For this challenge, the initial start is pretty obvious, or at least I think so. The first thing we see when we upload the webpage is the image that you see above, which contains two pieces of code. That's our first clue. The second clue is the name of the challenge. So let the research start. I will not go into detail and will just show you the solution; however, I will post links at the end of this post so you can read by yourself and understand what and how it works. When I do web challenges I like to examine the page. As I mentioned above we…
-
-
Magician – #Virseccon2020
Wow, let's do some magic! For this challenge we are presented with an input field, a submit button, and some kind of comparison in the button. I will go through my thought process instead of going directly to the solution because I think some of the things I did can be used in enumeration in the future. First I took a look at what 0e953532678923638053842468642408 is. I used Hash Analyzer provided by https://www.tunnelsup.com/hash-analyzer/. The result was that this hash is an MD5 or MD4. Because we see the ‘==’, that means that some comparison will be done. After playing with the input I discovered that there is a function…
-
HotAccess – #Virseccon2020
We are greeted with a page talking about modules. The recon part was clicking the two provided links and checking what changes. Then I noticed this. My first thought was: can I get somewhere else in the dir? Yes I can. I used the Repeater in Burp again to explore this. Can we view the password file in /etc? Yes we can! That means I can traverse directories from the URL and that is awesome! After some trial and error I find the correct file to be checking (.htaccess). Oh look what do we have here in the response! Let's put that directory in the URL and see what happens.…
-
Countdown – #Virseccon2020
By the name of the challenge we can guess that the solution will involve some kind of time. We don’t have much to go with in the beginning. We have a webpage with a button on it. When we click the button we are sent to another page that says the thing has exploded. How did I approach this? Use Burp Suite to intercept the GET request. If we examine this screen we can see that the name of the cookie is pretty specific (“detonate_time”), and as I mentioned in the beginning, in my head the solution had something to do with timing. If we click on the…