Hackcon 2017
Noobcoder
A junior recently started doing PHP, and makes some random shit. He uses gedit as his go-to editor with a black theme thinking it was sublime. So he made this login portal, I am sure he must have left something out. Why don't you give it a try?
Server: http://defcon.org.in:6062
When following the link, a login page is provided which asks for username and password.

When we submit a random username and password, it shows

As the question says that gedit is being used, I searched for any temporary files used by gedit.
Apparently the backup (temporary) file gedit leaves behind is <filename>~, i.e. the name of the file followed by a "~" sign. From the URL, we can see that the PHP file is "checker.php".
Therefore the backup file should be "checker.php~". When we request that path, the server returns the source of checker.php.

It is clearly a loose string comparison vulnerability: PHP's == operator treats both "0" and "0e1" as numeric strings equal to zero, so they compare as equal. Therefore, when given the input:
username = 0
password = 0e1
we get the flag: d4rk{l0l_g3dit_m4ster_roxx}c0de
Magic
Everything disappears magically. Can you magically prevent that. http://defcon.org.in:6060/index.php
When following the link, we are provided with another login page

After several tries of sql injection, xss and other attacks, I decided to take a look at the cookies. But there are no cookies on the page. Maybe the cookies had expired!!
So I used “curl” with -I option to get cookies if there are any as the page loads.

We get a total of 438 cookies. As we can see, the Set-Cookie values contain only the characters:
. - + %2B %3C %3E %5D
When URL-decoded, the characters are: . - + [ ] < >
Clearly, these are the characters of Brainfuck. So after combining all the decoded cookies in order we get a Brainfuck program. When we run it, it prints the following message:
username: abERsdhw password: HHealskdwwpr
When we log in with these credentials, we get the flag: d4rk{c00k13s_4r3_fun}c0de
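The cookie-to-Brainfuck step described above, as an added example that is not code from the original writeup: it parses a constructed curl -I style response, URL-decodes each Set-Cookie value in header order, keeps only the eight Brainfuck instructions, and runs the result through a small interpreter. The cookie names and the two-header sample are assumptions; the real challenge sent 438 cookies.

```python
from urllib.parse import unquote
# Constructed stand-in for the curl -I output (cookie names invented; real page sent 438 headers).
SAMPLE_HEADERS = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Set-Cookie: p0=%2B%2B%2B%2B%2B%2B%2B%2B%5B%3E%2B%2B%2B%2B%2B%2B%2B%2B%2B%3C-%5D; Path=/\r\n"
    "Set-Cookie: p1=%3E.%2B.; Path=/\r\n"
    "\r\n"
)
BF_OPS = set("+-<>[].,")

def extract_program(raw_headers: str) -> str:
    """Join the URL-decoded Set-Cookie values in header order, keeping only Brainfuck ops."""
    fragments = []
    for line in raw_headers.splitlines():
        name, sep, rest = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            value = rest.strip().split(";", 1)[0].partition("=")[2]  # drop Path= and friends
            fragments.append("".join(ch for ch in unquote(value) if ch in BF_OPS))
    return "".join(fragments)

def run_brainfuck(program: str, max_steps: int = 1_000_000) -> str:
    """Minimal Brainfuck interpreter; ',' is a no-op since the cookie program reads no input."""
    jumps, stack = {}, []
    for i, ch in enumerate(program):
        if ch == "[":
            stack.append(i)
        elif ch == "]":
            j = stack.pop()  # raises IndexError on an unbalanced ']'
            jumps[i], jumps[j] = j, i
    tape, ptr, pc, out = [0] * 30000, 0, 0, []
    while pc < len(program) and max_steps > 0:  # step cap stops a never-ending program
        op = program[pc]
        if op in "+-":
            tape[ptr] = (tape[ptr] + (1 if op == "+" else -1)) % 256
        elif op in "<>":
            ptr = (ptr + (1 if op == ">" else -1)) % len(tape)
        elif op == ".":
            out.append(chr(tape[ptr]))
        elif op == "[" and tape[ptr] == 0:
            pc = jumps[pc]
        elif op == "]" and tape[ptr] != 0:
            pc = jumps[pc]
        pc += 1
        max_steps -= 1
    return "".join(out)

def recover_message(raw_headers: str) -> str:
    return run_brainfuck(extract_program(raw_headers))
```

With the sample headers the recovered program prints "HI"; against the real response the same pipeline would print the username and password shown above.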
Not Web
I hate JS, I seriously do. It is a mess.
The task provided us with a zip file named ihatejs.js.zip. When we unzip it, we find a JS file named ihatejs.js.
The file contained a lot of JS code.
I simply copied all the JS code and pasted it into the console of Google Chrome.
The flag was printed on the console (pretty easy).
The flag was: d4rk{ccjccpbsvrafrcatbpchjydiio}c0de
