Hackcon 2017

Pranav Jain
Aug 27, 2017

Noobcoder

A junior recently started doing PHP, and makes some random shit. He uses gedit as his go-to editor with a black theme thinking it was Sublime. So he made this login portal, I am sure he must have left something out. Why don’t you give it a try? Server: http://defcon.org.in:6062

When following the link, a login page is provided which asks for username and password.

When we submit a random username and password, the page shows:

Since the challenge text says that gedit is being used, I searched for the temporary files gedit leaves behind.
gedit saves its copy as <filename>~, i.e. the file name followed by a “~” sign. From the URL we can see that the PHP file is “checker.php”.
Therefore the temporary file should be “checker.php~”. Requesting that file returns the source of checker.php.

It is clearly a string comparison vulnerability: PHP’s loose (==) comparison treats the numeric strings “0” and “0e1” as equal. Therefore, when we give the input: username = 0
password = 0e1

We get the flag: d4rk{l0l_g3dit_m4ster_roxx}c0de

Magic

Everything disappears magically. Can you magically prevent that? http://defcon.org.in:6060/index.php

When following the link, we are provided with another login page.

After several attempts at SQL injection, XSS and other attacks, I decided to take a look at the cookies. But there were no cookies on the page. Maybe the cookies had expired!!
So I used “curl” with the -I option to fetch the response headers and see whether any cookies are set as the page loads.

We get a total of 438 cookies. As we can see, the Set-Cookie values contain only the characters:
. - + %2B %3C %3E %5D

When URL-decoded, the characters are: . - + [ ] < >

Clearly, these are the instruction characters of Brainfuck. Concatenating all the decoded cookie values in order gives a Brainfuck program; running it prints the following message:
username: abERsdhw password: HHealskdwwpr
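The cookie-to-Brainfuck step described above, as an added example (not code from the original writeup): it parses a constructed `curl -I` response, URL-decodes every Set-Cookie value in order, and runs the concatenated result through a small Brainfuck interpreter. The sample headers are constructed and print “Hi”, not the challenge’s real credentials.

```python
from urllib.parse import unquote
# Constructed sample of a `curl -I` response in the style the writeup
# describes (the real challenge returned 438 Set-Cookie headers).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: p0=%2B%2B%2B%2B%2B%2B%2B%2B%5B%3E; path=/\r\n"
    "Set-Cookie: p1=%2B%2B%2B%2B%2B%2B%2B%2B%2B%3C-%5D%3E.; path=/\r\n"
    "Set-Cookie: p2=%3C%2B%2B%2B%5B%3E%2B%2B%2B%2B%2B; path=/\r\n"
    "Set-Cookie: p3=%2B%2B%2B%2B%2B%2B%3C-%5D%3E.; path=/\r\n"
)
BF_OPS = set("+-<>[].")


def extract_program(raw_headers: str) -> str:
    """Collect Set-Cookie values in order, URL-decode, keep Brainfuck ops only."""
    program = []
    for line in raw_headers.splitlines():
        if not line.lower().startswith("set-cookie:"):
            continue
        cookie = line.split(":", 1)[1].strip().split(";", 1)[0]
        value = cookie.partition("=")[2]      # drop the cookie name
        program.append("".join(c for c in unquote(value) if c in BF_OPS))
    return "".join(program)


def run_brainfuck(program: str) -> str:
    """Minimal interpreter: 8-bit wrapping cells, precomputed bracket map."""
    jumps, stack = {}, []
    for i, c in enumerate(program):
        if c == "[":
            stack.append(i)
        elif c == "]":
            j = stack.pop()                   # IndexError on a stray "]"
            jumps[i], jumps[j] = j, i
    if stack:
        raise ValueError("unbalanced brackets in program")
    tape, ptr, pc, out = [0] * 30000, 0, 0, []
    while pc < len(program):
        c = program[pc]
        if c == ">": ptr += 1
        elif c == "<": ptr -= 1
        elif c == "+": tape[ptr] = (tape[ptr] + 1) % 256
        elif c == "-": tape[ptr] = (tape[ptr] - 1) % 256
        elif c == ".": out.append(chr(tape[ptr]))
        elif c == "[" and tape[ptr] == 0: pc = jumps[pc]
        elif c == "]" and tape[ptr] != 0: pc = jumps[pc]
        pc += 1
    return "".join(out)


def decode_cookie_message(raw_headers: str) -> str:
    return run_brainfuck(extract_program(raw_headers))
```

Pipe the real `curl -I` output into `decode_cookie_message` to reproduce the step.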

Logging in with these credentials,
we get the flag: d4rk{c00k13s_4r3_fun}c0de

Not Web

I hate JS, I seriously do. It is a mess.

The task provided us with a zip file named ihatejs.js.zip. When we unzip it, we find a JS file named ihatejs.js.

The file contained a lot of JS code.
I simply copied all of it and pasted it into the Google Chrome console.

The flag was printed to the console (pretty easy).

The flag was: d4rk{ccjccpbsvrafrcatbpchjydiio}c0de
