Tuesday, May 8, 2012

OWASP 2012 Online Competition

The OWASP 2012 Online Competition started on 05/01/2012. The details can be found at https://www.hacking-lab.com/user/cases/cases.html?event=284

I spent 8 hours on 05/02/2012 and solved all the challenges. Here are my solutions:

  1. 8018 OWASP Hackademic Challenge 1. There is an unusual element in the page source:  YXBwc2VjX3VzYTp0aGlzZWFz.  This is the base64 encoding of appsec_usa:thiseas, which is the username and password for the portal.
  2. 8019 OWASP Hackademic Challenge 2. The goal is to find the password to the website. However, the website hides its password within the JavaScript shown below. I just used Firebug and found the password:   "take a break"

    function GetPassInfo(){
    // The challenge's obfuscated password check. Every variable is reassigned
    // several times; only the last assignment to each one matters, and those
    // final characters are what build the value of Wrong below.
    var madhouuuuuuuseeee = "givesacountinatobp laryk"

    var j = madhouuuuuuuseeee.charAt(1); var h = madhouuuuuuuseeee.charAt(0); var l = madhouuuuuuuseeee.charAt(17);
    var g = madhouuuuuuuseeee.charAt(2); var i = madhouuuuuuuseeee.charAt(6); var x = madhouuuuuuuseeee.charAt(18);
    var l = madhouuuuuuuseeee.charAt(3); var p = madhouuuuuuuseeee.charAt(2); var m = madhouuuuuuuseeee.charAt(20);
    var s = madhouuuuuuuseeee.charAt(17); var k = madhouuuuuuuseeee.charAt(10); var d = madhouuuuuuuseeee.charAt(3);
    var bb = madhouuuuuuuseeee.charAt(6); var d = madhouuuuuuuseeee.charAt(13); var r = madhouuuuuuuseeee.charAt(8);
    var a = madhouuuuuuuseeee.charAt(0); var d = madhouuuuuuuseeee.charAt(3); var r = madhouuuuuuuseeee.charAt(16);
    var b = madhouuuuuuuseeee.charAt(1); var e = madhouuuuuuuseeee.charAt(4); var j = madhouuuuuuuseeee.charAt(9);
    var c = madhouuuuuuuseeee.charAt(2); var f = madhouuuuuuuseeee.charAt(5); var g = madhouuuuuuuseeee.charAt(4);
    var j = madhouuuuuuuseeee.charAt(9); var h = madhouuuuuuuseeee.charAt(6); var l = madhouuuuuuuseeee.charAt(11);
    var g = madhouuuuuuuseeee.charAt(4); var i = madhouuuuuuuseeee.charAt(7); var x = madhouuuuuuuseeee.charAt(21);
    var l = madhouuuuuuuseeee.charAt(11); var p = madhouuuuuuuseeee.charAt(4); var m = madhouuuuuuuseeee.charAt(4);
    var s = madhouuuuuuuseeee.charAt(17); var k = madhouuuuuuuseeee.charAt(10); var d = madhouuuuuuuseeee.charAt(3);
    var t = madhouuuuuuuseeee.charAt(18); var n = madhouuuuuuuseeee.charAt(12); var e = madhouuuuuuuseeee.charAt(4);
    var a = madhouuuuuuuseeee.charAt(0); var o = madhouuuuuuuseeee.charAt(13); var f = madhouuuuuuuseeee.charAt(5);
    var b = madhouuuuuuuseeee.charAt(1); var q = madhouuuuuuuseeee.charAt(15); var h = madhouuuuuuuseeee.charAt(6);
    var c = madhouuuuuuuseeee.charAt(2); var h = madhouuuuuuuseeee.charAt(6); var i = madhouuuuuuuseeee.charAt(7);
    var j = madhouuuuuuuseeee.charAt(9); var i = madhouuuuuuuseeee.charAt(7); var y = madhouuuuuuuseeee.charAt(22);
    var g = madhouuuuuuuseeee.charAt(4); var p = madhouuuuuuuseeee.charAt(4); var yy = madhouuuuuuuseeee.charAt(23);
    var l = madhouuuuuuuseeee.charAt(11); var k = madhouuuuuuuseeee.charAt(10); var bb = madhouuuuuuuseeee.charAt(14);
    var q = madhouuuuuuuseeee.charAt(20); var n = madhouuuuuuuseeee.charAt(12);
    var m = madhouuuuuuuseeee.charAt(4); var o = madhouuuuuuuseeee.charAt(13);
    var p = madhouuuuuuuseeee.charAt(4);
    // Concatenating the final values of these variables yields "take a break".
    var Wrong = (bb+""+q+""+yy+""+d+""+t+""+f+""+t+""+r+""+x+""+d+""+f+""+yy);

    if (document.forms[0].Password1.value == Wrong)
    location.href="index.php?Result=" + Wrong;
    }

  4. 8020 OWASP Hackademic Challenge 3. The goal is to test for an XSS issue and produce an alert box with the message "XSS!". Unfortunately, the challenge seems to be only a string-matching XSS problem. The matching string is  <script> alert('XSS!'); </script>
  5. 8021 OWASP Hackademic Challenge 4. This challenge is just a variation of challenge 3 with the same goal. The matching string is:  <script> alert(String.fromCharCode(88,83,83,33)); </script>
  6. 8022 OWASP Hackademic Challenge 5. The goal is to access hidden content that is only served to their special web browser. The answer is to change the browser's User-Agent header to:  User-Agent: p0wnBrowser version 2.30
  7. 8023 OWASP Hackademic Challenge 6. The goal is to find the password to access the website. The password is hidden in JavaScript again. The JavaScript can be obtained using Firebug and JavaScript Shell. The password is:  h@ckers!
  8. 8024 OWASP Hackademic Challenge 7. The goal is to gain admin access to the website. After spidering the website, I found an interesting file, http://hackademics.hacking-lab.com/ch007/index_files/lastlogin.log. Here is its content:
     30 31 30 30 31 31 30 30 20 30 31 31 30 30 30 30 31 20 30 31 31 31 30 30 31 31 20 30 31 31 31 30 31 30 30 20 30 30 31 30 30 30 30 30 20 30 31 30 30 31 31 30 30 20 30 31 31 30 31 31 31 31 20 30 31 31 30 30 31 31 31 20 30 31 31 30 31 30 30 31 20 30 31 31 30 31 31 31 30 20 30 30 31 30 30 30 30 30 20 30 31 31 30 30 30 31 30 20 30 31 31 31 31 30 30 31 20 30 30 31 31 31 30 31 30 20 30 30 31 30 30 30 30 30 20 30 31 30 30 30 30 30 31 20 30 31 31 30 31 31 30 30 20 30 31 31 30 31 30 30 31 20 30 31 31 30 30 30 31 31 20 30 31 31 30 30 31 30 31 20 30 30 31 30 30 30 30 30 20 30 31 30 31 30 30 30 30 20 30 31 31 31 30 30 31 30 20 30 31 31 30 30 31 30 31 20 30 31 31 31 30 31 30 30 20 30 31 31 31 30 31 30 30 20 30 31 31 31 31 30 30 31 20 30 30 31 30 31 31 30 30 20 30 30 31 30 30 30 30 30 20 30 31 31 31 30 31 30 31 20 30 31 31 31 30 30 31 31 20 30 31 31 30 30 31 30 31 20 30 31 31 31 30 30 31 30 20 30 31 31 30 31 31 31 30 20 30 31 31 30 30 30 30 31 20 30 31 31 30 31 31 30 31 20 30 31 31 30 30 31 30 31 20 30 30 31 31 31 30 31 30 20 30 30 31 30 30 30 30 30 20 30 31 30 30 30 30 30 31 20 30 31 31 30 31 31 30 30 20 30 31 31 30 31 30 30 31 20 30 31 31 30 30 30 31 31 20 30 31 31 30 30 31 30 31 20 30 30 31 30 30 30 30 30 20 30 31 31 30 30 30 30 31 20 30 31 31 31 30 31 30 30 20 30 30 31 30 30 30 30 30 20 30 30 31 31 30 30 30 31 20 30 30 31 31 30 31 30 30 20 30 30 31 30 31 31 31 31 20 30 30 31 31 30 30 31 31 20 30 30 31 30 31 31 31 31 20 30 30 31 31 30 30 31 30 20 30 30 31 31 30 30 30 30 20 30 30 31 31 30 30 30 31 20 30 30 31 31 30 30 30 31 20 30 30 31 30 30 30 30 30 20 30 30 31 31 30 30 30 31 20 30 30 31 31 30 30 30 30 20 30 30 31 31 31 30 31 30 20 30 30 31 31 30 31 30 31 20 30 30 31 31 31 30 30 31 20 30 30 31 31 31 30 31 30 20 30 30 31 31 30 30 30 30 20 30 30 31 31 30 30 30 30 20 30 31 31 30 30 30 30 31 20 30 31 31 30 31 31 30
     It looks like ASCII in binary form once 30 is read as 0, 31 as 1 and 20 as a separator (those are the hex values of the characters '0', '1' and space). A simple Python script decodes its content as:
    Last Login by: Alice Pretty, username: Alice at 14/3/2011 10:59:00am

    Now we have a username, "Alice", which can be used to access the website. I noticed that the session id stayed the same across different sessions of Alice. The session id is 64489c85dc2fe0787b85cd87214b3810.0; the first part looks like an MD5 hash, and 64489c85dc2fe0787b85cd87214b3810 = md5(Alice). So I just need to generate a new session token for admin. After several attempts, the system accepts this cookie:  e3afed0047b08059d0fada10f400c1e5.1
    where md5(Admin) = e3afed0047b08059d0fada10f400c1e5
  10. 8025 OWASP Hackademic Challenge 8. The goal is to access the website as admin. The backdoor shell only supports these commands: ls, whoami, id, help, su. If su is typed, the shell asks for a username and password. I also noticed an interesting image file, found with the "ls" command: http://hackademics.hacking-lab.com/ch008/4admin0Nly.jpg. It is not a normal JPG image file. Its content is:
    2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 20 55 73 65 72 6e 61 6d 65 3a 20 73 75 70 65 72 61 64 6d 69 6e 20 50 61 73 73 77 6f 72 64 3a 20 30 77 40 73 70 55 53 41 79 30 20 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d

    Decoded as ASCII, its content contains:  Username: superadmin Password: 0w@spUSAy0
  11. 8026 OWASP Hackademic Challenge 9. The goal is to gain admin access to the website.
    1) Change the user agent of the browser to use
    2) The shell is accessible from http://hackademics.hacking-lab.com/ch009/y0_man_y0.php
    3) Use the "ls" command to find some interesting pages: adminpanel.php, y0_man_y0.php, log.history.php
    4) In the source code of http://hackademics.hacking-lab.com/ch009/log.history.php, there is an interesting comment:
    slrig_$$ap_$GN0RTS_4_s1_s1Ht :drowssap nimda :emanresu

    Decoding the comment by reversing its character order gives the following message:
    'username: admin password: tH1s_1s_4_STR0NG$_pa$$_girls'
    5) Use the above username and password to log in to the admin panel page.
  12. 8027 OWASP Hackademic Challenge 10. The goal is to gain access to the website.
    1) There is a hidden field called LetMeIn=False. I changed it to LetMeIn=True and accessed the website.
    2) The alert function looks like:
    alert("01010011 01100101 01110010 01101001 01100001 01101100 00100000 01001110 01110101 01101101 01100010 01100101 01110010 00111010 00100000 01010100 01001000 01001001 01010011 00101101 01001001 01010011 01001111 01000100 01000100 00101101 01000011 01000001 01010101 01010011 01000101 00101101 01001001 01000001 01001101 01000001 00101101 01010011 01010101 01010000 01000001 00101101 01001000 01000001 01000011 01001011 01000001 ")
    A simple Python script decodes this as  THIS-ISODD-CAUSE-IAMA-SUPA-HACKA
    3) Enter this code and the mission is accomplished.
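As an added example (my own code, not the author's script), here is one decoder that handles all three encodings met in this write-up: the hex-dumped binary ASCII of lastlogin.log (challenge 7), the raw hex of the fake JPG (challenge 8) and the binary string in the alert() of challenge 10. The sample inputs are short excerpts of the dumps shown above; a final group shorter than 8 bits, like the cut-off end of the log dump, is skipped instead of breaking the decode.

```python
import re

# Sample inputs, taken from the dumps shown in this write-up.
# Opening bytes of lastlogin.log (hex 30/31 are the characters '0'/'1', 20 is a space),
# ending with a truncated group like the one at the end of the full dump.
LOG_HEX = ("30 31 30 30 31 31 30 30 20 30 31 31 30 30 30 30 31 20 "
           "30 31 31 31 30 30 31 31 20 30 31 31 31 30 31 30 30 20 30 31 31 30 31 31 30")
# Part of the 4admin0Nly.jpg hex from challenge 8.
JPG_HEX = "55 73 65 72 6e 61 6d 65 3a 20 73 75 70 65 72 61 64 6d 69 6e"
# The binary string from the challenge 10 alert() call.
ALERT_BINARY = (
    "01010011 01100101 01110010 01101001 01100001 01101100 00100000 01001110 "
    "01110101 01101101 01100010 01100101 01110010 00111010 00100000 01010100 "
    "01001000 01001001 01010011 00101101 01001001 01010011 01001111 01000100 "
    "01000100 00101101 01000011 01000001 01010101 01010011 01000101 00101101 "
    "01001001 01000001 01001101 01000001 00101101 01010011 01010101 01010000 "
    "01000001 00101101 01001000 01000001 01000011 01001011 01000001 ")


def decode_hex_dump(dump: str) -> str:
    """Space-separated hex bytes -> text. Non-ASCII bytes become U+FFFD instead of raising."""
    return bytes.fromhex(dump).decode("ascii", errors="replace")


def decode_binary_ascii(text: str) -> str:
    """Whitespace-separated 8-bit binary groups -> text.
    Groups that are not exactly eight 0/1 characters (e.g. a truncated last group) are skipped."""
    chars = [chr(int(g, 2)) for g in text.split() if re.fullmatch(r"[01]{8}", g)]
    return "".join(chars)


def decode_log(dump: str) -> str:
    """lastlogin.log is binary ASCII that was itself hex-dumped, so decode twice."""
    return decode_binary_ascii(decode_hex_dump(dump))


if __name__ == "__main__":
    print(decode_log(LOG_HEX))               # Last
    print(decode_hex_dump(JPG_HEX))          # Username: superadmin
    print(decode_binary_ascii(ALERT_BINARY)) # Serial Number: THIS-ISODD-CAUSE-IAMA-SUPA-HACKA
```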
  13. 7019 AES Bit-Flipping Attack. The goal is to regenerate a valid ticket based on an expired AES CBC encrypted ticket: B60086CD1E68CEF25BC1BEC429D8F3C01D45F0196331DA5012B99067A25463A493CCBF690FD88F850BD5273C5A7D72B6
    1) Burp is a perfect tool to automate this attack: Burp Intruder has a bit flipper payload type built in.
    2) Burp generated lots of valid tickets. One example is:
    60086CD1E68CEF25BC1BEC429D8F3C01D45F0196331DA5012B99063A25463A493CCBF690FD88F850BD5273C5A7D72B6

    And here is the result from the server:
    Hello hacker10 (email: You've logged-in successfully
    Ticket valid until: 20141011
    Solution code: X678RWER_HAXXOR
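Added example, not code from the write-up or from hacking-lab: the tickets above are accepted after a bit flip because nothing authenticates the ciphertext (in CBC, flipping a ciphertext bit garbles that block and flips the same bit in the next plaintext block, which still decrypts cleanly). The usual fix is encrypt-then-MAC; this code reuses the expired ticket's hex as sample ciphertext, uses a constructed demo key, and does not perform AES itself.

```python
import hmac
import hashlib
from typing import Optional

# Constructed demo key for this example; a real ticket service keeps its MAC key server-side.
SERVER_KEY = b"demo-ticket-mac-key"
TAG_LEN = 32  # HMAC-SHA256 tag length in bytes

# The expired AES-CBC ticket quoted in the write-up, reused here as sample ciphertext.
EXPIRED_TICKET_HEX = ("B60086CD1E68CEF25BC1BEC429D8F3C01D45F0196331DA50"
                      "12B99067A25463A493CCBF690FD88F850BD5273C5A7D72B6")


def issue_ticket(ciphertext: bytes, key: bytes) -> str:
    """Encrypt-then-MAC: append an HMAC over the ciphertext so any bit flip is detectable."""
    tag = hmac.new(key, ciphertext, hashlib.sha256).digest()
    return (ciphertext + tag).hex()


def verify_ticket(ticket_hex: str, key: bytes) -> Optional[bytes]:
    """Return the ciphertext only if its tag is valid; decryption must happen after this check."""
    raw = bytes.fromhex(ticket_hex)
    if len(raw) <= TAG_LEN:
        return None
    ciphertext, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, ciphertext, hashlib.sha256).digest()
    # Constant-time compare so the check itself does not leak the tag byte by byte.
    return ciphertext if hmac.compare_digest(tag, expected) else None


def flip_bit(ticket_hex: str, byte_index: int, bit: int) -> str:
    """Flip one bit of a ticket, which is all Intruder's bit flipper payload does.
    The two tickets in the write-up differ in exactly one byte (0x67 vs 0x63)."""
    raw = bytearray(bytes.fromhex(ticket_hex))
    raw[byte_index] ^= 1 << bit
    return raw.hex()


if __name__ == "__main__":
    good = issue_ticket(bytes.fromhex(EXPIRED_TICKET_HEX), SERVER_KEY)
    print(verify_ticket(good, SERVER_KEY) is not None)       # True
    print(verify_ticket(flip_bit(good, 27, 2), SERVER_KEY))  # None: tampering rejected
```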
  14. 2312 Blind SQL injection. The goal is to write a small program to read the email address of the customer  "Franziska Knobel"  through blind SQL injection.
    1) The email address is  hacker30@hack.er
    2) This Python script was written quickly, just to solve the problem as soon as possible:
  15. 2313 Time Based Blind SQL Injection. The goal is to write a small program to read the phone number of "Sandra Fischer" using time-based blind SQL injection.
    1) The phone number is  07254455882
    2) This Python script was written quickly, just to solve the problem as soon as possible.
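Added example (my code, not the author's extraction scripts, which are not reproduced on this page): what challenges 14 and 15 look like from the server side. Boolean-based and time-based blind injection both leak one bit or character per request, so they show up in access logs as many near-identical requests from one client carrying SUBSTRING/ASCII comparisons or SLEEP-style delays; the log lines below are constructed samples.

```python
import re
from collections import Counter
from typing import Dict, Optional
from urllib.parse import unquote_plus

# Constructed Apache-style access log: one normal request, two boolean-based probes
# walking the first character of an email column, and one time-based probe.
SAMPLE_LOG = """\
10.0.0.5 - - [02/May/2012:10:01:01 +0000] "GET /customer.php?id=17 HTTP/1.1" 200 512
10.0.0.9 - - [02/May/2012:10:01:02 +0000] "GET /customer.php?id=17%20AND%20ASCII(SUBSTRING(email,1,1))%3E64 HTTP/1.1" 200 512
10.0.0.9 - - [02/May/2012:10:01:03 +0000] "GET /customer.php?id=17%20AND%20ASCII(SUBSTRING(email,1,1))%3E96 HTTP/1.1" 200 487
10.0.0.9 - - [02/May/2012:10:01:04 +0000] "GET /customer.php?id=17%20AND%20SLEEP(5) HTTP/1.1" 200 487
"""

# A boolean condition that inspects a column character by character.
BOOLEAN_RE = re.compile(r"\b(?:and|or)\b.*\b(?:substr(?:ing)?|ascii|mid|ord)\s*\(", re.I)
# Delay functions used to turn a true/false answer into a measurable response time.
TIME_RE = re.compile(r"\b(?:sleep|benchmark|pg_sleep)\s*\(|waitfor\s+delay", re.I)
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) ')


def classify(url: str) -> Optional[str]:
    """Label a request path as a blind SQLi probe kind, or None if it looks ordinary."""
    decoded = unquote_plus(url)  # probes are usually URL-encoded in the log
    if TIME_RE.search(decoded):
        return "time-based"
    if BOOLEAN_RE.search(decoded):
        return "boolean-based"
    return None


def scan_log(text: str) -> Dict[str, Counter]:
    """Return {client_ip: Counter(kind -> hits)} for requests that look like blind SQLi probes."""
    hits: Dict[str, Counter] = {}
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, url = m.groups()
        kind = classify(url)
        if kind:
            hits.setdefault(ip, Counter())[kind] += 1
    return hits


if __name__ == "__main__":
    for ip, kinds in scan_log(SAMPLE_LOG).items():
        print(ip, dict(kinds))  # 10.0.0.9 {'boolean-based': 2, 'time-based': 1}
```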

2 comments:

  1. Hey Mike, you seem to be missing the completion for challenge #1. Where'd you find the email address so that you could send the message...
