The Enigma Group

 April 29, 2021    CTF

Basic Challenges


Starter 1 // Basic 1 - The Infamous Noob Test

  • right click > view source
  • find the password in the HTML source code
  • password is 39f13b


Starter 2 // Basic 2

  • the error message tells us there exists a folder called dontlookinhere
  • in there is a password.inc file
  • we can login using the credentials from the file
  • credentials are admin:rosebud101z


Starter 3 // Basic 3

  • the hint in the mission list says: "robots.txt"
  • by opening the robots.txt file we can see a directory /f0rk exists
  • in the directory a config.inc file exists
  • we can login using the credentials from the file
  • credentials are admin:f0rkblork


Javascript 1 // Basic 4

  • right click on the dropdown > inspect element
  • edit the select statement
  • add <option value="James">James</option>
  • click the Login button


Javascript 2 // Basic 5

  • inspect the source code
  • don't get baited by the fake password hax0r
  • enter the correct password skriptkid


Javascript 3 // Basic 6

  • inspect the source code
  • scroll all the way down past the newlines
  • find and enter the correct password Sauc3


Javascript 4 // Basic 7

  • inspect the source code
  • find and enter the correct password shifted


Javascript 5 // Basic 8

  • inspect the source code
  • decode the encoded password string
  • an easy way is to enter unescape(pass) into the console while the page is open
  • enter the correct password ASCII-Chart


Spoofing 1 // Basic 16

  • Go to Network and "Edit and Resend" the "/basic/spoff/1/" request
  • add an X-Forwarded-For: 127.0.0.1 header to the request headers and resend
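
Why the header alone should never decide "is this request local": an added example, not the challenge's server code, that puts a check trusting X-Forwarded-For next to one that starts from the TCP peer address. The function names and the trusted_proxies parameter are assumptions made for illustration.

```python
import ipaddress

def is_local_vulnerable(peer_ip, headers):
    # Believes the first X-Forwarded-For value, which the client controls.
    claimed = headers.get("X-Forwarded-For", peer_ip).split(",")[0].strip()
    return claimed == "127.0.0.1"

def client_ip(peer_ip, headers, trusted_proxies=()):
    # Start from the TCP peer. Read X-Forwarded-For right to left and step
    # back one hop only while the address that reported it is a trusted proxy.
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]

    def trusted(ip):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return False
        return any(addr in net for net in nets)

    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",")
            if h.strip()]
    current = peer_ip
    while hops and trusted(current):
        current = hops.pop()
    return current

def is_local_hardened(peer_ip, headers, trusted_proxies=()):
    # Local means the resolved client address is loopback, not a header claim.
    try:
        return ipaddress.ip_address(
            client_ip(peer_ip, headers, trusted_proxies)).is_loopback
    except ValueError:
        return False
```

With no trusted proxies configured the header is ignored entirely, which is the right default for a server that is reached directly.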


Spoofing 2 // Basic 17

  • Go to Network and "Edit and Resend" the "/basic/spoff/2/" request
  • change the "User-Agent:" to EnigmaFox in the Request Header and resend


SQL 1 // Basic 21

  • True Injection 1' or 1=1 --


SQL 2 // Basic 22

  • The id parameter of the news page seems to be injectable
  • Trying to access id=AAA gives us the used select statement
  • First we figure out how many columns the query returns with id=1 order by 3-- and which of them are displayed with id=6 union select 1,2,3 from users --
  • To display the username and password we can use the injection id=6 union select 1,password,username from users --
  • The username is administrator and the password column contains 6537d34fd1c080b5cb7f06dde3a26fe8
  • the given password does not work, but using one of the many online hash databases we find it's an MD5 hash for bl1nd
  • logging in using administrator:bl1nd works


SQL 3 // Basic 23

  • This challenge is basically the same as SQL 2 // Basic 22
  • The only difference is the server prevents entries which contain union select
  • We can simply use union all select and bypass this check
  • To display the username and password we can use the injection id=6 union all select 1,password,username from users --
  • The username is administrator and the password column contains 6cfdca6f9633968c72a2a6e0fe2756ca
  • the given password does not work, but using one of the many online hash databases we find it's an MD5 hash for asdfgh
  • logging in using administrator:asdfgh works
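
Why the keyword filter in SQL 3 does not fix the injection from SQL 2, and what does: an added example, not the challenge's code, using an in-memory SQLite database with constructed rows. The table and column names follow the writeup; the function names and the stored password value are assumptions.

```python
import sqlite3

def make_db():
    # Constructed sample data: table and column names follow the writeup,
    # the stored password value is a placeholder.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE news (id INTEGER, title TEXT, body TEXT);
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO news VALUES (1, 'Welcome', 'First post');
        INSERT INTO users VALUES ('administrator', 'placeholder-md5-hash');
    """)
    return db

def blocklist_ok(value):
    # The SQL 3 check as the writeup describes it: reject "union select".
    return "union select" not in value.lower()

def news_vulnerable(db, raw_id):
    # Input is filtered by keyword, then concatenated into the statement.
    if not blocklist_ok(raw_id):
        return None
    query = "SELECT id, title, body FROM news WHERE id=" + raw_id
    return db.execute(query).fetchall()

def news_hardened(db, raw_id):
    # Enforce the expected type, then bind the value as a parameter so it
    # can never be parsed as SQL, whatever keywords it contains.
    try:
        news_id = int(raw_id)
    except ValueError:
        return []
    return db.execute(
        "SELECT id, title, body FROM news WHERE id=?", (news_id,)
    ).fetchall()

if __name__ == "__main__":
    db = make_db()
    for raw in ("1",
                "6 union select 1,password,username from users --",
                "6 union all select 1,password,username from users --"):
        print(repr(raw), news_vulnerable(db, raw), news_hardened(db, raw))
```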


URL Manipulation 1 // Basic 27

  • enter anything into the password form
  • the text reads Error finding a in password.php
  • the URL ends with index.php?file=login.php
  • open index.php?file=password.php
  • you get the password 3e0f84


Variable Manipulation 1 // Basic 30

  • we are given a hint the pages/ directory might exist
  • reading the home.txt file shows us how to use the page viewer
  • opening index.php?page=<filename> allows us to read any file
  • the admin directory path is protected by HTTP auth
  • Apache stores HTTP auth credentials in .htpasswd
  • we can read the htpasswd by opening ?page=../admin/.htpasswd
  • we get the encoded password dXWxIS6i6irN6
  • the decoded password is dog
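
How a page viewer can keep the page parameter inside pages/: an added example, not the challenge's code, that builds a constructed directory tree and compares a naive join with a resolve-then-contain check. The function names and file contents are assumptions.

```python
import tempfile
from pathlib import Path

def build_sample_site():
    # Constructed layout mirroring the writeup: pages/ next to admin/.
    root = Path(tempfile.mkdtemp())
    (root / "pages").mkdir()
    (root / "admin").mkdir()
    (root / "pages" / "home.txt").write_text("usage: ?page=<filename>\n")
    (root / "admin" / ".htpasswd").write_text("admin:placeholder-hash\n")
    return root

def read_page_vulnerable(root, page):
    # Joins the parameter onto pages/ without checking where it ends up.
    return (root / "pages" / page).read_text()

def read_page_hardened(root, page):
    # Resolve ".." and symlinks first, then require the result to stay
    # inside pages/; anything else is treated as "not found".
    base = (root / "pages").resolve()
    target = (base / page).resolve()
    try:
        target.relative_to(base)
    except ValueError:
        return None
    if not target.is_file():
        return None
    return target.read_text()

if __name__ == "__main__":
    site = build_sample_site()
    for page in ("home.txt", "../admin/.htpasswd", "/etc/passwd"):
        print(repr(page), "->", repr(read_page_hardened(site, page)))
```

The containment check is one layer; keeping credential files out of any tree the viewer process can read removes the target altogether.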


Variable Manipulation 2 // Basic 31

  • opening the page instantly redirects you to /index2.php
  • going back to / makes us land at /index2.php again
  • inspecting the HTML sent by the server for / we find the html comment <!-- 911_411.php -->
  • opening /911_411.php completes this challenge


Variable Manipulation 3 // Basic 32

TODO


XSS 1 // Basic 40

  • enter Test<script>alert('XSS')</script>
  • you are done

XSS 2 // Basic 41

TODO


Auditing Challenges


Auditing 1

  • Opening /index.php/AAAA results in Your form action is /basics/auditing/1//index.php/AAAA
  • The goal is to achieve XSS (no one tells you, but for some reason it is. You have to guess or something)
  • Opening index.php/"><script>alert(1)</script> completes the challenge
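
The fix for a form action built from the request path is to escape it for an HTML attribute. An added example, not the challenge's code, that renders the form both ways and parses the result to see which elements the browser would get; the form markup and function names are assumptions, the path prefix is the one the page echoes.

```python
from html import escape
from html.parser import HTMLParser

PREFIX = "/basics/auditing/1/"  # prefix shown in the echoed form action
FORM = '<form action="%s" method="post"><input name="q"></form>'

def form_vulnerable(request_path):
    # The request path is copied into the attribute as-is.
    return FORM % (PREFIX + request_path)

def form_hardened(request_path):
    # quote=True also escapes double quotes, so the value cannot close
    # the attribute and start new markup.
    return FORM % escape(PREFIX + request_path, quote=True)

class _Collector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []
        self.action = None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "form":
            self.action = dict(attrs).get("action")

def parse(markup):
    # Returns (list of start tags, form action as the parser decodes it).
    collector = _Collector()
    collector.feed(markup)
    collector.close()
    return collector.tags, collector.action

if __name__ == "__main__":
    path = '/index.php/"><script>alert(1)</script>'  # string from the writeup
    print(parse(form_vulnerable(path)))
    print(parse(form_hardened(path)))
```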


Auditing 2

  • We can set the "admin" cookie to 1 in the Storage -> Cookies and reload the site to get the points


Auditing 3

  • The code simply checks the access value in any of $_GET or $_POST
  • we can edit the value of the hidden input field setting it to admin
  • clicking on Refresh Page afterwards completes the challenge