Planet DesKel

DesKel's official page for CTF write-up, Electronic tutorial, review and etc.

Arduino
Backdoor Challenge Land CTFLearn CyberEDU Webhacking.kr TryHackMe, THM Short CTF
Hacking Tools
Donate
30 August 2020

Webhacking.kr write-up: old-6

3 minutes to read
Link point tag
old-6 100 Session hijacking, scripting

Welcome back to another webhacking.kr CTF challenge. Today, we are going through for another session hijacking but this time we have to complete the challenge with basic scripting.

question

source

On the front page, we are greeted with ID and PW and we have no idea what is the credential used for. By studying the given source code, the credential was assigned into the cookies. Before that, both ID and PW values are encoded with base64 for 20 times (red box). Then, some of the characters on the encoded credential is replaced with special characters (blue box).

cred

If you scroll to the bottom of the page, you will notice that the credential used to solve the challenge is admin:nimda. Hence, our main goal is the hijack the cookie with the given credential by repeating the above steps.

  1. Encode the ‘admin’ and ‘nimba’ in base64 for 20 times
  2. Replace some of the characters associates with the source code
  3. Encode the base64 with URLencode as the cookies are in URLencode format
import base64
import urllib.parse

user = b"admin"
password = b"nimda"

for i in range(20):
        user = base64.b64encode(user)
        password = base64.b64encode(password)

euser = user.decode('utf-8')
epass = password.decode('utf-8')

#string replacement to url encode instead of symbol

euser = euser.replace('1','!').replace('2','@').replace('3','$').replace('4','^').replace('5','&').replace('6','*').replace('7','(').replace('8',')')
epass = epass.replace('1','!').replace('2','@').replace('3','$').replace('4','^').replace('5','&').replace('6','*').replace('7','(').replace('8',')')

#urlencode

euser = urllib.parse.quote(euser)
epassword = urllib.parse.quote(password)

print("\033[1;31;40m user id: \033[0m")
print(euser)
print("\033[1;36;40m user password: \033[0m")
print(epassword)

script

After that, copy the encoded id and password into the ‘user’ and ‘password’ cookies, respectively.

copy

Refresh the page and solve the challenge.

solve

tags: webhacking.kr - session_hijacking - scripting

Thanks for reading. Follow my twitter for latest update

If you like this post, consider a small donation. Much appreciated. :)

Vortex

© 2020 DesKel