hacking, owasp, web application security

OWASP Hackademic Challenge 6

Another day, another challenge…

Today’s challenge will be Challenge 6 of 10 from the OWASP Hackademic Challenge.

Below is the scenario:

In this assignment you must prove your… knightly skills! Real knights have not disappeared.

They still exist, keeping their secrets well hidden.
Your mission is to infiltrate their SITE. There is a small problem, however… We don’t know the password!
Perhaps you could find it?
Let’s see!
g00d luck dudes!

Walkthrough:

Clicking the link, we're presented with the following:

challenge6intro

Looking at the page source we see the following:

challenge6pagesource

The script tag tells us that the code is JavaScript. Inside the tag we see a call to document.write, meaning that whatever string it receives is written straight into the page. That string is not readable source but an encoded blob, so we need to decode it to recover the actual script and its message.

After a quick search on Google we find a decoder here.

Putting the encoded characters in the decoder we get the following:

encoder1

Scrolling down we see the following:

encoder2

Hmm… there’s a password that is commented out inside the mystart function.

We also have another function, GetPassInfo(), that compares the value of the form field against a hard-coded string. If it matches, the result is "easy"; otherwise it reports a wrong code.

Let’s see if we can find where these functions are being used…

Scrolling down some more we find where the functions are used:

encoder3

We see that clicking the button invokes the mystart and checkinfo functions.

Let's try entering the first, commented-out password, 01234567890123456. We get the following:

encoder4

encoder5

So that was not the correct password. Let's try the string from the comparison instead: easyyyyyyy!

encoder6

As you can see, that was the correct password.

Lesson learned:

  1. Whenever in doubt: VIEW THE PAGE SOURCE. The page source gives the tester GEMS that can be used, or at least tells you which direction to go in.
  2. You can find out a lot about the language being used from the HTML tags. The developers tried security through obscurity, meaning security by hiding rather than by sound design: the check was buried in encoded JavaScript. We defeated it simply by decoding the string. Any check that runs in the browser ships both its logic and its secret to the user, so encoding it only slows a tester down; the comparison has to happen on the server.
  3. Look through the code. I know this can be difficult for testers who do not have a lot of coding experience. This is where Google comes in. No one knows everything, and you need to know when to ask or seek help. From the scenario we know that we need to find the code to unlock the challenge. Looking through the code we see two possible codes. The first one did not work because it was commented out: the browser never executes a comment, so it is only a leftover hint. The second code is the one the check function actually compares against, and it worked, as you can see from above.