Another day, another challenge…
Today’s challenge will be Challenge 6 of 10 from the OWASP Hackademic Challenge.
Below is the scenario:
In this assignment you must prove your… knightly skills! Real knights have not disappeared.
They still exist, keeping their secrets well hidden.
Your mission is to infiltrate their SITE. There is a small problem, however… We don’t know the password!
Perhaps you could find it?
g00d luck dudes!
Clicking the link we’re presenting with the following:
Looking at the page source we see the following:
After a quick search on Google we find a decoder here.
Putting the encoded characters in the decoder we get the following:
Scrolling down we see the following:
Hmm… there’s a password that is commented out inside the mystart function.
We also have another function GetPassInfo() that checks for the value of the form to see if it’s easy. If so – then the result is easy, otherwise it’s the wrong code.
Let’s see if we can find where these functions are being used…
Scrolling down some more we have encountered were the functions are used:
We see that when clicking on the button the button invokes the mystart and checkinfo functions.
Let’s try putting in the first commented out password of: 01234567890123456, we get the following:
So that was not the correct password. Let’s try entering: easyyyyyyy!
As you can see that was the correct password.
- Whenever in doubt: VIEW THE PAGE SOURCE. The page source gives the tester GEMS that can be used or lets you know what direction to go into
- Look through the code. I know this can be difficult for testers that do not have a lot of coding experience. This is where Google comes in. No one knows everything, and you need to know when to ask or seek help. From the scenario we know that we need to find the code to unlock the challenge. Looking through the code we see two possible codes. The first one did not work as the code was commented out. The second code worked as you can see from above.