OWASP Hackademic Challenge 10

Another day, another challenge…

Today’s challenge will conclude the Hackademic Challenge.

Below is the scenario:

Would you like to become an active hacker ?
How about becoming a member of the world’s largest hacker group:
The n1nJ4.n4x0rZ.CreW!

Before you can join though, you ‘ll have to prove yourself worthy by passing the test that can be found at: http://n1nj4h4x0rzcr3w.com

If you succeed in completing the challenge, you will get a serial number, which you will use for obtaining the password that will enable you to join the group.

Your objective is to bypass the authentication mechanism, find the serial number and be supplied with your own username and password from the admin team of the site.

Clicking the link we see the following screen:

challenge10intro

Doing a right click, page source we see the following:

challenge10pagesource

Looking at the line above the password line we noticed that there is a hidden field called “LetMeIn” which is set to false. What if we set this to true?

Going back to the our original screen, and clicking on Tools –> Web Developer Extension –> Forms –> Display Form Fields we see the following screen:

challenge10formfields

Changing the field from “False” to “True” and pressing the “Login” button we see the following:

challenge10encoding

Hmm… there’s an alert box that has encoding in it. Could this encoding contain the serial number?

Copying the encoding and going to Google we search for “Decoder online”. We found a website HERE

Changing the encoding type from Base64 to URL encoding and pressing “Decode” we see the following:

challenge10serialnumber

We have the serial number!

Going back to the challenge and pressing Enter we’re presented with the following screen:

challenge10email

Entering our name and serial number, and pressing the send button we see the following screen:

challenge10congrats

Lesson learned:

Our trick of right clicking and viewing the page source helped us. We noticed that there is a hidden field titled, “LetMeIn”. Developers believe that just because a field is hidden a penetration tester could not exploit these fields. This is further from the truth.

After we have tampered with the hidden field we are next encountered with encoding. Doing a quick Google search we found an encoder/decoder online that we can use to decode the encoding.

Once that decoding is done we entered our name and serial number on the next screen and we have completed the challenge.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s