
OWASP AppSec EU 2011 - Second Challenge Released!

  • 21-03-2011 4:32pm
    #1
    Registered Users Posts: 52 ✭✭


    Hi there,

    Here is the second challenge to win a free entrance ticket to AppSec EU 2011!

    Jotto - The Game

    The computer will think of a five letter word with unique letters. After you attempt to guess the word, the computer will tell you whether you guessed the word successfully, or how many of the letters in your word match the computer's word. Keep on submitting five letter words until you have guessed the computer's word.
    In order to win a free ticket to AppSec EU 2011 you need to hack the game & database of Jotto.

    Once you solve the exercises, please send us an email to ireland@owasp.org with your full name and details on how you accomplished this goal.

    The first one who solves these exercises gets a free ticket to OWASP AppSec EU 2011!

    Please visit http://www.appseceu.org/?page_id=273 to find out further details about the challenge.

    A big THANKS goes to Mordecai for setting up and customizing the challenge.

    Thank you and best of luck everyone!

    Fabio Cerullo


Comments

  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Thanks :) Will give it a bash.


  • Registered Users Posts: 36 chuckleberryfin


    I think I got it first, but my name wasn't displaying on the hacked page at first. Not sure if it's a bug, probably not though. :(

    It wasn't. ;;


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Done :) (as peann)


  • Registered Users Posts: 36 chuckleberryfin


    Ah no, I messed up. :(

    Curse you owasp!! :)


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    I re-submitted my email as my first e-mail wasn't very thorough. :) Also, just like vicnum - it's possible to cheat this game without actually hacking it. I contacted the developer the last time, but he didn't correct it for this game unfortunately.


  • Registered Users Posts: 36 chuckleberryfin


    Can I ask, what's the way to cheat?


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    I can't say, or I'll give it away. I contacted the app-developer before about this and offered a remedy to correct it. Suffice to say, he hasn't solved it yet :)


  • Registered Users Posts: 36 chuckleberryfin


    Ah right, can you PM it? I finished the challenge this afternoon. :)


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Sent you a PM :)


  • Registered Users Posts: 52 ✭✭fcerullo


    I’m glad to announce Marco Bonetti (@_sid77) from Italy is the lucky winner of a free ticket to AppSec EU 2011.

    Here is how he hacked the Jotto game & database:

    I fired up my copy of Burp Suite and I started playing the game.

    Beating the game is pretty straightforward: after choosing a nickname (like “sid77”) I landed on this page:
    http://jotto.ciphertechs.com/cgi-bin/jotto1.pl. There are some hidden fields within the submit form; the most important is the one named “guess”: its value is the rot13 encrypted value of the word you have to guess! For example, “bcren” is “opera”, “oebxr” is “broke” and so on. Recognizing a rot13 encrypted value is easy: the cipher text (“bcren”) is exactly as long as the plain text (“opera”), which is a hint that the encryption scheme could be something easy to break; furthermore, similar words have the same similar letters (like “cebor” and “cebir”, which translate into “probe” and “prove” respectively). So I opened my terminal, started up the rot13 console program (it’s part of the BSD-games package) and I was able to submit the right solution.

    Beating the game is not enough, though. The next step is to hack it and manage to submit a 0 guesses solution. I was able to accomplish this by taking a look at http://jotto.ciphertechs.com/cgi-bin/jotto2.pl, which is the landing page after submitting a solution. Inspecting the “CONTINUE” button reveals more hidden fields. Again, the interesting one is the “cnt” value, which represents the current number of guesses. As before, tampering with the hidden fields is the right thing to do: submitting a request with “cnt” set to 0 allowed me to hack the game. Hitting the “CONTINUE” button will bounce the connection to http://jotto.ciphertechs.com/cgi-bin/jotto3.pl and then to
    http://jotto.ciphertechs.com/jotto4.php; this PHP page is the entry point for the last step: hacking the db.

    In order to hack the db I re-used the same SQL injection which was available during the first challenge: submitting a request for “sid77' OR '1'='1” allowed me to see all available entries inside the “results” table. The worst score was the first one there: “find the last name in the jotto file has guessed bjnfc in 2147483647 guess(es) on 2011-03-15 09:19:49”. After an unsuccessful attempt at hacking the db using the nickname “find the last name in the jotto filesid77” I actually read the meaning of those words and started poking around with the webserver, trying a combination of the words “appseceu”, “owasp” and “jotto”. While hitting the url http://jotto.ciphertechs.com/jotto/ I was greeted with a “Directory listing not allowed” error code instead of the usual “Not found”: I was on the right track! The jotto file was hosted over at http://jotto.ciphertechs.com/jotto/jotto. The last name was “owasp” so I repeated the steps to hack the game using “owaspsid77” as the nickname and I was able to write my nickname in http://jotto.ciphertechs.com/jottodbhack.php.
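    As an added example (not the game's code; the original was Perl CGI plus PHP, this is Python), here are the two hidden-field weaknesses the write-up above relies on next to a fix: rot13 in the “guess” field is a reversible letter substitution, and an unsigned “cnt” field can be edited freely. Keeping the word on the server and HMAC-signing the hidden state makes an edited cnt fail verification. The key, the in-memory game store and the token format are constructed for this example.

```python
import codecs, hashlib, hmac, json, secrets

# Constructed key and server-side game store (the real game was stateless CGI).
SERVER_KEY = b"constructed-example-key-do-not-reuse"
GAMES: dict[str, str] = {}

def rot13(word: str) -> str:
    """What the original 'guess' hidden field held: rot13 is a fixed substitution,
    same length as the plaintext, so the field is as revealing as the word itself."""
    return codecs.encode(word, "rot13")

def sign_state(state: dict) -> str:
    """Hidden state as canonical JSON plus an HMAC-SHA256 tag (constructed format)."""
    body = json.dumps(state, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag

def load_state(token: str):
    """Verify the tag before trusting any field; None means tampered or malformed."""
    body, sep, tag = token.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(body)

def new_game(word: str) -> str:
    """The secret word stays in GAMES; only an opaque id and the count go to the client."""
    game_id = secrets.token_hex(8)
    GAMES[game_id] = word
    return sign_state({"game": game_id, "cnt": 0})

def submit_guess(token: str, guess: str):
    """Jotto scoring (letters in common) driven by verified state; rejects edited tokens."""
    state = load_state(token)
    if state is None or state.get("game") not in GAMES:
        return None
    word = GAMES[state["game"]]
    cnt = state["cnt"] + 1
    result = {"won": guess == word, "matches": len(set(word) & set(guess)), "cnt": cnt}
    return result, sign_state({"game": state["game"], "cnt": cnt})

def edit_cnt(token: str, new_cnt: int) -> str:
    """Change cnt in the hidden field without the key, as a proxy user would;
    the old tag no longer covers the new body, so load_state() rejects it."""
    body, _, tag = token.rpartition(".")
    state = json.loads(body)
    state["cnt"] = new_cnt
    return json.dumps(state, sort_keys=True, separators=(",", ":")) + "." + tag
```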


  • Registered Users Posts: 367 ✭✭900913


    Your wordpress has XSS.
    http://www.appseceu.org/?s=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
    


  • Registered Users Posts: 1,311 ✭✭✭Procasinator


    900913 wrote: »
    Your wordpress has XSS.
    http://www.appseceu.org/?s=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
    

    Probably introduced by the theme.

    Maybe someone should let the author know.
    Cause if it is the theme, 1452 people have bought the theme.

    http://themeforest.net/item/convergence-community-wordpress-theme/34924

