Sunday, February 19, 2017

#ACKIM by Nullcon

Every year before one of the largest Security Conference of India NullCon, the nullcon team hosts a CTF. One of the most interesting challenges which is worth participating.


This particular blog is for the first of the challenge of web applications called as WEB100

This one i think was the most easiest for the ones atleast who are music lovers..

Chris Martin was the Hint..

For those who don't know him..

Will strongly suggest to know him through his outstanding songs.

It gave us a small hint on trying the same as user name and password.

user: chris

Oops My IP is locked. Somebody is watching..Hmm

View Source was my next weapon.  Woooo i got something.. Looks like Base 64. Is it...Oh yeah it is.. 


curl -w gives the same result.

Decoded the same. Sample command is 

echo "YOUR STRING" | base64 -d

echo "MmI0YjAzN2ZkMWYzMDM3NWU1Y2Q4NzE0NDhiNWI5NWM=" | base64 -d


Now there are two ways to crack this. One is to identify the kind of string it is and then see if it can be cracked.

The second one is easiest. Google :)

I was lucky and got a couple of good results.

With username and password as below gave us the flag:


Wait, there was another hindrance. Ah WAF again....Gosh..

To bypass the WAF change the X-Forwarded-For header to Ofcourse Martin has to come home...

Yeahhh it is paradise....

No comments:

Post a Comment