Every year before one of the largest Security Conference of India NullCon, the nullcon team hosts a CTF. One of the most interesting challenges which is worth participating.
IT's FREE of COST
This particular blog is for the first of the challenge of web applications called as WEB100
This one i think was the most easiest for the ones atleast who are music lovers..
Chris Martin was the Hint..
For those who don't know him..
Will strongly suggest to know him through his outstanding songs.
It gave us a small hint on trying the same as user name and password.
Oops My IP is locked. Somebody is watching..Hmm
View Source was my next weapon. Woooo i got something.. Looks like Base 64. Is it...Oh yeah it is..
curl -w http://188.8.131.52/web100/ gives the same result.
Decoded the same. Sample command is
echo "YOUR STRING" | base64 -d
echo "MmI0YjAzN2ZkMWYzMDM3NWU1Y2Q4NzE0NDhiNWI5NWM=" | base64 -d
Now there are two ways to crack this. One is to identify the kind of string it is and then see if it can be cracked.
The second one is easiest. Google :)
I was lucky and got a couple of good results.
With username and password as below gave us the flag:
Wait, there was another hindrance. Ah WAF again....Gosh..
To bypass the WAF change the X-Forwarded-For header to 127.0.0.1. Ofcourse Martin has to come home...
Yeahhh it is paradise....