Whitehat Wargame websecurity challenges

Walkthrough of some web security challenges that are present at the Whitehat wargame.

Note: It is the walkthrough of challenge that is present not at the above link.
It is not a CTF

WebSecurity Challenge Web001

Visiting the URL mentioned.

So the flag is on the web page itself. Let's check the view source.

The flag was in the view source as shown above.

WebSecurity Challenge Web002

Visiting the URL.

So nothing on this page.
Let's check the view source.

Search engines are guided by the robots file.
Checking for the robots.txt file.

There was one entry.

Visiting the URL gave me the flag as shown below.

WebSecurity Challenges Web003

Visiting the URL gave me a login page as shown below:

Checking out view source:

Tried to log in with username as test and password as test.

The page did not have the flag.

After observing and analyzing the cookie value, 2 observations were made:
1) The user name test goes in the request.
2) The error on the page says that you are not admin.

So I refreshed the page and replaced test with admin as shown below:

Send the request.

And I got the Flag.
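
The swap works because the server takes the username in the cookie at face value. As an added example (not part of the original walkthrough or the challenge's code), the Python below puts that weak check beside one that binds the username to a server-side HMAC; the cookie name `user`, the key and the function names are assumptions.

```python
import hashlib
import hmac

# Constructed demo key (assumption); a real deployment loads it from a secret store.
SECRET_KEY = b"constructed-demo-key-not-for-production"


def is_admin_weak(cookies: dict) -> bool:
    """Weak pattern: the role decision trusts a value the browser controls."""
    return cookies.get("user") == "admin"


def _tag(username: str) -> str:
    """HMAC-SHA256 over the username, hex encoded."""
    return hmac.new(SECRET_KEY, username.encode(), hashlib.sha256).hexdigest()


def issue_cookie(username: str) -> str:
    """Called only after a successful login: cookie value is '<username>.<mac>'."""
    return f"{username}.{_tag(username)}"


def verified_user(cookies: dict):
    """Return the username only if its MAC verifies, otherwise None."""
    value = cookies.get("user", "")
    username, sep, tag = value.rpartition(".")
    if not sep or not username:
        return None  # no MAC present: an unsigned or hand-edited cookie
    # compare_digest on bytes gives a constant-time comparison
    if hmac.compare_digest(tag.encode(), _tag(username).encode()):
        return username
    return None


def is_admin_hardened(cookies: dict) -> bool:
    """Role decision based only on a cookie the server itself issued."""
    return verified_user(cookies) == "admin"


if __name__ == "__main__":
    issued = issue_cookie("test")                 # what the user 'test' receives
    edited = "admin." + issued.rpartition(".")[2]  # name replaced, MAC left as is
    print("weak, edited cookie:    ", is_admin_weak({"user": "admin"}))
    print("hardened, edited cookie:", is_admin_hardened({"user": edited}))
    print("hardened, real admin:   ", is_admin_hardened({"user": issue_cookie("admin")}))
```

A server-side session store that maps a random session ID to the user achieves the same result without putting the username in the cookie at all.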

WebSecurity Challenges Web004

Quite a tricky challenge

Visiting the URL shows a password page.

There was also a script embedded in the page. This challenge was all about decoding the script.
Encoding type is "6 character encoding jsfuck". It took a lot of struggle to know about it and execute.

Executing the script gave the password.
Entering the password gave the flag.

WebSecurity Challenges Web005

Visiting the URL:

Login page. I can think of 3 ways to bypass login page.
1) SQL injection.
2) Parameter tampering.
3) Session fixation.

Starting with some SQL injection payloads. I used many custom-made payloads and available fuzzers to solve it.
I used the following to get the Flag

Submitted the request and got the flag.

