CSAW 2017 CTF Write-up: Web littlequery

### Points
200

### Readme
```
I've got a new website for BIG DATA analytics!
http://littlequery.chal.csaw.io
```

### Steps

0. The website has nothing other than a login page. When we tried to log in with dummy data such as test/test, we noticed that the password field is modified before the data is submitted to the server.

Viewing the page source, we find a JavaScript file at `js/login.js` that handles the form data.

The JavaScript file contains only one function:

```
$(".form-signin").submit(function () {
    var $password = $(this).find("input[type=password]");
    $password.val(CryptoJS.SHA1($password.val()).toString());
});
```

So the password entered is hashed with SHA1 before it is submitted to the server (and is probably stored in the same format).

We then came up with an idea: if we know the username and the hashed password, we can use them directly to log in to the website without the need of finding…
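The observation above, as an added example that is not part of the original write-up or the challenge's code: when the server stores the client-side SHA1 unchanged, the stored value is itself the credential, whereas a server that hashes the submitted value again with a per-user salt stores something that cannot be submitted to log in. The storage layout, the function names and the sample account are assumptions made for illustration.

```javascript
const crypto = require("crypto");

// What js/login.js puts in the password field before the form is submitted.
const clientHash = (pw) => crypto.createHash("sha1").update(pw).digest("hex");

// Weak design (assumed): the server stores the submitted SHA1 as-is and compares it.
function weakRegister(db, user, submitted) {
  db.set(user, submitted);
}
function weakLogin(db, user, submitted) {
  if (!db.has(user)) return false;
  const stored = Buffer.from(db.get(user), "utf8");
  const given = Buffer.from(String(submitted), "utf8");
  return stored.length === given.length && crypto.timingSafeEqual(stored, given);
}

// Hardened design: treat whatever the client sends as the password and
// store only a salted scrypt digest of it.
function hardenedRegister(db, user, submitted) {
  const salt = crypto.randomBytes(16);
  db.set(user, { salt, digest: crypto.scryptSync(submitted, salt, 32) });
}
function hardenedLogin(db, user, submitted) {
  const rec = db.get(user);
  if (!rec) return false;
  const candidate = crypto.scryptSync(String(submitted), rec.salt, 32);
  return crypto.timingSafeEqual(rec.digest, candidate);
}

// Constructed sample account; not data from the challenge.
function demo() {
  const weakDb = new Map();
  const hardDb = new Map();
  const sent = clientHash("correct horse");
  weakRegister(weakDb, "alice", sent);
  hardenedRegister(hardDb, "alice", sent);
  // The values a read-only leak of each user table would expose.
  const leakedWeak = weakDb.get("alice");
  const leakedHard = hardDb.get("alice").digest.toString("hex");
  return {
    weakLegit: weakLogin(weakDb, "alice", sent),
    weakReplay: weakLogin(weakDb, "alice", leakedWeak), // stored value logs in
    hardLegit: hardenedLogin(hardDb, "alice", sent),
    hardReplay: hardenedLogin(hardDb, "alice", leakedHard), // stored value is rejected
  };
}
```

Client-side hashing only changes what the password is; the server-side salted hash is what keeps a leaked table from being directly usable.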
