In level 1 the password was sent in clear text, but here in level 2 the sha1 hash of the password is sent instead. So this time the sha1 JS client code is used: <script type="text/JavaScript" src="/js/sha1.js"></script>.
login: admin' or 1=1-- -
pass: random
=> Wrong username and/or password!
So I guess this time the username field is no longer injectable but the password field still is. We just need to bypass the sha1 JS script to send what we want instead of the hash. I'm always using NoScript so I used that to block it, but you can also use a proxy to send your payload.
login: admin
pass: ' or 1=1#
=> Login successful!
So let's fire SQLmap again; we need to increase the risk to level 3 in order to perform OR-based tests. SQLmap will use SLEEP() (time-based blind SQLi) to solve this level, example: username=admin&password=admin' OR SLEEP(5) AND 'lDFe'='lDFe (to do it with a script, replace what is after the AND with the sub-query you want to test, like the password length and its content char by char).
Of course we need to crack the sha1 hash. The username suggests you use Johnny a.k.a. John the Ripper to crack the password, but why fire the overkill weapon when crackstation or hashkiller can tell you the password is "first blood".
Note: don't forget to enable JavaScript again, or stop using the proxy, or keep blocking but send the hash instead of the password (yeah, cracking the password hash is not necessary because what is sent is the hash, so the hash effectively is the password, nothing changes, so this client-side sha1 pseudo-security is 100% useless).
Connect with credentials and get level3 message: Great job! Now visit /tasks/3_YRvXHvCrdizCccUX1LHph6B/.
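To make the level-2 design concrete, here is an added example (not code from the writeup or the challenge): a toy sqlite3 login that trusts the 40-hex-char sha1 coming from the JS and pastes it into the query, next to a hardened login with bound parameters and server-side salted PBKDF2. The sample user and the password "first blood" are constructed from the writeup; SQLite uses `--` rather than `#` for comments, so the payload is written in the level-1 form.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample data: the writeup's account, with "first blood" as
# the password the sha1 resolved to.
USER, PASSWORD = "admin", "first blood"


def client_sha1(password):
    """What /js/sha1.js computes in the browser before the form is posted."""
    return hashlib.sha1(password.encode()).hexdigest()


def _pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200000)


def build_db():
    """In-memory sqlite3 with both schemas: the level-2 style table holding
    a bare sha1, and a hardened table holding a per-user salt + PBKDF2."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 (USER, client_sha1(PASSWORD)))
    conn.execute("CREATE TABLE users_h (username TEXT, salt BLOB, pwhash BLOB)")
    salt = os.urandom(16)
    conn.execute("INSERT INTO users_h VALUES (?, ?, ?)",
                 (USER, salt, _pbkdf2(PASSWORD, salt)))
    return conn


def login_vulnerable(conn, username, sha1_from_client):
    """Level-2 style check: username is bound (no longer injectable), but the
    hash field is assumed to be 40 hex chars because the JS produced it, so it
    is concatenated into the SQL. Note the stored sha1 itself is the credential."""
    query = ("SELECT username FROM users WHERE username=? "
             "AND password='%s'" % sha1_from_client)
    return conn.execute(query, (username,)).fetchone() is not None


def login_hardened(conn, username, password):
    """Server-side check: every value is bound, the password is hashed with a
    per-user salt on the server, and the comparison is constant-time."""
    row = conn.execute("SELECT salt, pwhash FROM users_h WHERE username=?",
                       (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(_pbkdf2(password, salt), stored)
```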
But our dump is 180MB, and using the script filled the 4GB of RAM of my VM and froze it.
So here is what I read about improving the memory impact:
When you read a PCAP file with rdpcap, the full list of decoded packets is saved in memory. If you need to do some processing per packet and do not need the full list, then it is much more memory efficient to use RawPcapReader.
```python
#!/usr/bin/env python
"""
Modified version of StalkR's script from
http://blog.stalkr.net/2010/10/hacklu-ctf-challenge-9-bottle-writeup.html
This version doesn't use any Popen calls, and ignores any errors while
decoding - krx
"""
import zlib
from base64 import b64encode, b64decode, b32encode, b32decode
from string import translate, maketrans
# Added: the scapy names used below (PcapReader, DNS, DNSQR, DNSRR, IP)
from scapy.all import PcapReader, DNS, DNSQR, DNSRR, IP

# infile, tld, dn_header(), up_header(), uncompress(), encoder() and
# upstream_encoding come from the rest of StalkR's script (not reproduced here)

# Extract packets from DNS tunnel
# Note: handles fragmentation, but not packet reordering (sequence numbers)
dn_pkt, up_pkt = '', ''
datasent = False
E = []
i = 0
# modified from rdpcap to PcapReader so packets are streamed, not held in RAM
with PcapReader(infile) as pcap_reader:
    for pkt in pcap_reader:
        i += 1
        if i % 1000 == 0:  # Just for progress
            print i
        if not pkt.haslayer(DNS):
            continue
        if DNSQR in pkt:
            if DNSRR in pkt and len(pkt[DNSRR].rdata) > 0:
                # downstream/server
                d = pkt[DNSRR].rdata
                if datasent:
                    # real data and no longer codec/fragment checks
                    dn_pkt += d[2:]
                    if dn_header(d)['lastfrag'] and len(dn_pkt) > 0:
                        u = uncompress(dn_pkt)
                        if u:
                            # Include the packet if decoding succeeded,
                            # ignore it and move on otherwise
                            E += [IP(u[4:])]
                        dn_pkt = ''
            else:
                # upstream/client
                d = pkt[DNSQR].qname
                if d[0].lower() in "0123456789abcdef":
                    datasent = True
                    up_pkt += d[5:-len(tld)].replace(".", "")
                    if up_header(d)['lastfrag'] and len(up_pkt) > 0:
                        u = uncompress(encoder(upstream_encoding, decode=up_pkt))
                        if u:
                            # Include the packet if decoding succeeded,
                            # ignore it and move on otherwise
                            E += [IP(u[4:])]
                        up_pkt = ''
```
Decoding an SSL connection requires either knowledge of the (asymmetric) secret server key and a handshake that does not use DH, or the (base of) the symmetric keys used to run the actual encryption. Support for this was added to Wireshark with SVN revision 37401, so it became available with Wireshark 1.6. For instructions look at this question on ask.wireshark.org.
Since SVN revision 36876, it is also possible to decrypt traffic when you do not possess the server key but have access to the pre-master secret. For more details, see this security.stackexchange.com answer or this step-by-step walkthrough. That answer also contains some suggestions on finding out why SSL/TLS sessions do not get decrypted. In short, it should be possible to log the pre-master secret to a file with a current version of Firefox, Chromium or Chrome by setting an environment variable (SSLKEYLOGFILE=</path/to/private/directory/with/logfile>); keep that file private, since anyone holding it can decrypt the captured sessions.