 
After Karma Trader from Level 4 was hit with massive karma inflation (purportedly due to someone flooding the market with massive quantities of karma), the site had to close its doors. All hope was not lost, however, since the technology was acquired by a real up-and-comer, Streamer. Streamer is the self-proclaimed most streamlined way of sharing updates with your friends. You can access your Streamer instance here: https://level06-2.stripe-ctf.com/user-nxtkwuhujp
 The Streamer engineers, realizing that security holes had led to the demise of Karma Trader, have greatly beefed up the security of their application. Which is really too bad, because you've learned that the holder of the password to access Level 7, level07-password-holder, is the first Streamer user.
 As well, level07-password-holder is taking a lot of precautions: his or her computer has no network access besides the Streamer server itself, and his or her password is a complicated mess, including quotes and apostrophes and the like.
 Fortunately for you, the Streamer engineers have decided to open-source their application so that other people can run their own Streamer instances. You can obtain the source for Streamer at git clone https://level06-2.stripe-ctf.com/user-nxtkwuhujp/level06-code. We've also included the most important files below.

This one was a real PITA - not because of the concept, but because of the protection put in place. It again was a persistent CSRF/XSS, but in this case, you couldn't use any quotes - and notice the text: the "level07-password-holder" uses quotes in his password (punk).

This site: http://jdstiles.com/java/cct.html made all the difference in getting past the first barrier. It helps you encode your CSRF code so that it bypasses the quote restriction. Of course, the password you're trying to get has quotes in it, so the easy way I got past that was to just string-substitute the ' and " into something like 5 and 6 - poof, password achieved.
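
Why a filter on literal quote characters is not a defence against the injection described above, as an added example (not code from this post or from Streamer's source). The function names and sample strings are constructed, and both output contexts are assumptions, since the post does not show where Streamer renders user input.

```javascript
// Added illustration: hypothetical names, constructed inputs.

// Weak control: accept anything that has no literal quote character.
function passesQuoteBlacklist(input) {
  return !/['"]/.test(input);
}

// Hardened control for an HTML text or attribute context: encode on output.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened control for data placed inside an inline <script> block:
// serialise as JSON, then escape characters that could close the element
// or terminate a line in older JavaScript parsers.
function toInlineScriptJson(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Constructed samples: neither one contains a literal quote.
const SAMPLES = [
  '<i>markup without quotes</i>',
  '&#39; and &#34; are quotes written as character references',
];

// Report what the blacklist lets through and what encoding does to it.
function audit(samples) {
  return samples.map((s) => ({
    input: s,
    acceptedByBlacklist: passesQuoteBlacklist(s),
    markupSurvivesEscaping: /[<>]/.test(escapeHtml(s)),
    escaped: escapeHtml(s),
  }));
}

console.log(audit(SAMPLES));
```

Both samples are accepted by the blacklist, while output encoding turns them into inert text and leaves legitimate quotes in user data intact.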

 
