This folder contains solutions for the Trythis0ne wargame from trythis0ne.
in this level we need to change the HTTP-header, to fake our web browser.
wget http://trythis0ne.com/levels/web-challanges/1337B/pwd.php --header="User-Agent: 1337Browser_V3.1"
i run this command in wsl, and then open the file pwd.php to see the output:
GoodWork! the password is lizirulezzz :)
Flag: lizirulezzz
i downloaded the image, and played with the contrast and brightness.
so, we can see that the name: Pwd.zip and pass T20.
when we download the zip file, and extract it, we get the exe file Pwd.exe.
Flag: enter flag here
I downloaded the image and run strings filename.bmp in the command line.
i found in the end of the file this string:
53773333742D3569787433336E2100
which looks like hex string… let’s convert it from hex: Sw33t-5ixt33n!
Flag: Sw33t-5ixt33n!
in this challenge you can run the function doit() that will rewrite the page, using decrypting some big array. i find in comment this array:
1013478509,1816005180,1651467385,543319907,1869377394,1025668968,1769235746,1040861039,1868832855,1869769504,745038198,1696627055,1965057398,1701978216,1700885092,543324448,1013071399,1333159282,1818327335,1009738302,541015138,1916668500,1920540788,1864394345,1852055667,1869440372,1751740007,543780384,1936682341,2003330418,1696607790,774778378,171733054,171729522,1044144754,1044144754,1044144754,1044144754,1044144754,1040858211,1868850494,1013346158,1948279663,1819243069,577204833,2032287242,1013146990,1952805438,774332506,1697925492,1613180476,1651654189,1027226144,2050255667,1916823663,1953325417,1814979439,1830828602,1026374703,1667591796,1701985802,1013084734,1013084734,1013084734,1013084734,1013084734,171730543,1853104227,1869377394,1025668968,1769235746,1040855344,825504310,842085170,741423153,943011636,875837484,842018867,808792118,808528945,959656754,808596787,908865846,859059762,909326133,741421874,959985457,959527212,825832755,808859697,875572273,909719605,909391414,942410289,909455668,909587256,892089652,809055030,926364972,825767481,892809521,808725553,926430518,942945585,841758005,926298165,876163116,825242672,943012151,909454385,959723824,925970992,942420278,859123760,808727088,738865464,909654321,959789108,741423413,842611000,909654060,842018867,926495284,942943285,859386933,909521207,741423413,858928688,942881068,892613683,909588792,824979767,808531510,926167609,741423409,876032569,926495020,170997553,925971000,825437239,909194037,942749495,741422902,943206964,943271980,825636917,808596530,959786033,959723570,942683704,925643064,909717556,943272755,741684276,876165432,825437237,875836985,942813750,738865462,926496818,943207730,741422902,959591223,909129004,909456948,942814004,959199029,959460400,892613642,168430112
so i tried to decode it and run the decode func.
myar = new Array(013478509,1816005180,1651467385,543319907,1869377394,1025668968,1769235746,1040861039,1868832855,1869769504,745038198,1696627055,1965057398,1701978216,1700885092,543324448,1013071399,1333159282,1818327335,1009738302,541015138,1916668500,1920540788,1864394345,1852055667,1869440372,1751740007,543780384,1936682341,2003330418,1696607790,774778378,171733054,171729522,1044144754,1044144754,1044144754,1044144754,1044144754,1040858211,1868850494,1013346158,1948279663,1819243069,577204833,2032287242,1013146990,1952805438,774332506,1697925492,1613180476,1651654189,1027226144,2050255667,1916823663,1953325417,1814979439,1830828602,1026374703,1667591796,1701985802,1013084734,1013084734,1013084734,1013084734,1013084734,171730543,1853104227,1869377394,1025668968,1769235746,1040855344,825504310,842085170,741423153,943011636,875837484,842018867,808792118,808528945,959656754,808596787,908865846,859059762,909326133,741421874,959985457,959527212,825832755,808859697,875572273,909719605,909391414,942410289,909455668,909587256,892089652,809055030,926364972,825767481,892809521,808725553,926430518,942945585,841758005,926298165,876163116,825242672,943012151,909454385,959723824,925970992,942420278,859123760,808727088,738865464,909654321,959789108,741423413,842611000,909654060,842018867,926495284,942943285,859386933,909521207,741423413,858928688,942881068,892613683,909588792,824979767,808531510,926167609,741423409,876032569,926495020,170997553,925971000,825437239,909194037,942749495,741422902,943206964,943271980,825636917,808596530,959786033,959723570,942683704,925643064,909717556,943272755,741684276,876165432,825437237,875836985,942813750,738865462,926496818,943207730,741422902,959591223,909129004,909456948,942814004,959199029,959460400,892613642,168430112)
and then execute the follow command: decode(myar), the script rewrite the document and we get this message
Good Work ,have you ever heard by 'Overlay' ?
Try to find something in somewhere .....
however, we haven’t finished yet… we can find this string in the source code and do the same thing again:
1014262132,1818574448,2003050601,1933202536,1634626375,1329871919,1953068140,1698564668, 1651467385,540936775,1869571104,1785684512,557605490,1040859765,1949071208,1635000420, 1868919584,1952998688,2003792484,539456617,1953260839,544367981,1701667429,1914729791, 171712813,761358177,1768824890,1685024295,1948280687,1869048933,544499813,544698226, 1679828852,1769237605,656482349,759040544
and then, we can see this:
i changed the color of the page to green…
we can see it told us to look on the title, OK
THANK GOD!
Flag: ThankGOD
in this level i need in the HTTP post request to send also admin=1, so, let’s use wget in wsl
wget --post-data="user=admin&pass=bla&admin=1&submit=send" http://trythis0ne.com/levels/levels/web-challanges/OSLogin/index.php -O OSLogin.php
and then cat OSLogin.php, the password is in the file
Flag: WeLoveCola
this is the message we get:
Gsv kzhhdliw gszg blf mvvw rh gsv mznv gszg
yvolmth gl gsv nzm gszg hzbh gsv mvcg hvmgvmxv:
"Givzg blfi kzhhdliw orpv blfi gllgsyifhs.
Wlm'g ovg zmbylwb vohv fhv rg, zmw tvg z mvd
lmv vevib hrc nlmgsh."
so, i use this website to decrypt this substitution encrypted cipher. https://planetcalc.com/8047/
then, we got this:
THE WASSFORD THAT YOU NEED IS THE NAME THAT
BELONGS TO THE MAN THAT SAYS THE NEXT SENTENCE:
"TREAT YOUR WASSFORD LIKE YOUR TOOTHBRUSH.
DON'T LET ANYBODY ELSE USE IT, AND GET A NEF
ONE EVERY SIX MONTHS."
which tells us that the password is the name of someone…
Flag: Clifford Stoll
i analyzed char by char, until i got this number: 125446965
Good work! the password to this level is:
KillThelamers!
Flag: KillThelamers
in this level i simply changed my referrer header.
wget -O Pwd.php http://trythis0ne.com/levels/web-challanges/ttp/Pwd.php --header="Referer: http://trythis0ne.com/levels/web-challanges/ttp/TARGET.PHP" && cat Pwd.php
that’s what i get: GoodWork! the password is Cyabr0 :)
Flag: Cyabr0
in this challenge, i saw the js in the frontend and run it from the console in order to find the user and the pass. you can find the code here: [WithStyle.js]
var pass = new Array("0x55","0x52","0x54","0x48","0x45","0x4D","0x41","0x4E");
var user="",Pass="";
user += key.charAt(0);
user += key.charAt(5);
user += key.charAt(3);
user += key.charAt(4);
user += key.charAt(7);
user += key.charAt(1);
user += key.charAt(2);
user += key.charAt(6);
for(i=0;i<pass.length;i++)
{
pass[i] = parseInt(pass[i]);
pass[i] = String.fromCharCode(pass[i]);
}
pass = pass.join("");
var pass = new Array("0x55","0x52","0x54","0x48","0x45","0x4D","0x41","0x4E");
var user="",Pass="";
user += key.charAt(0);
user += key.charAt(5);
user += key.charAt(3);
user += key.charAt(4);
user += key.charAt(7);
user += key.charAt(1);
user += key.charAt(2);
user += key.charAt(6);
for(i=0;i<pass.length;i++)
{
pass[i] = parseInt(pass[i]);
pass[i] = String.fromCharCode(pass[i]);
}
pass = pass.join("");
console.log("username is: " + user)
console.log("password is: " + pass)
then, the user is 1r73se3u and pass is URTHEMAN
Flag: 7EA7 MAN'1 HAN7