What is it? @.@

Here is the place where I record some tactics about wargames, systems, and other security issues.

2012-09-23

Hack This Site! - Extbasic 10

Description:

Windows shell? ZOMG!

Level 10

The following is a batch script authentication system. Your goal here is to get the batch script to authenticate you by inputting a password into the field. For this extbasic, your goal is to circumvent authentication altogether. Decrypting the password is for extbasic11.

@ECHO OFF
SETLOCAL ENABLEDELAYEDEXPANSION
SET PRIME=2  3  5  7  11 13 17 19 23 29 31 37 41 43 47 53 59 61 67 71 73 79 83 89 97 101
SET CHARS=a  b  c  d  e  f  g  h  i  j  k  l  m  n  o  p  q  r  s  t  u  v  w  x  y  z
SET PASSWORDVALUE=1
SET INPUT=
SET /P INPUT=Insert password:
IF "%INPUT%"=="" "%~0"
ECHO Authenticating...
:OVERLOOP
SET CURRENTPOSITION=0
:SUBLOOP
IF /I "!INPUT:~%CHARACTERPOSITION%,1!"=="!CHARS:~%CURRENTPOSITION%,1!" SET /A PASSWORDVALUE*=!PRIME:~%CURRENTPOSITION%,3!
SET /A CURRENTPOSITION+=3
IF NOT %CURRENTPOSITION%==78 GOTO :SUBLOOP
SET /A CHARACTERPOSITION+=1
IF NOT "!INPUT:~%CHARACTERPOSITION%,1!"=="" GOTO :OVERLOOP
:END
ENDLOCAL&IF NOT %PASSWORDVALUE%==1065435274 GOTO :ACCESSDENIED
ECHO You have been authenticated. Welcome aboard!
GOTO :SILENTPAUSE
:ACCESSDENIED
ECHO Access denied!
:SILENTPAUSE
PAUSE > NUL
 

Solution:
  1. This challenge wants you to circumvent the script's authentication, which means bypassing the validation process entirely.
  2. Look at the code below. The first thing to do is make the script jump straight to the END label, and the second is to set the variable PASSWORDVALUE to 1065435274.
    :END
    ENDLOCAL&IF NOT %PASSWORDVALUE%==1065435274 GOTO :ACCESSDENIED
  3. Then you are authenticated.
    ECHO You have been authenticated. Welcome aboard!
  4. Now look at the other part of the script, the part that handles user input.
    SET INPUT=
    SET /P INPUT=Insert password:
    IF "%INPUT%"=="" "%~0"
  5. The IF statement checks for empty input and runs the script again ("%~0") until the user enters something. The key point to notice is that the comparison wraps the expanded input in double quotes: because %INPUT% is substituted before cmd.exe parses the line, a double quote inside the input closes the quoted string, and whatever follows it is parsed as part of the command.
  6. So you can inject code by setting the variable INPUT to "=="" blah-blah; the IF statement then becomes the following.
    IF ""=="" blah-blah "=="" "%~0"
  7. Now let's accomplish the goal. Enter the injection below and check.
    "=="" SET PASSWORDVALUE=1065435274 && GOTO :END_
    (the underscore at the end of the injection stands for a trailing space)
  8. Done.
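As an added, defender-side example (my own code, not part of the original writeup or of Hack This Site), here is a small static check for the pattern the walkthrough exploits. In cmd.exe, %VAR% is substituted before the line is parsed, so quotes and operators inside user input become part of the command; !VAR! (delayed expansion, which this script already enables) is substituted after parsing and is not re-parsed. The checker takes a constructed copy of the challenge script, flags every %VAR% use of a variable read with SET /P, and rewrites those references to !VAR!. It is a line-based regex check, not a full cmd parser, so that is an assumption about the scripts it is run on.

```python
"""Added example: flag user-input variables that a batch script re-expands
with %VAR% (substituted before parsing, so injectable) and rewrite them to
!VAR! (delayed expansion, substituted after parsing, not re-interpreted)."""
import re

# Constructed copy of the challenge script, used here as the input under test.
VULNERABLE_SCRIPT = """@ECHO OFF
SETLOCAL ENABLEDELAYEDEXPANSION
SET PRIME=2  3  5  7  11 13 17 19 23 29 31 37 41 43 47 53 59 61 67 71 73 79 83 89 97 101
SET CHARS=a  b  c  d  e  f  g  h  i  j  k  l  m  n  o  p  q  r  s  t  u  v  w  x  y  z
SET PASSWORDVALUE=1
SET INPUT=
SET /P INPUT=Insert password:
IF "%INPUT%"=="" "%~0"
ECHO Authenticating...
:OVERLOOP
SET CURRENTPOSITION=0
:SUBLOOP
IF /I "!INPUT:~%CHARACTERPOSITION%,1!"=="!CHARS:~%CURRENTPOSITION%,1!" SET /A PASSWORDVALUE*=!PRIME:~%CURRENTPOSITION%,3!
SET /A CURRENTPOSITION+=3
IF NOT %CURRENTPOSITION%==78 GOTO :SUBLOOP
SET /A CHARACTERPOSITION+=1
IF NOT "!INPUT:~%CHARACTERPOSITION%,1!"=="" GOTO :OVERLOOP
:END
ENDLOCAL&IF NOT %PASSWORDVALUE%==1065435274 GOTO :ACCESSDENIED
ECHO You have been authenticated. Welcome aboard!
GOTO :SILENTPAUSE
:ACCESSDENIED
ECHO Access denied!
:SILENTPAUSE
PAUSE > NUL
"""

NAME = r"[A-Za-z_][A-Za-z0-9_]*"


def find_user_vars(lines):
    """Variables populated from keyboard input via SET /P (upper-cased)."""
    user_vars = set()
    for line in lines:
        m = re.match(r'\s*SET\s+/P\s+"?(' + NAME + r")=", line, re.IGNORECASE)
        if m:
            user_vars.add(m.group(1).upper())
    return user_vars


def _percent_ref(var):
    # %VAR%, %VAR:~a,b% or %VAR:x=y%: all expanded before parsing (unsafe).
    return re.compile(r"%(" + re.escape(var) + r"(?::[^%]*)?)%", re.IGNORECASE)


def find_unsafe_expansions(script):
    """Return (line_no, var, line) for every %VAR% use of a user-input variable."""
    lines = script.splitlines()
    user_vars = find_user_vars(lines)
    findings = []
    for n, line in enumerate(lines, 1):
        if re.match(r"\s*SET\s+/P\b", line, re.IGNORECASE):
            continue  # the prompt line itself only assigns the variable
        for var in sorted(user_vars):
            if _percent_ref(var).search(line):
                findings.append((n, var, line.strip()))
    return findings


def delayed_expansion_enabled(script):
    """True if the script turns on delayed expansion, which !VAR! relies on."""
    return re.search(r"^\s*SETLOCAL\b.*ENABLEDELAYEDEXPANSION", script,
                     re.IGNORECASE | re.MULTILINE) is not None


def harden(script):
    """Rewrite %VAR% references to user-input variables as !VAR!."""
    if not delayed_expansion_enabled(script):
        raise ValueError("script must SETLOCAL ENABLEDELAYEDEXPANSION first")
    lines = script.splitlines()
    user_vars = find_user_vars(lines)
    out = []
    for line in lines:
        if not re.match(r"\s*SET\s+/P\b", line, re.IGNORECASE):
            for var in user_vars:
                line = _percent_ref(var).sub(r"!\1!", line)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for n, var, text in find_unsafe_expansions(VULNERABLE_SCRIPT):
        print(f"line {n}: %{var}% is expanded before parsing -> {text}")
    print("hardened:", harden(VULNERABLE_SCRIPT).splitlines()[7])
```

On the challenge script the only finding is line 8, `IF "%INPUT%"=="" "%~0"`, and the rewritten line `IF "!INPUT!"=="" "%~0"` treats a quote or `&&` in the input as plain characters, so the breakout in step 6 no longer works. The script's other references to INPUT already use the `!INPUT:~...!` form and are not flagged.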