Tags: web 


# Web1, Web, 100pts

## Problem

Chris Martin wants to go home. Can you help him get there as soon as possible?

## Solution

We get simple page with login form.

When I've tried to login, message about some strange error occured:

Also, in the HTML source, there was Base64 string hidden at the bottom of the page:


Time to collect all the crumbs together:

- Chris Martin (from challenge description) is co-founder and a lead of Coldplay band
- we have to help him to get home
- there is (probably) a table in database where hostname and IP are logged

First, I've tried classic SQL Injection in login form. It did not work and nothing really changed. So I decided to focus on words from error message - __host__ and __IP__.

Chris wanted to go home.

And as we know...

(source: https://images5.alphacoders.com/426/426359.png)


When I've added __X-Forwarder-For__ HTTP request header with value, an error message did not appear. It was a good sign.

POST /web100/ HTTP/1.1
Content-Length: 27
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Stack
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: pl-PL,pl;q=0.8,en-US;q=0.6,en;q=0.4
Connection: close

But still username and password was left to find.

Decoded Base64 string contains MD5 hash: 2b4b037fd1f30375e5cd871448b5b95c. When I've tried to look for it in Google hoping it is already cracked password, the only thing I found was this:


All results were just links to XML with list of songs. However, those links also contained reference to 'Coldplay - Paradise' album name. It just could not be accident.

Indeed, __coldplay__ as username and __paradise__ as password allows to get the flag and send Chris home:


Original writeup (https://github.com/bl4de/ctf/blob/master/2017/nullcon_HackIM_2017/Web1.md).