Defendtheweb: Realistic Level 1–4 CTF Challenges

Regan
Aug 29, 2024

1. World of Peacecraft / Realistic

I began by logging into the target’s email account using the provided email address.

I navigated to the inbox to check for relevant emails. I identified an email titled “World of Peacecraft — Activate Account” and opened it.
I saw a message directing the user to a specific website in order to activate their account, so I kept a record of the given URL since I figured I’d need it later to activate the account.
I navigated to the trash folder within the email account and looked for any discarded emails that might contain valuable information. I was able to identify an email titled “uStudio — Password Request” and I opened it.

Revealing the Password: Inside the “uStudio — Password Request” email, there was a message indicating that the password has been requested.
Be sure to delete this email from the trash folder to minimize traces of the compromise.
I returned to the “World of Peacecraft — Activate Account” email. I clicked on the provided link, which took me to a page prompting for the password.
I entered the password obtained from the “uStudio — Password Request” email.

2. Library Gateway / Realistic

I accessed the provided link and was presented with the Library Gateway page. So yeah, I figured I had to log in.
In order to continue, I had to enter the necessary information in the part that asked for my login and password. I decided to view the web page’s source code.
During the search, I came across a line of code: “URL = "members/" + username + " " + password + ".htm";”. This code indicates that the login credentials might be used to form a URL that leads to a specific page.
I modified the URL to “https://defendtheweb.net/extras/playground/real/2/members”. It opened a new page associated with the provided login credentials.
I discovered that the correct login credentials are “librarian” as the username and “sweetlittlebooks” as the password.
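The weakness in this level is that the secret is the page's file name, so anything that lists the directory discloses it. The following is an added example, not code from the challenge or the original writeup: an audit check for that naming pattern next to a server-side credential check. The directory contents, user name, password and PBKDF2 iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os
import tempfile

def credentials_in_filenames(members_dir):
    """Audit check: (user, password) pairs exposed by '<user> <pass>.htm' names."""
    exposed = []
    for name in sorted(os.listdir(members_dir)):
        stem, ext = os.path.splitext(name)
        if ext == ".htm" and " " in stem:
            exposed.append(tuple(stem.split(" ", 1)))
    return exposed

def hash_password(password, salt):
    # PBKDF2-HMAC-SHA256; the iteration count is an assumed work factor.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def new_record(password):
    # Store only a random salt and the derived hash, never the password itself.
    salt = os.urandom(16)
    return salt, hash_password(password, salt)

def verify_login(store, username, password):
    """Server-side check: the secret never appears in a URL or a file name."""
    record = store.get(username)
    if record is None:
        hash_password(password, b"\x00" * 16)  # same work for unknown users
        return False
    salt, expected = record
    return hmac.compare_digest(hash_password(password, salt), expected)

def demo():
    # Constructed sample: one member page named the way the challenge names them.
    with tempfile.TemporaryDirectory() as members:
        open(os.path.join(members, "demo_user demo_pass.htm"), "w").close()
        exposed = credentials_in_filenames(members)
    store = {"demo_user": new_record("demo_pass")}
    return (exposed,
            verify_login(store, "demo_user", "demo_pass"),
            verify_login(store, "demo_user", "guess"))

if __name__ == "__main__":
    print(demo())
```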

3. Princess slag / Realistic

I clicked on the “Princess slag” button and I was taken to a new page with a link saying “here it is.”
So yeah, I clicked on the “here it is” link and was directed to a login page. Since I didn’t have any credentials yet, I had to explore alternative avenues to access the desired information. I decided to go back to the previous page to examine it more closely.
I viewed the source code and noticed a line mentioning a contact email: “Mail: princess@kingdom.far.away”. I decided to give it a try and use this email as the login credential, but unfortunately, it didn’t grant me access.
I kept searching for possible hints or vulnerabilities. I also tried modifying the URL in various ways to see if it would lead me to new information.
I decided to modify the URL by replacing a part of it. I tried changing the URL to “https://defendtheweb.net/extras/playground/princess-slag/?p=%00”.
I saw this. I continued doing some research and then I found something: “null byte injection”.
I injected the null byte character into the URL, just like this: “https://defendtheweb.net/extras/playground/princess-slag/?p=../admin.php%00”, to see if it works. Then I inspected the page source and I saw this. I guess that’s the password. Yeah, I was right.
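The request above works when a page parameter is joined into a file path and a C-string file API stops reading at the NUL byte, which drops the appended extension. The following is an added example, not code from the challenge or the original writeup: a model of that weak pattern beside a validating resolver. The `PAGES_DIR` path, the allowed name alphabet and the function names are assumptions.

```python
import os
import posixpath
import re
from urllib.parse import unquote

PAGES_DIR = "/srv/site/pages"               # constructed document root
PAGE_NAME = re.compile(r"[a-z0-9_-]{1,64}")  # assumed allowlist for page names
SAMPLE = unquote("../admin.php%00")          # the p= value from the writeup, decoded

def legacy_resolve(p):
    """Model of the weak pattern: include(PAGES_DIR + '/' + p + '.php')."""
    path = posixpath.join(PAGES_DIR, p + ".php")
    # C-string file APIs stop at the first NUL byte, so '.php' is dropped.
    path = path.split("\x00", 1)[0]
    return posixpath.normpath(path)

def safe_resolve(p):
    """Allowlist the page name, then confirm the result stays in PAGES_DIR."""
    if "\x00" in p:
        raise ValueError("NUL byte in page parameter")
    if not PAGE_NAME.fullmatch(p):
        raise ValueError("page name outside the allowed alphabet")
    base = os.path.realpath(PAGES_DIR)
    candidate = os.path.realpath(os.path.join(base, p + ".php"))
    # Defence in depth: symlinks or future alphabet changes must not escape base.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("resolved path escapes the pages directory")
    return candidate

def is_rejected(p):
    try:
        safe_resolve(p)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    print("legacy:", legacy_resolve(SAMPLE))
    print("rejected by safe_resolve:", is_rejected(SAMPLE))
    print("normal page:", safe_resolve("about"))
```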

4. Xmas ’08 / Realistic

I accessed the website and encountered three main sections: “About Santa”, “Write to Santa”, and “Top Letters”. These sections provide crucial information and functionalities for our investigation.
I started analysing the 3 sections hoping to find something. In the “Top Letters” section, three names are displayed along with view URLs. I clicked on one of the URLs and it opened a new page containing some credentials.
I navigated to the “Alternative homepage” and clicked on it. I was presented with a simple note or message.
By examining the URLs associated with form submissions, I discovered a URL like “https://defendtheweb.net/extras/playground/xmas08/mod.php?submit”. I was intrigued, so I manipulated the URL by removing the “submit” part, resulting in “https://defendtheweb.net/extras/playground/xmas08/mod.php”.
I encountered a login prompt that requires a username and password. Here, I employed a technique called SQL injection (SQLi) to bypass authentication. By inputting 'Or' '1'='1' in both the username and password fields, I tricked the system into granting me unauthorized access.
To alter the homepage, I selected “Open file” and provided the file name as “index.php”. This opens the file in an editor where we can manipulate its content.
To achieve the objective of replacing the original homepage, I deleted the existing code within the editor. Next, I copied the source code from the “Alternative Homepage” provided in the CTF challenge and pasted it into the editor. Finally, I saved the changes.
I have successfully completed the CTF challenge. The scam website that falsely claims to make children’s dreams come true is exposed!
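The login bypass in this level depends on the form values being concatenated into the SQL text. The following is an added example, not code from the challenge or the original writeup: the concatenated query beside a parameterised one, run against an in-memory SQLite table. The table, account and function names are constructed, and the tautology string is the canonical form of the input described above.

```python
import sqlite3

TAUTOLOGY = "' OR '1'='1"   # constructed sample input for both form fields

def make_db():
    # Constructed table; a real system stores a salted password hash, and the
    # plaintext column is kept only to keep the focus on query construction.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE mods (username TEXT, password TEXT)")
    db.execute("INSERT INTO mods VALUES (?, ?)",
               ("constructed_mod", "constructed_secret"))
    return db

def login_concatenated(db, username, password):
    """Weak pattern: input becomes part of the SQL grammar."""
    query = ("SELECT COUNT(*) FROM mods WHERE username = '" + username +
             "' AND password = '" + password + "'")
    try:
        return db.execute(query).fetchone()[0] > 0
    except sqlite3.OperationalError:
        return False  # unbalanced quotes produce a syntax error instead

def login_parameterised(db, username, password):
    """Bound parameters are always treated as data, never as SQL."""
    row = db.execute(
        "SELECT COUNT(*) FROM mods WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] > 0

def compare(username, password):
    db = make_db()
    try:
        return (login_concatenated(db, username, password),
                login_parameterised(db, username, password))
    finally:
        db.close()

if __name__ == "__main__":
    print("valid login:", compare("constructed_mod", "constructed_secret"))
    print("tautology:  ", compare(TAUTOLOGY, TAUTOLOGY))
    print("wrong pass: ", compare("constructed_mod", "nope"))
```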

Thank you so much for reading my writeup!

Don’t forget to share, follow and leave a comment.
