The last few days were very hectic for me because I was preparing the website for a hacking contest to be organized in my college. The website that I have built could be one of the best examples of my programming skill. Before building it I listed all the kinds of scenarios that may happen during the contest, and taking care of all of them I built this web application in ASP.NET. The website had a total of 10 levels of increasing complexity. In this article I discuss those 10 levels.
At level zero there was nothing to do. Here I put the password of the level in a comment in the HTML source of the page, so anybody who looks at the HTML source can pass this level.
Level 1 was very similar to level 0. The only difference was that instead of keeping the password in the HTML source I gave a link to the password, i.e. I kept the password in pass.txt in the current directory and wrote this information in a comment in the HTML source.
Level 2 was also a very easy level in which you need to edit the query string of the URL to advance to the next round. The level URL was like this.
You need to make it like this to advance
Level 3 was about encryption that uses the substitution cipher technique. Most people can easily get through this level.
Level 4 was about buffer overflow. You must overflow the buffer length to get an error message, which will show you the password.
Level 5 uses XOR-based encryption.
Let P be your plaintext,
C be your ciphertext (the encrypted text),
and K be your key.
C = K XOR P
which can also be written as
K = C XOR P (read about the XOR technique)
Here you can get the key by using the ciphertext and the plaintext.
This level was about breaking the secret-function-based authentication technique. You can probably understand this level by reading about the reflection attack.
This level was based on the XSS (cross-site scripting) concept. I put some information in one of the cookies so that the hacker can use that information to pass this level.
Level 8 was based on the concept of SQL injection.
You have to break my code, which was like this:
String str= "select count(*) from user where username='"+text1.text+"' and password='"+text2.text+"'";
//wrong username or password
Check what happens if I enter the following string in text1.text:
' or 1==1 ---
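The level 8 query above, next to its parameterized form, as an added example that is not the contest site's own code. It assumes an in-memory SQLite database as a stand-in for the site's database, and the table rows and function names are constructed for illustration.

```python
import sqlite3

# The string the page suggests typing into text1.text.
PAGE_INPUT = "' or 1==1 ---"


def make_db():
    """Constructed sample table; SQLite stands in for the site's database (assumption).
    Plaintext passwords are kept only to mirror the page's query."""
    db = sqlite3.connect(":memory:")
    db.execute("create table user (username text, password text)")
    db.executemany(
        "insert into user values (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2"), ("o'brien", "pw")],
    )
    return db


def login_concatenated(db, username, password):
    """Mirrors the page's query: user input is pasted into the SQL text,
    so a quote in the input changes the structure of the statement."""
    sql = ("select count(*) from user where username='" + username +
           "' and password='" + password + "'")
    return db.execute(sql).fetchone()[0] > 0


def login_parameterized(db, username, password):
    """Same query with placeholders: input is bound as data and is never
    parsed as SQL, whatever characters it contains."""
    sql = "select count(*) from user where username=? and password=?"
    return db.execute(sql, (username, password)).fetchone()[0] > 0


if __name__ == "__main__":
    db = make_db()
    for check in (login_concatenated, login_parameterized):
        print(check.__name__,
              "valid login:", check(db, "alice", "s3cret"),
              "page input:", check(db, PAGE_INPUT, "x"))
    # A legitimate name containing a quote also breaks the concatenated form.
    try:
        login_concatenated(db, "o'brien", "pw")
    except sqlite3.OperationalError as exc:
        print("concatenated query fails on o'brien:", exc)
    print("parameterized o'brien:", login_parameterized(db, "o'brien", "pw"))
```
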
This level was about the directory traversal attack.
The ASP page shows the text from the file intsruction.txt
using a URL like
Using this you can see some critical files using URLs like
Level 9 was the last level of the contest.