News

5 min reading time

Hackme results!

Our contest has ended, thanks to all for participating. There were a lot of you :-)

Gabriel and Bruno have been picked from the raffle and have been contacted. They will receive their SSD Disk shortly!

How you could have hacked the website:

The source code of the pages contains the book Moby Dick. At the end you can see the line: 'That was fun ... If only we could add some layout to the book'.

The line above points at the included CSS stylesheet styles.css. If you reformat the minified CSS, you are able to find a link to the github repository: 'https://github.com/phpro/security-workshop'.

In the github repository you can see that the image is loaded from the database, but there are no database credentials available. So the next step is to find out where the database credentials are stored.

In the commit history, you can find a commit titled 'Removed DB connection from index file.'. The changeset contains the database credentials of the server but you won't be able to connect on the port 9999.

Since you can't connect on port 9999, you'll have to find out which port is opened. This can be done with e.g. the command 'nmap hackme.phpro.be'. This will return port 9998.

At this point you will be able to connect to the database. You won't be able to read the images table but a view imagesColumns is available.

Based on the imagesColumns view you will be able to create an INSERT statement and therefore change the image on the hackme website.

Congratulations!