White Hat Institute

“Defend the Web” write-up (24 bit)

“Defend the Web” write-up (24 bit —file extension manipulation exploit 

In this particular example, we are required to extract the login details from the file that is available for us to download.

Let’s start the challenge by downloading the file and try to analyze it.

Defend the Web - 24 bit-1

Double-click on the file and see what’s inside.

Defend the Web - 24 bit-2

Based on the screenshot, it looks like it is some sort of a binary file. There are three sorts of binary files, image, sound, or text. Let’s use one of these methods to read the file. Right-click on the file and open it up with any image editor software. You can also change the extension of the file to “.jpg” and run the file.

Defend the Web - 24 bit-3

Here you go, the username and password are in plain text. Copy and paste them into the login screen to pass the challenge.

In this example, developers used a very weak steganography methodology to hide the text inside the image file. If in any case, you are planning to use this method, we suggest you use a stronger method with at least double or triple encryption techniques implemented.