OSIRIS Lab at NYU Tandon

OWASP VicNum Project

Apr 8, 2011
- prole
2 minute read

Vicnum is a training game put out by OWASP. If you play the game the first page will ask you for your name. Enter anything then hit continue. I typed ‘Name’. You should be at this URL now:

http://vicnum.ciphertechs.com/cgi-bin/jotto1.pl

Enter your five character guess and then click on the GUESS button.

This would be a good time to fire up burp.

java -jar -Xmx512m /path/to/burpsuite/burpsuite_v1.3.03.jar

Turn on intercept and type in a guess. I typed “guess”. This is what burp catches:

userguess=guess&player=Name&guess=svryq&oldguess=

There are 4 variables that the webapp passes between client and server.

userguess  (our input, "guess")
player  (me, "Name")
guess  (some weird value "svryq")
oldguess (empty).

At this point you probably want to download the source, since it is available. I cannot stress enough that when source is available the first thing to do is download it and examine it.

Black boxing should be done as a last resort!

Taking a look at jotto1.pl we see the following code:

my $guess = "" ; 
my $oldguess = "" ; 
my $randnum = 0 ;
open (fhi,"<xotto")  ;
@array = <fhi> ;
close fhi ;
$randnum = int(rand(@array)) ;
$guess = $array[$randnum] ;
$guess =~ tr/A-Za-z/N-ZA-Mn-za-m/;

Lines 1-3 are just declaring the variables we are going to use, which are guess, oldguess, and randnum. Lines 4-6 open a file named xotto and get put it into an array. Lines 7-8 grabs a random index into this array and assigns it to the variable $guess.
Line 9 is the key, if you know what it does, that’s great but even if you don’t you can explore this by just making your own perl program (test.pl):

$guess = "abcde";
$guess =~ tr/A-Za-z/N-ZA-Mn-za-m/;  #from jotto1.pl
print $guess
$ perl test.pl 
nopqr

We can surmise that that line just performs a ROT13 on the initial $guess. Going back to the burp output we see a variable named guess=svryq. If we ROT13 svryq (by simply modifying Line 1 in test.pl to $guess=”svryq”) the result is ‘field’, which is the answer.

But that is not even necessary, since the state of the game is held in the browser, one can change $guess itself. For example, set $guess=nnnnn and $userguess=aaaaa .

The second part of the challenge is to get your name on the scoreboard. This is pretty trivial as after you win you can edit the string in burp so that your player name has owasp as the prefix (this is required by the game) and that the cnt = 0.

player=owasp_isis&cnt=0&guess=nnnnn