Hacking Contest

Hi all,
Last few days were very hectic for me because I was preparing the website for hacking contest to be organized in my college. The website that I have built could be one of the best examples of my programming skill. Before building it I listed all kinds of the scenario that may happen during the contest, so in taking care of everything I have built this web application in ASP.net. Website had total 10 levels of increasing complexity. Here in this article i have discussed those 10 levels.

Level-0
At level zero it was nothing to do. Here I put the password of the level in comment of the html source of the page. So anybody who will go to see the html source can pass this level.
Level-1
Level-1 was very similar to level-0 the only difference was that instead of the keeping the password in source of html I gave the link of the password. i.e I kept the password in pass.txt in the current directory and written this information in comment of the html source.
Level-2
level-2 was also a very easy level in which u need to edit the query string of the URL to advance in the next round. The level URL was like this.
http://myhackingsite/level2.aspx?advance=no
you need to make it like this to advance
http://myhackingsite/level2.aspx?advance=yes
Level-3
level 3 was about the encryption that uses substitution cipher technique. most of the people can easily go through this level.
Level-4
it was about the buffer overflow. u must overflow the buffer length to get error message. This will show u the password.
Level-5
Level 5 uses the XOR based encryption.
let P is your plain text
and C is your cipher(encrypted text)
and K is your key.

then
C=K XOR P
which can be also written as
K= C XOR P (read xor technique)
here you can get key from using cipher and plaintext

Level-6
This level was about breaking the secret function based authentication technique. Probably you can know about this level by reading about the reflection attack.
Level-7
this level was based on the XSS (cross site scripting) concept. I have put some information in one of the cookie so that hacker can use that information to pass this level.
Level-8
the level 8 was based on the concept of SQL injection.
means
you have to break my code which was like this

String str= "select count(*) from user where username='"+text1.text+"' and password='"+text2.text+"'";
if(cmd.ExecuteScalar()>0)
{
//Authentic User
}
else
{
//wrong username or password
}
check what will happen if i will inter the following string in text1.text
' or 1==1 ---

Level-9
this level was about the directory traversal attack.
Means
ASP page shows the text from file intsruction.txt
using URL like
http://myhackingsite/level2.aspx?file=intsruction.txt
using this u can see some critical file using URLs like
http://myhackingsite/level2.aspx?file=../../../windows/system32/criticalfile.txt
level 9 was the last level of the contest