Posted in Hackthissite.org

HTS-Realistic Mission 5

Damn Telemarketers! – Realistic Mission 5

The Mission

[Screenshot: mission brief]

Essentially you need to gain access to their site to delete the numbers; however, gaining access is enough to complete the mission.

https://www.hackthissite.org/missions/realistic/5/

A pretty basic frame-based HTML website.

[Screenshot: the telemarketers' website]

Clicking the 'Database' link on the left takes you to a page showing this:

[Screenshot: password prompt on the Database page]

SQLi doesn't work on this site, so there's no point in trying. The news link, though, contains a snippet of information that points the way:

[Screenshot: the news page]

Google was grabbing links it shouldn’t be so I have taken extra precautions.

Google grabbing links means a crawler, and a crawler means robots.txt. Bingo! We visit https://www.hackthissite.org/missions/realistic/5/robots.txt and find this gem:

User-agent: *
Disallow: /lib
Disallow: /secret
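As an added example (not part of the original write-up), here is a small Python helper that turns a robots.txt body into the list of URLs worth probing. The robots.txt text in the block is a constructed copy of the three lines above. One caveat the mission quietly depends on: a real robots.txt lives at the site root and its Disallow paths are root-relative, but HTS serves this one from the mission's subdirectory, so the helper resolves the paths under the directory the file was fetched from rather than under the host.

```python
from urllib.parse import urljoin

# Constructed copy of the robots.txt shown above (not fetched live).
ROBOTS_TXT = """User-agent: *
Disallow: /lib
Disallow: /secret
"""


def disallowed_paths(text: str) -> list:
    """Return the Disallow targets from every User-agent group, in order.

    Comments (# ...) are stripped, 'Disallow:' with an empty value means
    allow-everything and is skipped, and trailing '*' / '$' wildcards are
    dropped so the result is something you can actually request.
    """
    paths = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        if field.lower() != "disallow":
            continue
        value = value.rstrip("*$")
        if value and value not in paths:
            paths.append(value)
    return paths


def candidate_urls(fetched_from: str, text: str) -> list:
    """Resolve each Disallow path relative to the directory robots.txt came from.

    For a root-level robots.txt this is the same as resolving against the host.
    For the HTS mission the file sits under /missions/realistic/5/, so '/secret'
    has to become .../realistic/5/secret, not https://host/secret; the leading
    slash is stripped so urljoin keeps the directory prefix.
    """
    return [urljoin(fetched_from, path.lstrip("/")) for path in disallowed_paths(text)]


if __name__ == "__main__":
    base = "https://www.hackthissite.org/missions/realistic/5/"
    for url in candidate_urls(base, ROBOTS_TXT):
        print(url)
```

For a production site you would pass the host root as `fetched_from`; the subdirectory handling is only there because of where HTS serves the mission.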

So let's go to https://www.hackthissite.org/missions/realistic/5/secret

We find a directory listing:

[Screenshot: directory listing of /secret]

Click on admin.bak.php and we find this: "error matching hash 178c1a98917003476f1a7f3a182c01b0"

After some investigation it's an MD4 hash (a 32-character hex digest could just as easily be MD5 or NTLM, so if one algorithm doesn't crack it, try the others). So let's go to Cain for some cracking.

[Screenshot: Cain cracking the MD4 hash]

Hash cracked! The password is '5b1da'.

Enter this and you will have completed the mission.

Posted in Hackthissite.org

HTS-Realistic Mission 4

Fischer’s Animal Products – Realistic Mission 4

The Mission

[Screenshot: mission brief]

Someone has asked you to retrieve the email addresses from the mailing list.

https://www.hackthissite.org/playlevel/4/

This is what you are faced with when opening the link in the mission blurb:

[Screenshot: Fischer's Animal Products website]

Nothing special here, and no point in playing around with the mailing list. Clicking any of the product links has the same outcome; for this exercise we'll click on 'Fur Coats!'

[Screenshot: the Fur Coats product page]

I'm sure the coats are nice and warm, so let's check out the link.

https://www.hackthissite.org/missions/realistic/4/products.php?category=1

Originally I wasted a lot of time on this challenge. A UNION SELECT is needed to pull the email addresses, because they are stored in a different table from the products. The injected SELECT has to return the same number of columns as the products query, which is why the payload pads the single email column with NULLs. Appending the statement to the URL gives you what you are looking for:

https://www.hackthissite.org/missions/realistic/4/products.php?category=1 UNION ALL SELECT NULL, *, NULL, NULL FROM email

I tried several versions of this statement before landing on one that worked, and spent a long time on it. You should see this screen when you enter the statement above:

[Screenshot: the UNION SELECT result listing the email addresses]

Copy the emails into a text file and use the HTS private message function to send the list to 'SaveTheWhales'. Only after you do this part will you complete the challenge.
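To make the column-count trial and error concrete, here is an added Python example (not code from the write-up or from HTS) that rebuilds the mistake with an in-memory SQLite database. The schema, product rows and addresses are constructed: a four-column products query and a single-column email table, so the page's payload lines up. It shows the ORDER BY probe that finds the column count, the payload pulling addresses out through the products listing, and the parameterised query that shuts it down.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed schema and rows, chosen so the write-up's payload fits:
    the products query returns four columns and the email table has one."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products (id INTEGER, name TEXT, description TEXT,
                               price REAL, category INTEGER);
        INSERT INTO products VALUES
            (1, 'Fur coat', 'Warm', 299.0, 1),
            (2, 'Fur hat', 'Snug', 49.0, 1),
            (3, 'Leather belt', 'Plain', 19.0, 2);
        CREATE TABLE email (address TEXT);
        INSERT INTO email VALUES ('alice@example.com'), ('bob@example.com');
        """
    )
    return conn


def products_vulnerable(conn, category: str):
    """The category parameter is pasted straight into the SQL: this is the bug."""
    sql = f"SELECT id, name, description, price FROM products WHERE category={category}"
    return conn.execute(sql).fetchall()


def products_safe(conn, category):
    """Same query with a bound parameter; the value can never become SQL."""
    sql = "SELECT id, name, description, price FROM products WHERE category=?"
    return conn.execute(sql, (category,)).fetchall()


def count_columns(conn, max_cols: int = 20) -> int:
    """ORDER BY n probing: the smallest n that errors is one past the column count."""
    for n in range(1, max_cols + 1):
        try:
            products_vulnerable(conn, f"1 ORDER BY {n}")
        except sqlite3.OperationalError:
            return n - 1
    raise RuntimeError("column count exceeds max_cols")


# The write-up's payload: NULL padding makes the UNION's column count match.
PAYLOAD = "1 UNION ALL SELECT NULL, *, NULL, NULL FROM email"


def leaked_emails(conn) -> list:
    """Email rows come back alongside the products; the address lands in the
    second column, where the product name normally sits."""
    rows = products_vulnerable(conn, PAYLOAD)
    return sorted(row[1] for row in rows if row[0] is None)


if __name__ == "__main__":
    db = build_db()
    print("columns:", count_columns(db))        # 4
    print("leaked:", leaked_emails(db))         # ['alice@example.com', 'bob@example.com']
    print("safe:", products_safe(db, PAYLOAD))  # []
```

The probe is what saves the guessing: once you know the query returns four columns, the only remaining question is where to put the one column you actually want.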

Posted in Hackthissite.org

HTS-Realistic Mission 3

Peace Poetry – Realistic Mission 3

Mission brief

[Screenshot: mission brief]

Someone has defaced a little girl's poetry page. You have been asked to return it to its original state.

https://www.hackthissite.org/missions/realistic/3/

[Screenshot: the defaced site]

Some pretty wild edits for a little girl's web page, so let's see what we can find. 'View Source' doesn't reveal anything; however, opening 'Inspect Element' in Chrome reveals this snippet:

[Screenshot: the HTML comment found with Inspect Element]

Looks like we have a hacker with a conscience. Excellent. Now we have the old HTML file, which reveals the original site at

https://www.hackthissite.org/missions/realistic/3/oldindex.html

[Screenshot: the original site at oldindex.html]

Two links: Read the Poetry and Submit Poetry. Visiting 'Submit Poetry' lets us do just that. Natural real-world testing gives us a hint about how this site was hacked, and how we can fix it.

The 'Submit Poetry' page says:

Use this form to submit a poem to the website. You do not have to be the author, but if you use someone else’s poetry, please give credit where credit is due. Thanks!

Note: Poems will be stored online immediately but will not be listed on the main poetry page until it has a chance to be looked at.

After digging around and testing a few things, I realised that a submitted poem is written straight to a new page on the server, the clue being the note above.

[Screenshot: the Submit Poetry form filled in]

Copy the HTML from oldindex.html, paste it into the 'Poem:' text box, enter '../index.html' in the 'Name of Poem:' field, hit 'Add Poem' and you will be told you have completed the mission.

Why did this work?

By submitting a poem whose body is the HTML of oldindex.html and whose name is '../index.html', we use directory traversal to overwrite the defaced index.html. The server uses the poem name as a file name, so '../' walks up one level from the poems directory and the file is written as index.html there, replacing the defaced copy. This is presumably how the page was defaced in the first place.
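As an added example, not code from the write-up or from HTS, the Python below reproduces the poem handler in a temporary directory: a vulnerable version that uses the submitted name as the file name, and a hardened one that allow-lists the name, appends the extension itself, confirms the resolved path still sits inside the poems directory, and refuses to overwrite existing files. The site tree, file names and contents are constructed for the demo.

```python
import os
import re
import tempfile


class PoemStoreError(Exception):
    """Raised when a poem name is rejected."""


def save_poem_vulnerable(poems_dir: str, name: str, body: str) -> str:
    """Mirrors the bug: the user-supplied name becomes the file name as-is.

    '../index.html' walks out of poems_dir and overwrites the site's index;
    an absolute name would make os.path.join discard poems_dir entirely.
    """
    path = os.path.join(poems_dir, name)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(body)
    return os.path.realpath(path)


_SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def save_poem_hardened(poems_dir: str, name: str, body: str) -> str:
    """Allow-list the name, append the extension ourselves, and confirm the
    final real path still sits inside poems_dir before writing.  'x' mode
    refuses to overwrite anything that already exists."""
    if not _SAFE_NAME.match(name):
        raise PoemStoreError(f"rejected poem name {name!r}")
    root = os.path.realpath(poems_dir)
    path = os.path.realpath(os.path.join(root, name + ".html"))
    if os.path.dirname(path) != root:
        raise PoemStoreError(f"{path!r} escapes {root!r}")
    with open(path, "x", encoding="utf-8") as fh:
        fh.write(body)
    return path


def run_demo() -> tuple:
    """Builds a throwaway site tree (constructed, in a temp dir), defaces
    index.html, then shows the traversal restoring it through the vulnerable
    handler and being refused by the hardened one."""
    original = "<h1>Peace Poetry</h1>"
    with tempfile.TemporaryDirectory() as site:
        poems = os.path.join(site, "poems")
        os.mkdir(poems)
        index = os.path.join(site, "index.html")
        with open(index, "w", encoding="utf-8") as fh:
            fh.write("<h1>HACKED</h1>")

        save_poem_vulnerable(poems, "../index.html", original)
        with open(index, encoding="utf-8") as fh:
            restored = fh.read()

        try:
            save_poem_hardened(poems, "../index.html", original)
            blocked = False
        except PoemStoreError:
            blocked = True

        kept = save_poem_hardened(poems, "peace", "<p>...</p>")
        return restored, blocked, os.path.relpath(kept, os.path.realpath(site))


if __name__ == "__main__":
    print(run_demo())  # ('<h1>Peace Poetry</h1>', True, 'poems/peace.html')
```

The realpath check is the belt to the regex's braces: even if the allow-list were loosened later, a name that resolves outside the poems directory still fails before anything is written.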

Posted in Hackthissite.org

HTS-Realistic Mission 2

Chicago American Nazi Party – Realistic Mission 2 

https://www.hackthissite.org/playlevel/2/

On visiting the link above you will see the mission text.

[Screenshot: mission brief]

You need to gain access to their admin page in order to complete the mission. When you visit the link to their website you will see there isn’t a lot going on. Just a page.

[Screenshot: the website]

Not for the easily offended. With no links to go anywhere, it's not immediately apparent what we can do here, so, as always: Right click > View Source.

Reviewing the site's source, you will see this:

[Screenshot: the page source with the hidden admin link]

As you can see, there seems to be a hidden page. Wonderful. Let's go there.

[Screenshot: the admin login prompt]

A standard login prompt. Trying the usual default admin logins is useless, as you are met with a lovely message I won't be posting here; however, we don't always need valid credentials. I suspect this could be vulnerable to SQL injection.

[Screenshot: the SQL injection entered in the login form]

Good old ' OR 1=1 -- works in this instance. You are redirected to the HTS page where you are told you have completed the mission. What? So I can't deface the website? Oh well.

Why did this work?

Quite often web admins leave useful snippets in HTML comments, such as pages that aren't linked from the site itself. Always view source. The simple SQL injection string bypasses the need for real credentials because the login is running something like this in the background:

SELECT * FROM users WHERE username='<user>' AND password='<pass>';

Our ' OR 1=1 -- entry in the username field changes the shape of that statement:

SELECT * FROM users WHERE username='' OR 1=1 -- ' AND password='<pass>';

The double dash starts an SQL comment, so everything after it, including the password check, is ignored (in MySQL the dashes must be followed by a space for this to work). What's left is "select every row from users where 1=1", which is always true, and the application logs you in as whichever row comes back first. That is usually the admin account, because it tends to be the first one created.
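The query rewriting above, as an added Python example that is not part of the original post. It runs the flawed login against a constructed in-memory SQLite users table (placeholder passwords, stored in plaintext only to keep the focus on the query), shows the exact string the database receives, and puts the parameterised version beside it. It also goes one step past the page's payload: commenting out the rest of the statement after a real username ("bob' -- ") logs in as that specific account rather than whichever row happens to come first.

```python
import sqlite3


def build_users() -> sqlite3.Connection:
    """Constructed users table; the passwords are placeholders, stored in
    plaintext only to keep the example about the query (never do this)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO users (username, password) VALUES
            ('admin', 'constructed-admin-pw'),
            ('bob', 'constructed-bob-pw');
        """
    )
    return conn


def vulnerable_query(username: str, password: str) -> str:
    """The string the flawed login sends to the database."""
    return (f"SELECT username FROM users "
            f"WHERE username='{username}' AND password='{password}'")


def login_vulnerable(conn, username: str, password: str):
    """Returns the username the application will treat as logged in, or None."""
    row = conn.execute(vulnerable_query(username, password)).fetchone()
    return row[0] if row else None


def login_safe(conn, username: str, password: str):
    """Bound parameters: the quote and the comment marker are just data."""
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_users()
    tautology = "' OR 1=1 -- "
    print(vulnerable_query(tautology, "anything"))
    print(login_vulnerable(db, tautology, "anything"))   # admin (first row wins)
    print(login_vulnerable(db, "bob' -- ", "anything"))  # bob (targeted account)
    print(login_safe(db, tautology, "anything"))         # None
```

Note the trailing space after the dashes in both payloads; SQLite doesn't need it, but MySQL does, and including it costs nothing.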

Posted in Hackthissite.org

HTS-Realistic Mission 1

Uncle Arnold’s Local Band Review – Realistic Mission 1

On opening the link (https://www.hackthissite.org/playlevel/1/) you are met with a task:

[Screenshot: mission brief]

Change the outcome of the vote, so that your band can win the bet.

Clicking through to the voting page shows that your band is rock bottom of the voting system. Not good!

[Screenshot: the voting page]

So how do we change the votes?
Right click the 'Vote!' button and select 'Inspect', and you will see this code snippet appear at the bottom of the browser window:

[Screenshot: the vote form's option elements in Inspect]

We're interested in the <option value="5">5</option> element (the "== $0" after it is just DevTools marking the selected node, not part of the page). We could change any of the other option values just as well; let's pick 5 for the time being.

Change the value in quotes from 5 to a much higher number like 9999.

[Screenshot: the option value changed to 9999]

Clicking back onto the page makes the edited node flash briefly as DevTools applies the change. Now all you have to do is choose '5' in the vote dropdown and submit.

[Screenshot: voting 5 with the tampered value]

You will be redirected to the HTS page to alert you that you have completed the mission.

Why did this work?

You altered the value attribute in the client-side form, so when the form was submitted via POST the web server accepted 9999 as a legitimate vote. In a real scenario you would expect the server to validate the POST data against the choices it actually offered (1 to 5), or to compute the score itself rather than trusting a number from the browser. Here it did neither, so the tampered value went straight in.
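What that server-side check looks like, as an added Python example that is not the mission's code: a handler that trusts the posted number beside one that validates it against the server's own list of bands and offered scores. The form field names 'band' and 'score', the band list and the POST bodies are all assumptions constructed for the demo; the write-up does not show the real form fields.

```python
from urllib.parse import parse_qs

# The dropdown offers scores 1 to 5; anything else is a tampered form.
ALLOWED_SCORES = {str(n) for n in range(1, 6)}
# Constructed band list; the field names 'band' and 'score' are assumptions,
# since the mission's real form fields are not shown in the write-up.
BANDS = {"1": "Band A", "2": "Band B", "3": "Our band"}


def parse_form(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded POST body to single values."""
    return {k: v[0] for k, v in parse_qs(body, strict_parsing=True).items()}


def record_vote_vulnerable(tally: dict, body: str) -> dict:
    """What the mission's server effectively did: trust whatever number arrived."""
    form = parse_form(body)
    band = form["band"]
    tally[band] = tally.get(band, 0) + int(form["score"])
    return tally


def record_vote_hardened(tally: dict, body: str) -> dict:
    """Validate against the server's own notion of the form, not the client's."""
    form = parse_form(body)
    band = form.get("band")
    score = form.get("score")
    if band not in BANDS:
        raise ValueError(f"unknown band {band!r}")
    if score not in ALLOWED_SCORES:  # exact string match: no '9999', '5.0', ' 5', '05'
        raise ValueError(f"score {score!r} is not one of the offered choices")
    tally[band] = tally.get(band, 0) + int(score)
    return tally


def run_demo() -> tuple:
    """Constructed POST bodies: the tampered <option value="9999"> and an honest vote."""
    tampered = "band=3&score=9999"
    honest = "band=3&score=5"
    naive = record_vote_vulnerable({}, tampered)
    try:
        record_vote_hardened({}, tampered)
        rejected = False
    except ValueError:
        rejected = True
    checked = record_vote_hardened({}, honest)
    return naive["3"], rejected, checked["3"]


if __name__ == "__main__":
    print(run_demo())  # (9999, True, 5)
```

Matching the score as an exact string against the offered set is deliberately stricter than parsing it as an integer and range-checking: it also rejects things like '05' or '5.0' that int() would happily accept.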