Hack This Site - Basic Missions 1-11

May 21, 2014

A few days ago, I registered at hackthissite.org believing that I could accomplish anything the developers threw at me. I was wrong, of course. The basic missions are, well, basic. The realistic missions are a little more--how should I say--realistic. ;) Lucky enough for me, I have a very experienced and knowledgeable friend who has helped me learn most of what I didn't already know. And that is my goal here: to give a push in the right direction to anyone who wants to learn.

Also, I'd recommend getting Firefox or Chrome for the add-ons/extensions. My personal favorite is Firefox, but either of them will do.

The basic missions on hackthissite.org are relatively simple for anyone experienced in information technology. However, everyone has to start somewhere, so it's just as important to explain these basic missions and methods in depth. They are the foundation.



Hack This Site Basic Mission 1 (The Idiot Test): Source Code - A Comment




I've done enough of these missions from various sites before and know that they almost always start with a basic source code solution. Also, notice the hint below the submit button, "you must learn HTML." You don't really need to know every bit of HTML code syntax. But if you know enough, it reads just like a book. 

If I were just beginning, I would learn a scripting language. Most people starting out believe that they need extensive knowledge of the language. However, the most important part of learning a new language is understanding how its pieces function, not memorizing what each one does. For example, you may not understand:

<script>
// Look up two elements on the page by their id attribute and replace their contents.
function myFunction() {
    document.getElementById("myPar").innerHTML = "Hello World.";
    document.getElementById("myDiv").innerHTML = "You're so big!";
}
</script>


but you can understand that document.getElementById looks up an element on the page, and that assigning to its innerHTML property replaces what that element contains. After learning this, you can just look up any built-in function you don't know. Most functions you might want to write yourself have already been written. It's pretty easy.

Also, it is important to understand that opening up the source code or developer console is always the first step in looking for a vulnerability.

Let's take a peek at the source code by right-clicking anywhere on the page and selecting "View Page Source."


When it first opens, it may look like a mess, but you need not worry! The bulk of what you want to find--what you should be focusing on--is the form's code! If you squint and look closely, there is a comment right above the form source that just gives you the answer. How easy!

Pop the password in the field, and feel good about yourself. This hacking stuff is EZ.

Hack This Site Basic Mission 2: Source Code - No File, No Password


In the second mission, we're given a blurb about some poor fellow, whose actual name is Network Security Sam, who thinks he is a 1337 hacker because he created a script that grabs a password from a text file elsewhere on his server.


It seems Network Security Sam is a space case: he forgot to upload the file with the password. If there isn't a text file, there isn't a password. Just hit Enter. Another brain teaser from hackthissite.



Hack This Site Basic Mission 3: Source Code - Password.php


Sam must have noticed his missing file and has uploaded it. However, there are other issues...



The first step for these exercises should always be to look at the source code! So right-click, view source, and scroll down to find:


Pay close attention to where your information is submitted. Looks like it's going to the password.php file. Let's check it out. Hey look, it's the password! On to the next...



Hack This Site Basic Mission 4: Send Yourself an Email.



Sam now has the password locked away within a script. Too bad he has a terrible memory. Again, let's check the source code. Find the code for the form, which is always a good place to start, because it is where we get to send our own information to the server... The form's code looks like:



Hmm. Here the form carries Sam's email address in the code as the recipient. Well, what if we put our own email address there? Would it send it to us? Well, yes, yes it would. If you're running Firefox or Chrome, open up the developer console by pressing SHIFT+CTRL+K. It allows you to edit the HTML of the webpage in real time. Scroll down and find the source for the form again. Double-click his email address, change it to your own, and hit "send password to Sam." This will then send you the password, theoretically. However, you must actually enter your hackthissite account email.



Pat yourself on the back, you're on your way to becoming a 1337 h@x0r.


Hack This Site Basic Mission 5: Same as above?


From now on, we'll use the developer console instead of looking at the source directly. Frankly, the dev console organizes it so well that you don't need to have an entire page of code open all at once. Anyway, let's look at the level screen:


Here it says that Sam, still reluctant to use his brain, has decided to keep the program that emails his password to him. Apparently, he believes it's more secure. Let's find out. Open up the developer console and look at it. Damn. I honestly don't see anything different. Again, just put in your email and hit send.
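The reason the email trick works in missions 4 and 5 is that the recipient is chosen by the page the browser sends back, not by the server. Below is an added example, not code from hackthissite or from the post, contrasting that pattern with the fix: the server ignores whatever the form says about the recipient and looks up the address stored for the logged-in account. ACCOUNTS is a constructed stand-in for the site's user table and the addresses are placeholders.

```python
from typing import Dict, Optional

# Added example (not hackthissite's code): two ways a "send me my password"
# handler can pick its recipient. ACCOUNTS stands in for the site's user
# table and is constructed; every address here is a placeholder.

ACCOUNTS: Dict[str, str] = {"sam": "sam@example.invalid"}   # constructed


def recipient_from_form(form: Dict[str, str]) -> str:
    """Vulnerable pattern (missions 4 and 5): the address lives in the HTML
    form, so whoever edits the page in the dev console chooses where the
    mail goes."""
    return form["to"]


def recipient_from_account(session_user: str, form: Dict[str, str]) -> Optional[str]:
    """Hardened pattern: ignore anything the client sent about the recipient
    and use the address stored for the logged-in account. The form argument
    is accepted only to make the point that it is never consulted."""
    return ACCOUNTS.get(session_user)


def suspicious_submission(session_user: str, form: Dict[str, str]) -> bool:
    """Detection: a 'to' field that disagrees with the account on file means
    the form was edited before submission and is worth logging."""
    return form.get("to") not in (None, ACCOUNTS.get(session_user))


if __name__ == "__main__":
    edited = {"to": "visitor@example.invalid"}      # constructed edited form
    print(recipient_from_form(edited))               # visitor@example.invalid
    print(recipient_from_account("sam", edited))     # sam@example.invalid
    print(suspicious_submission("sam", edited))      # True
```

The hardened handler still needs a server-side notion of who is logged in (a session), which is exactly what Sam's page lacks; without it there is nothing to look the address up by.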



Hack This Site Basic Mission 6: Decryption



Here Sam has encrypted his password. Lucky for us, we have his encrypted password and the encryption method he uses. Let's see what the encryption does when we put "abcd" into it. The output is:

The first character never changes, so we can assume that the first character in his encrypted password is, in fact, "f." The second letter, b, has turned into c, then c into e, and lastly d into g. Looks to me like Sam's encryption just moves each character along a list of characters, adding 1 to the second character, 2 to the third, 3 to the fourth, and so on.



If you look at Sam's password, however, it has a colon and an equal sign. So let's look up the order of the ASCII characters:
(Table credit goes to asciitables.com.)

The second character in his password is the colon. That means the index of the colon minus 1 will be the index of the second decrypted character. Looking at our table, that is a 9. So far Sam's password is f9. Easy.
The next character is at the index of "f" minus 2. Look 2 places above the "f" in the table and you have your next letter, "d." Next, the index of "9" minus 3, which is 6. Finish decrypting and move on to Mission 7!


Hack This Site Basic Mission 7: Running Unix Commands On Server





This mission is where the real vulnerabilities begin to show themselves. Here Sam has obscured his password and put it in a file in the same directory. He is also a Unix/Linux noob who has just discovered how to run the script cal.pl (a classic example in computer security). Lucky for us, this will be our way in.

Check the source, as is common practice, but nothing there helps with the password. So turn your attention to cal.pl. When Sam calls cal.pl from his website, he is actually running a Unix command on the server. In Unix you can chain commands together with the && operator, so his form makes it possible to run cal.pl && ls (ls being the Unix command that lists the files in a directory). Just type && ls in the form and you get this:


And it spits out the directory listing. Hey, looky here, this k1kh31b1n55h.php looks mighty peculiar. Open it up to find the password.
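What makes && ls work is that the form value is pasted into a command string and handed to a shell, which treats && as a separator. The following is an added example, not the site's cal.pl: it shows that pattern next to the hardened version, which allow-lists the input (a year and nothing else) and passes it to the calendar program as a separate argument with no shell involved, plus a small detection helper for request logs. The cal command is the Unix calendar program the script wraps; the vulnerable string is built but never executed.

```python
import re
import subprocess
from typing import List

# Added example (not the site's cal.pl): the two ways a web script can hand a
# form value to a calendar program. The first is the pattern this mission
# relies on; the second is the hardened form. 'cal' is the Unix calendar
# command the script wraps.

YEAR_RE = re.compile(r"[0-9]{1,4}")


def vulnerable_command(user_input: str) -> str:
    """Builds the shell string the vulnerable script would run. Because the
    form value is glued onto the command and given to a shell, '&& ls' turns
    one command into two. Returned as text here, never executed."""
    return "cal " + user_input


def is_allowed(user_input: str) -> bool:
    """Allow-list check: only a plain year, nothing else, gets through."""
    return YEAR_RE.fullmatch(user_input) is not None


def safe_argv(user_input: str) -> List[str]:
    """Hardened form: validate, then pass the value as its own argv element
    so no shell ever parses it."""
    if not is_allowed(user_input):
        raise ValueError(f"rejected form input: {user_input!r}")
    return ["cal", user_input]


def run_safe(user_input: str) -> str:
    """Run the calendar without a shell (subprocess defaults to shell=False)."""
    return subprocess.run(safe_argv(user_input), capture_output=True,
                          text=True, check=True).stdout


def looks_like_injection(user_input: str) -> bool:
    """Detection helper for request logs: shell metacharacters in a field
    that should only ever hold a year."""
    return any(ch in user_input for ch in "&|;`$(){}<>\n")


if __name__ == "__main__":
    print(vulnerable_command("&& ls"))        # cal && ls  (two commands)
    print(looks_like_injection("&& ls"))      # True
    print(safe_argv("2014"))                  # ['cal', '2014']
    print(is_allowed("2014 && ls"))           # False
```

Passing an argument list instead of a string is what removes the shell from the picture; the allow-list is the second layer, so that even a value the program would accept cannot carry anything but a year.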



Hack This Site Basic Mission 8: SSI (Server Side Include)



Let's take a look:
At first glance we know a) the password is unencrypted, b) the file is stored in the directory /8/ (same as our form), and c) Sam's daughter is ruining his security. You can look at the source or just check what Sam's daughter's script is doing. Let's just test it for now.


Here Stephanie's script runs in the directory /8/ and then posts the .shtml file to a tmp directory. An .shtml extension is usually a good sign that there is an SSI exploit, because .shtml pages are processed on the server before they are sent. This lets you run your code on their server. Let's test it out:




Looks like it's vulnerable. If it weren't, the file would return <!--!. This Server Side Include allows us to run our own code on their server before her script runs, which lets us change the output. Just like in the last mission, we need to run the ls command to list possible directories and files. So let's see what it spits out:




What do you know--it displays each .shtml file that has been created within the directory /tmp/. The password file is in a different directory, however, so we need to use a technique called Directory Traversal. In Linux and Unix, "../" refers to the parent directory. We will use it in our SSI to navigate back from /tmp/ into /8/. We still need to list the files in the parent directory, so we use "ls ../"


Open up the inconspicuous php file and there is your password!


Hack This Site Basic Mission 9: More Directory Traversal


Sam seems to think that having an unencrypted password in a text file on the server is a GOOD idea. Well, he's wrong, of course. Especially when we know of somewhere else on the site where we can use SSI... Anyway, he's put it in the /9/ directory.

If you test the password input for SSI, you get nothing in return. So think back. How can we get to the /9/ directory if not from that password input? Well, everything on a server is connected. So if you can traverse from /tmp/ to /8/ in the other mission, you could possibly traverse from /tmp/ to /9/. Let's go back to mission 8 and see what we can do.



Here I use the ls command and traverse up from the /tmp/ directory to the /basic/ directory and then down into /9/. The listing, which includes the password file for mission 9, is then posted in /8/tmp/. You're done!
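Missions 8 and 9 both come down to Stephanie's script doing two things without checks: writing whatever the visitor typed into a page that the server will process for SSI directives, and building file paths that can contain "../". Below is an added example, not Stephanie's script and not code from the post, of the hardened version of that job: it flags SSI directives in submitted text for logging, HTML-escapes the text so the SSI processor never sees a directive, and refuses any filename that is not a plain name or would resolve outside the tmp directory. The directory names are assumptions and the demo writes to a scratch directory it creates itself.

```python
import html
import os
import re
import tempfile
from typing import List, Optional

# Added example (not Stephanie's script): a hardened version of the job her
# script does, taking a name and some text from a form and writing an .shtml
# page under a tmp directory. It addresses both things missions 8 and 9 rely
# on: SSI directives inside the submitted text, and "../" in paths. Directory
# names are assumptions.

SSI_DIRECTIVE = re.compile(r"<!--\s*#\s*(\w+)")
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,32}")


def find_ssi_directives(text: str) -> List[str]:
    """Detection: names of SSI directives (exec, include, echo, ...) in text."""
    return [m.group(1).lower() for m in SSI_DIRECTIVE.finditer(text)]


def neutralize(text: str) -> str:
    """Mitigation: HTML-escape so '<!--#' becomes '&lt;!--#' and the SSI
    processor never sees a directive, whatever the visitor typed."""
    return html.escape(text, quote=True)


def safe_join(root: str, name: str) -> Optional[str]:
    """Resolve root/name and return it only if it is still inside root, so a
    name containing '../' cannot reach /basic/9/ from /basic/8/tmp/."""
    root_abs = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_abs, name))
    if os.path.commonpath([root_abs, candidate]) != root_abs:
        return None
    return candidate


def write_user_page(root: str, name: str, body: str) -> Optional[str]:
    """Write the escaped body to root/<name>.shtml. Returns the path written,
    or None if the name is not a plain filename or would leave root."""
    if SAFE_NAME.fullmatch(name) is None:
        return None
    path = safe_join(root, name + ".shtml")
    if path is None:
        return None
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("<p>" + neutralize(body) + "</p>\n")
    return path


def demo() -> dict:
    """Run the checks against a scratch directory with constructed inputs."""
    root = tempfile.mkdtemp()
    submitted = 'hello <!--#exec cmd="ls ../" -->'   # constructed input
    rejected = write_user_page(root, "../9/password", "anything")
    written = write_user_page(root, "stephanie", submitted)
    with open(written, encoding="utf-8") as fh:
        content = fh.read()
    return {
        "directives_seen": find_ssi_directives(submitted),
        "rejected_traversal": rejected is None,
        "written_inside_root": written.startswith(os.path.realpath(root)),
        "content": content,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Escaping is the fix that matters most here: once the submitted text can no longer contain a live directive, it no longer matters what the SSI processor is allowed to do. The path check is defence in depth, and checking the resolved path against the root (rather than just searching for "../") also catches encoded or absolute-path variants.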



Hack This Site Basic Mission 10: Cookie, Cookie!


There is a good lesson in this mission that is very important to learn. Let's first take a look at the submit page:
Wow, not very much information. However, if you go to the /basic/ page, there is a hint that you need to use JavaScript. There are a few ways to do this, but the easiest, in my opinion, is through the developer console. So open 'er up (CTRL+SHIFT+K).


When you open the dev console you'll probably end up in the Inspector tab, which shows the source. Let's go over to the Console. The console lets us run our own scripts against the page. Here I've looked at the cookie we've been assigned on index.php.


Pay no mind to level10.authorized=yes. It wasn't on purpose. But when you type in document.cookie, it will show you the contents of the cookies the site has set for you, alongside your PHPSESSID (your session identifier). The level10_authorized=no seems obvious. Type in:
This will set level10_authorized to yes and give us authorization to get into the next page! Just click submit and you're done.

Hack This Site Basic Mission 11: Elton John



So there is one big, important clue here. "Unfortunately he does not understand Apache." Let's click the link and see what we get:



Each time I click the Basic 11 link, it sends me to a nearly empty page. The first thing I did was look at the source. There was nothing there except a comment that they have their own directory of music...



So let's try guessing directories. I tried /eltonjohn/, /ej/, /elton/, and finally arrived at /e/.
We find that the /e/ directory exists and gives us a directory listing, which leads to:

The directory ends there. When a directory is hidden on an Apache server, the rule hiding it lives in the .htaccess file of the directory that is trying to hide it. Let's try:


Woo! So .htaccess is telling us that the directory DaAnswer is hidden within the /n/ directory. So let's go to /DaAnswer/ and we get:
"The answer is easy! Just look a little harder," it says. So let's check index.php, a common file that calls the functions for most other pages (much like a main() function in programming). Let's check from the main page for mission 11, directory /11/. It brings us:


What do you think the password is?

That's it, you did it! The next step is the realistic missions, where we will continue progressing our 1337 sk1||z.


-Ian

