MiniCTF: Security Challenge I

May 22, 2014

MiniCTF Security Challenge I: We Love Apache

 I switched over from HTS (Hack This Site) to MiniCTF because I cannot access the website right now... In my opinion you can learn much more from MiniCTF than HTS, anyway. I hate going out of order, but for now I'm going to go over the MCTF challenges and come back to HTS later.

First, we're greeted with this page:




There isn't much to look at, but explore the page anyway. Click the Home link to see this:




This means that index.php includes whatever file is named in the "page" parameter, so we can reach another directory through "index.php?page=???" by putting the path we want in place of the "???". We probably want to get to the directory where the admin area is...

Check the source to see where the admin link goes to:






This points to an Apache server. Apache protects directories with two files: .htaccess says who is allowed to see a directory, and .htpasswd holds the username:password entries for it. It's important to note here that .htaccess usually sits inside the folder it protects, so let's try some traversal:

http://damo.clanteam.com/sch1/index.php?page=admin/.htaccess



Equally important to remember: ALWAYS look at error messages.

They are a good sign. The part of this error that matters to us is this: "Failed opening 'admin/.htaccess.php'". The script appends ".php" to whatever we supply, so we land on .htaccess.php instead of the .htaccess we want. To end the include path before the appended ".php", we need to put a NULL byte () at the end of our URL, like this:




Which sends us here:





Awesome! This tells us where .htpasswd is located: hiddenfoldersch1/.htpasswd. The include is resolved relative to the /sch1/ directory, so our new include path has to step back up one directory and then into /hiddenfoldersch1/. Like this: index.php?page=../hiddenfoldersch1/.htpasswd
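The whole chain above (a page parameter concatenated straight into an include, ".php" appended, a NULL byte to cut it off, and "../" to walk out of the web root) comes from one missing check on the server side. The following is an added example, not code from the write-up or from the challenge site: a hardened page router in Python that shows, side by side with the naive concatenation, how each of those requests would be refused. The directory layout, page names and the .htpasswd line it creates are constructed for the demo; the AuthUserFile directive is Apache's real way of pointing .htaccess at a password file.

```python
"""Hardened replacement for an `include($_GET['page'] . '.php')` style router.

Added example (not the challenge's code).  The page names, directory layout
and candidate inputs below are constructed for illustration.
"""
import os
import re
import tempfile

# Only names on this allowlist may ever be included.
ALLOWED_PAGES = {"home", "about", "contact"}
# A page name is a short plain identifier: no '/', no '.', no NUL.
PAGE_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")


def naive_include_path(page: str) -> str:
    """What the vulnerable router effectively does: trust the parameter and
    append '.php'.  Shown only so the 'admin/.htaccess.php' error makes sense;
    never use this."""
    return page + ".php"


def safe_page_path(page: str, pages_dir: str):
    """Return the absolute file to include, or None if the request is refused.

    Four independent checks; any one of them alone blocks the traversal:
      1. reject embedded NUL bytes (the null-byte truncation trick);
      2. reject anything but a short plain identifier (no '/', '..', '.');
      3. require the name to be on an explicit allowlist;
      4. after resolving symlinks, require the file to still live in pages_dir.
    """
    if "\x00" in page:
        return None
    if not PAGE_NAME_RE.fullmatch(page):
        return None
    if page not in ALLOWED_PAGES:
        return None
    base = os.path.realpath(pages_dir)
    candidate = os.path.realpath(os.path.join(base, page + ".php"))
    if os.path.dirname(candidate) != base:
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


def make_demo_site() -> str:
    """Build a throwaway tree that mimics the challenge layout (constructed;
    nothing here is the real site).  Returns the pages directory."""
    root = tempfile.mkdtemp(prefix="minictf-demo-")
    pages = os.path.join(root, "sch1")
    hidden = os.path.join(root, "hiddenfoldersch1")
    os.makedirs(os.path.join(pages, "admin"))
    os.makedirs(hidden)
    for name in ALLOWED_PAGES:
        with open(os.path.join(pages, name + ".php"), "w") as fh:
            fh.write("<?php echo '%s'; ?>\n" % name)
    with open(os.path.join(pages, "admin", ".htaccess"), "w") as fh:
        fh.write("AuthUserFile ../hiddenfoldersch1/.htpasswd\n")
    with open(os.path.join(hidden, ".htpasswd"), "w") as fh:
        # placeholder entry, not a real hash
        fh.write("admin:$apr1$EXAMPLE$placeholder-not-a-real-hash\n")
    return pages


def check_requests(pages_dir: str) -> dict:
    """Run the same inputs through both routers so the difference is visible.
    Maps each input to (naive result, hardened result)."""
    inputs = [
        "home",
        "admin/.htaccess",
        "admin/.htaccess\x00",
        "../hiddenfoldersch1/.htpasswd",
        "../hiddenfoldersch1/.htpasswd\x00",
    ]
    return {p: (naive_include_path(p), safe_page_path(p, pages_dir)) for p in inputs}


if __name__ == "__main__":
    for req, (naive, safe) in check_requests(make_demo_site()).items():
        print(repr(req), "->", "naive:", naive, "| hardened:", safe)
```

The allowlist is the check that actually matters: with it in place the other three are defence in depth, but they cost nothing and catch the cases where someone later widens the allowlist to a pattern or a directory listing.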

This brings us here:


There it is! The username and hash. We're not quite done yet because we have to crack the hash. Look at the first third of the hash: it tells us which hashing scheme is in use, and $apr1 is Apache's MD5-based scheme. The second $...$ field is the salt, a random value mixed into the hash so that identical passwords do not produce identical hashes. I first went to Crack Station to try to crack the hash, but apparently they don't crack salted hashes. As an alternative I used hashcat. In my experience it is the best hash cracker out there, but you can also use John the Ripper and probably MDCrack. Also use the famous rockyou.txt dictionary file.

This is my output:




The type of hash is MD5 Apache, which you can identify by looking at the syntax of the hash, in this case $apr1$salt$hash: the scheme identifier, then the salt, then the hashed password.
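To make the $apr1$salt$hash layout concrete, here is an added example (not from the write-up, and not hashcat's code) that re-implements Apache's $apr1$ scheme in pure Python and verifies a candidate password against a .htpasswd line. It is the same computation htpasswd -m performs: one MD5 of password, magic and salt, then 1000 stretching rounds, then Apache's own base-64 alphabet. The user name, salt and passwords in the usage are constructed, not the challenge's real values.

```python
"""Verify a password against an Apache `$apr1$` (.htpasswd) entry.

Added example: a pure-Python re-implementation of Apache's MD5-based password
scheme, so the `$apr1$salt$hash` layout can be seen end to end.  Every value
used below is constructed for illustration.
"""
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$apr1$"


def _to64(value: int, count: int) -> str:
    """Apache's custom base-64: emit `count` characters, low 6 bits first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_hash(password: str, salt: str) -> str:
    """Compute `$apr1$<salt>$<22 chars>` for the given password and salt."""
    pw = password.encode()
    salt = salt[:8]          # Apache uses at most 8 salt characters
    sb = salt.encode()

    # Initial digest: password, magic and salt, plus an MD5(pw+salt+pw)
    # block repeated for every 16 bytes of password length.
    ctx = hashlib.md5(pw + MAGIC + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    for pl in range(len(pw), 0, -16):
        ctx.update(alt[:min(pl, 16)])
    i = len(pw)
    while i:                 # one byte per bit of the password length
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    # 1000 stretching rounds that mix password, salt and the running digest.
    for r in range(1000):
        c = hashlib.md5()
        c.update(pw if r & 1 else final)
        if r % 3:
            c.update(sb)
        if r % 7:
            c.update(pw)
        c.update(final if r & 1 else pw)
        final = c.digest()

    # Byte permutation and encoding fixed by the original md5crypt.
    f = final
    enc = (_to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
           + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
           + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
           + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
           + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
           + _to64(f[11], 2))
    return "$apr1$" + salt + "$" + enc


def parse_htpasswd_line(line: str):
    """Split `user:$apr1$salt$hash` into (user, salt, hash); None if not apr1."""
    user, _, field = line.strip().partition(":")
    parts = field.split("$")
    if len(parts) != 4 or parts[0] != "" or parts[1] != "apr1":
        return None
    return user, parts[2], parts[3]


def verify_htpasswd(line: str, candidate: str) -> bool:
    """True if `candidate` is the password behind this .htpasswd line."""
    parsed = parse_htpasswd_line(line)
    if parsed is None:
        return False
    _, salt, expected = parsed
    computed = apr1_hash(candidate, salt)
    # Constant-time comparison; the stored hash came from outside our control.
    return hmac.compare_digest(computed, "$apr1$" + salt + "$" + expected)


if __name__ == "__main__":
    # Constructed entry: user "demo", salt "abcdefgh", password "correct horse".
    entry = "demo:" + apr1_hash("correct horse", "abcdefgh")
    print(entry)
    print("right password:", verify_htpasswd(entry, "correct horse"))
    print("wrong password:", verify_htpasswd(entry, "wrong horse"))
```

The 1000 rounds are why a dictionary attack on this format costs 1000 MD5 computations per candidate rather than one; hashcat handles the same format as mode 1600. The parser also refuses lines that are not $apr1$ (for example {SHA} or bcrypt entries) instead of guessing, which is the behaviour you want in any code that reads .htpasswd files.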

Our output goes to crackedhash.txt and gives us:




Go back to the main page and log in! You're done!



