Hacking archives - Security Corner


Oct 30 2009   3:11PM GMT

Hacking Skills Challenge - Level 8



Posted by: Ken Harthun
Security, Ethical hacking, Password, PHP, Command line

So far, we’ve explored the first 7 basic missions at HackThisSite.org. The difficulty of these challenges increases at each level, but this one is not too tough if you look at the clues. Here’s the challenge:

The password is yet again hidden in an unknown file. Sam’s daughter has begun learning PHP, and has a small script to demonstrate her knowledge. Requirements: Knowledge of SSI (dynamic html executed by the server, rather than the browser).

Sam remains confident that an obscured password file is still the best idea, but he screwed up with the calendar program. Sam has saved the unencrypted password file in /var/www/hackthissite.org/html/missions/basic/8/

However, Sam’s young daughter Stephanie has just learned to program in PHP. She’s talented for her age, but she knows nothing about security. She recently learned about saving files, and she wrote a script to demonstrate her ability.

Did you catch that key phrase in the description above? It’s “…executed by the server…” and it’s PHP. That’s what tipped me off. We should be able to execute a simple PHP script from the input box, don’t you think? In PHP you can execute commands with a simple structure. Let’s see what happens if we type in the ls command like this:

<!--#exec cmd="ls" -->

That gives us some output, but not what we’re looking for, I’m afraid:

Your file has been saved. Please click here view the file.

That output is at ../level8.php. If you click the link to view the file, you’ll see this at ../tmp/[random filename].shtml:

Hi, tshngmww.shtml hipykpqu.shtml ztxdhjxn.shtml…[and a lot more].

That’s not what we’re looking for.

Oh, wait. We just did a listing of the current directory, /var/www/hackthissite.org/html/missions/basic/8/tmp/. We want to go up one level to /var/www/hackthissite.org/html/missions/basic/8/. Let’s try that command again, this time listing the parent directory:

<!--#exec cmd="ls .." -->

Voila! Now we get this as the output when we click the link to view:

Hi, au12ha39vc.php index.php level8.php tmp!

The file au12ha39vc.php looks like the one. Plug it into the browser and you get the password: 40087506.

Mission accomplished!

Oct 28 2009   12:15AM GMT

Hacking Skills Challenge - Level 7



Posted by: Ken Harthun
Security, Ethical hacking, Password, Linux, Command line

Once again it’s a slow security news week, so time to tackle the next hacking skills challenge level. So far, we’ve explored the first 6 basic missions at HackThisSite.org. The difficulty level is supposed to increase at each level, but this one is only difficult if you don’t know Linux. Here’s the challenge:

The password is hidden in an unknown file, and Sam has set up a script to display a calendar. Requirements: Basic UNIX command knowledge.

This time Network Security Sam has saved the unencrypted level7 password in an obscurely named file saved in this very directory.

In other unrelated news, Sam has set up a script that returns the output from the UNIX cal command.

This one is so easy you don’t even have to look at the source code. But you do have to know about chaining commands in Unix.

If you enter a year, you’ll get a full 12-month calendar with all weeks beginning on Sunday displayed on the resulting output page. This is the default behavior of the cal command. It looks like all the script does is execute the command, taking your input as a parameter. We can prove this by leaving the field blank; the script returns the current month and year, i.e., the default behavior.

The key to cracking this one is the phrase “…obscurely named file saved in this very directory.” We know the permissions are good to run commands on that directory, so let’s just chain the ls — list directory contents — command and see what happens. (You chain commands in Linux using && between them.) Enter the following in the text box: && ls and click the View button. Here’s the output:

       October 2009
Mon Tue Wed Thu Fri Sat Sun
              1   2   3   4
  5   6   7   8   9  10  11
 12  13  14  15  16  17  18
 19  20  21  22  23  24  25
 26  27  28  29  30  31

.
..
level7.php
cal.pl

index.php
k1kh31b1n55h.php
perl5.8.9.core

Looks to me like k1kh31b1n55h.php is our file. Stick it in the URL and open it up. Voila! The password, f866d6b9, is revealed.
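Both Sam’s calendar script (level 7) and Stephanie’s file-saving script (level 8) hand user input straight to the shell or to the SSI engine. The following is an added example, not code from HackThisSite, showing the two server-side checks that would have closed both holes: an allow-list on the cal parameter so that an input like "&& ls" is rejected before any command is built, and HTML-escaping of anything written into a .shtml file so that an "<!--#exec ...-->" directive is stored as inert text. Function names are my own.

```python
import html
import re
import subprocess
from typing import List

# Level 7: allow-list the calendar parameter. Only an optional year of up to
# four digits gets through, so "&& ls" never reaches a shell.
YEAR_RE = re.compile(r"\d{1,4}")


def cal_argv(user_input: str) -> List[str]:
    """Build the argument vector for cal from untrusted input."""
    value = user_input.strip()
    if value == "":
        return ["cal"]  # blank input: cal shows the current month, as noted above
    if not YEAR_RE.fullmatch(value):
        raise ValueError(f"rejected calendar parameter: {value!r}")
    return ["cal", value]


def run_cal(user_input: str) -> str:
    """Run cal with shell=False, so no shell ever parses the user's value
    and '&&' has no special meaning."""
    return subprocess.run(cal_argv(user_input), capture_output=True,
                          text=True, check=True).stdout


# Level 8: the saved text lands in a .shtml file that the server's SSI
# handler evaluates. Detect directives for logging, and escape the text
# before it is written so "<!--#exec cmd=...-->" stays inert.
SSI_DIRECTIVE_RE = re.compile(r"<!--\s*#\s*\w+")


def contains_ssi_directive(text: str) -> bool:
    """True if the text carries an SSI directive; worth logging as an attack."""
    return SSI_DIRECTIVE_RE.search(text) is not None


def render_greeting_for_shtml(name: str) -> str:
    """Produce the 'Hi, <name>!' line with the name HTML-escaped.

    '<' becomes '&lt;', so the served file no longer contains a directive
    even though it is still processed as .shtml.
    """
    return f"Hi, {html.escape(name, quote=True)}!"
```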

Mission accomplished!


Oct 8 2009   2:18AM GMT

Hacking Skills Challenge - Level 6



Posted by: Ken Harthun
Security, Ethical hacking, Cryptography, Password

Well, slow security news week, so let’s tackle the next hacking skills challenge level. So far, we’ve explored the first 5 basic missions at HackThisSite.org. At each new level, the difficulty increases. At level 6, we’re dealing with a bit of cryptography. Don’t worry, you don’t have to be a PhD to figure it out; it’s a pretty simple algorithm. The encryption table is publicly available. Here’s the challenge:

An encryption system has been set up, which uses an unknown algorithm to change the text given. Requirements: Persistence, some general cryptography knowledge.

Network Security Sam has encrypted his password. The encryption system is publicly available…

You have recovered his encrypted password. It is: bc8g76g<

Your recovered password will be different, but the algorithm to solve it will be the same.

There’s a form where you can enter a text string and have it encrypted by the algorithm used, so that’s a good place to start to solve the cipher. My first attempt was to enter the encrypted password and see what I got back out of the algorithm. The output was bd:j;;mC. Clearly, this is a shifting algorithm of some sort, with the first position, position 0, remaining unchanged. I went ahead and tried the ROT(n) algorithms, even though they don’t usually deal with numbers. No joy there. But a good look at the output might indicate a successive addition pattern: the first position is 0, so the letter remains the same; the second position, 1, increments to the next letter. Reversing the pattern would yield 0, -1, -2, etc.

The presence of symbols suggests the ASCII symbol set and this is what works out to be the solution. Get an ASCII table. For each character position, count backwards from the letter in the password the number of places corresponding to the position number. So, for b, count back 0, for c, count back 1, for 8, count back 2, etc. This will give you bb6d31a5 which is the original password.
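The transform described above, worked through in code (an added example, not HackThisSite’s implementation): character i is shifted forward i places in the ASCII table, so decryption shifts it back i places. The recover_shifts helper shows why the public encryption form is fatal for this cipher: one chosen plaintext reveals the whole shift pattern.

```python
# Level-6 cipher as described above: position-dependent ASCII shift.


def encrypt(plaintext: str) -> str:
    """Shift the character at position i forward by i ASCII places."""
    return "".join(chr(ord(c) + i) for i, c in enumerate(plaintext))


def decrypt(ciphertext: str) -> str:
    """Undo the transform: shift the character at position i back by i."""
    return "".join(chr(ord(c) - i) for i, c in enumerate(ciphertext))


def recover_shifts(plaintext: str, ciphertext: str) -> list:
    """Per-position shift derived from a known plaintext/ciphertext pair,
    e.g. one obtained by feeding chosen text through the public form.
    For this cipher the result is [0, 1, 2, ...], independent of the key,
    so there is effectively no key at all."""
    return [ord(c) - ord(p) for p, c in zip(plaintext, ciphertext)]


if __name__ == "__main__":
    # Values from the post: recovered ciphertext and its round trip.
    print(decrypt("bc8g76g<"))              # bb6d31a5
    print(encrypt("bc8g76g<"))              # bd:j;;mC
    print(recover_shifts("bc8g76g<", "bd:j;;mC"))
```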

Mission accomplished!


Sep 23 2009   8:15PM GMT

Hacking Skills Challenge - Level 5



Posted by: Ken Harthun
Security, security awareness, Email security, Ethical hacking, Hacking, Password

So far, we’ve explored the first 4 basic missions at HackThisSite.org. As we get to each new level, the difficulty increases, but they’re still pretty easy.

Today, we solve level 5:

Sam has gotten wise to all the people who wrote their own forms to get the password. Rather than actually learn the password, he decided to make his email program a little more secure.

If you try the same tactic we used to solve level 4, you’ll get the error message, “Invalid referrer. The requested URL /missions/basic/5/level5.php will not be loaded.” You get this because the script checks the HTTP headers to see where you are viewing the page from. If the URL is not /missions/basic/5/ or /missions/basic/5/index.php, then it will give an error. Since you’re viewing it from a local file, the script fails.

There are two approaches we can take here: 1. Change the email address in the script using some form of code injection; 2. Use an online monitor/debugger that allows us to edit a page on the fly.

For the first approach, JavaScript injection allows us to change the email address using the following code: javascript:alert(document.forms[0].to.value="put_your@email.here"); Enter that in the address bar, hit Enter, and you’ll be greeted with an alert box showing the email address you entered. If you then click the “Send Password to Sam” button, the password will be revealed. Copy the password, paste it into the password field, click Submit and you’re in. Like the last exploit, the page won’t actually send the password to the email address. In fact, you don’t even have to change the email address in the code; it will work as shown.

For the second approach, if you use Firefox, you can install a cool add-on called Firebug. This powerful tool allows you to edit, debug, and monitor CSS, HTML, and JavaScript live in any web page. I installed it, went to the challenge page and used the “Inspect Element” feature to see what was behind the “Send Password to Sam” button. Then, within Firebug, I changed the email address. When I clicked the “Send Password to Sam” button, the password was revealed.

Either way, mission accomplished!

(In a future post, I’ll show you how to hack any stored password using a similar JavaScript approach. And I’ll make sure you adopt a policy to never use a “remember me on this computer” check box on a publicly accessible PC ever again!)


Sep 20 2009   5:45PM GMT

Hacking Skills Challenge - Level 4



Posted by: Ken Harthun
Security, Ethical hacking, Hacking

So far, we’ve explored the first 3 basic missions at HackThisSite.org. As we get to each new level, the difficulty increases, but they’re still pretty easy. Today, we solve level four:

An email script has been set up, which sends the password to the administrator. Requirements: HTML knowledge, an email address.

This time Sam hardcoded the password into the script. However, the password is long and complex, and Sam is often forgetful. So he wrote a script that would email his password to him automatically in case he forgot.

So, what we have to do is hack the page to get the password sent to an email address of our own choosing. The script is invoked by clicking the “Send Password to Sam” button. Once again, we can view the source to see what clues are there. Paths to two scripts stand out:

"/missions/basic/4/level4.php"
"/missions/basic/4/index.php"

Those are both relative paths. We can’t make them absolute and save the source, but we can save the page to the desktop, edit it, then open the local file. This should give us some action. Make sure to change the email address to one you own.

When the page is opened, we see the challenge screen. Click on the “Send Password to Sam” button and voila! A page appears to reveal the password 50c3072c. The script doesn’t actually email the password, so don’t bother checking the email address you entered.

Mission accomplished!

According to some, level 5 is a bit tougher, but I’m sure we have the talent.

What do you think? How could this hack be thwarted? Leave a comment!
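One answer to that question, covering both level 4 and level 5 (an added example, not HackThisSite’s code): the recipient address must never come from the form, and a Referer check is no substitute, because the client controls that header too. The hardened version fixes the recipient on the server and requires a session-bound form token checked in constant time. ADMIN_EMAIL, SECRET_KEY and the function names are placeholders.

```python
import hmac

# Constructed server-side settings (placeholders, not real values).
ADMIN_EMAIL = "sam@example.org"
SECRET_KEY = b"constructed-demo-key"  # in practice: random, per deployment


def vulnerable_recipient(form: dict, headers: dict) -> str:
    """Level 4/5 logic: the 'to' field comes from the client, and the only
    guard is a Referer check. Both are under the user's control, so a saved
    copy of the page, or an edited form, can redirect the password."""
    referer = headers.get("Referer", "")
    if not referer.endswith(("/missions/basic/5/",
                             "/missions/basic/5/index.php")):
        raise PermissionError("Invalid referrer")
    return form["to"]


def issue_form_token(session_id: str) -> str:
    """Token tied to the user's session, embedded in the form as a hidden
    field when the server renders it."""
    return hmac.new(SECRET_KEY, session_id.encode(), "sha256").hexdigest()


def hardened_recipient(form: dict, session_id: str) -> str:
    """Hardened logic: verify the session-bound token in constant time and
    ignore any client-supplied recipient entirely."""
    expected = issue_form_token(session_id)
    if not hmac.compare_digest(form.get("token", ""), expected):
        raise PermissionError("missing or invalid form token")
    return ADMIN_EMAIL  # fixed on the server; the form cannot change it
```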


Sep 16 2009   6:38PM GMT

Hacking Skills Challenge-Level 3



Posted by: Ken Harthun
Security, Hacking, Password, Vulnerabilities, Ethical hacking

My most recent post, Hacker Skills Help Save a Client’s PC, is a real-life practical example of how honing (or developing) your hacking skills can help you better serve your clients. So if you haven’t gotten around to it yet, mosey on over to HackThisSite.org, create an account and get started on the basic missions. They’re pretty simple, but if you don’t know a thing about hacking, you’ll be challenged.

Did you figure out level 3 of the HackThisSite.org Basic Missions? Here’s the mission:

This time Network Security Sam remembered to upload the password file, but there were deeper problems than that.

Recall that Sam forgot the password file the last time and so the script that checked for the file returned a <null> value—a blank password. This time, he remembered to upload the password file, which, if you look at the source code for the page, is password.php. In the last challenge, we were told that the password file was not encrypted. I wonder if we can open password.php? Let’s copy the URL of the challenge page and append “password.php” to it: http://www.hackthissite.org/missions/basic/3/password.php. Voila! The page opens, revealing 792debbc as the password.

Mission accomplished.


Sep 16 2009   6:03PM GMT

Hacking Skills Help Save a Client’s PC



Posted by: Ken Harthun
Microsoft Windows, Security, Hacking, Malware, Scareware, Ethical hacking

A client recently called about his home PC saying that there were all kinds of pop-ups telling him he was infected. Naturally, the pop-ups promised to remove the “infection” for $49.95, a typical scareware tactic. I figured this would be a simple job, probably WinAntivirus Pro or some variant of it, and I would be in and out in less than an hour. I was wrong; he had deeper problems.

When I booted his PC, I was confronted by multiple command windows all with the title “desote.exe.” I was able to get to a web page and determine that this file is related to Windows Police PRO, a WinAntivirus Pro variant. I was also able to download MalwareBytes’ Antimalware. It wouldn’t install; desote.exe popped up every time I tried to run the MBAM installer. I decided to try a manual removal to get the PC to where I could run MBAM and clean things up later, so I deleted desote.exe, dbsinit.exe and a couple of other related files. That was a mistake; Windows lost its ability to run .exe files.

I knew I’d probably have to hack it, so I fell back on an old trick: When .exe files won’t run, change the extension to .com. This worked. I was able to install MBAM, run it, and get the system cleaned up. Turns out that the malware changes the registry key HKCR\exefile\shell\open\command from the (Default) entry of ["%1" %*] to [c:\windows\desote.exe "%1" %*]; since desote.exe was missing, Windows didn’t know what shell to run .exe files with. Besides that, MBAM found rootkit components that would have been difficult to remove manually.
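A quick check for that registry hijack, as an added example (my own code, not from MBAM or any tool named above): it parses the output of reg query for HKCR\exefile\shell\open\command and reports whatever has been inserted in front of the clean default "%1" %*. The sample output is constructed to mirror the value quoted above, not a real capture.

```python
import re
from typing import Optional

# Clean (Default) value of HKCR\exefile\shell\open\command.
CLEAN_EXEFILE_COMMAND = '"%1" %*'

# Constructed sample of `reg query HKCR\exefile\shell\open\command` output,
# modelled on the hijacked value described above (not a real capture).
SAMPLE_REG_QUERY = r"""
HKEY_CLASSES_ROOT\exefile\shell\open\command
    (Default)    REG_SZ    c:\windows\desote.exe "%1" %*
"""

CLEAN_REG_QUERY = r"""
HKEY_CLASSES_ROOT\exefile\shell\open\command
    (Default)    REG_SZ    "%1" %*
"""


def parse_default_value(reg_query_output: str) -> str:
    """Pull the (Default) REG_SZ / REG_EXPAND_SZ value out of reg query output."""
    for line in reg_query_output.splitlines():
        m = re.match(r"\s*\(Default\)\s+REG_(?:EXPAND_)?SZ\s+(.*)$", line)
        if m:
            return m.group(1).strip()
    raise ValueError("no (Default) value found")


def exefile_hijack(reg_query_output: str) -> Optional[str]:
    """Return the program interposed in front of '"%1" %*', or None if clean.

    Any value other than the default routes every .exe launch through
    something else first; when that something is deleted, nothing runs,
    which is exactly what happened on the client's PC.
    """
    value = parse_default_value(reg_query_output)
    if value == CLEAN_EXEFILE_COMMAND:
        return None
    if value.endswith(CLEAN_EXEFILE_COMMAND):
        return value[: -len(CLEAN_EXEFILE_COMMAND)].strip()
    return value
```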

Hacker skills are valuable for us white hats.


Sep 12 2009   12:55PM GMT

Hacking Skills Challenge-Level 2



Posted by: Ken Harthun
Security, Hacking, Ethical hacking

Did you figure out level 2 of the HackThisSite.org Basic Missions? Here’s the mission:

Network Security Sam set up a password protection script. He made it load the real password from an unencrypted text file and compare it to the password the user enters. However, he neglected to upload the password file…

Read the mission briefing very carefully. A script loads a password from a file. There isn’t a file, so the script won’t load anything, meaning the variable will be…empty (blank). Clicking the Submit button with an empty password field should do it.
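The bug in Sam’s script is a fail-open comparison, shown here in an added example (my own code, not the mission’s): when the password file is missing, the vulnerable version silently compares against an empty string, so a blank submission matches. The hardened version fails closed on a missing or empty file and compares in constant time.

```python
import hmac


def load_password_fail_open(path: str) -> str:
    """Sam's behaviour: a missing password file quietly becomes ''."""
    try:
        with open(path, encoding="utf-8") as f:
            return f.read().strip()
    except FileNotFoundError:
        return ""


def check_password_vulnerable(path: str, submitted: str) -> bool:
    """Compares whatever was loaded, so '' == '' lets a blank password in."""
    return submitted == load_password_fail_open(path)


def check_password_hardened(path: str, submitted: str) -> bool:
    """Fail closed: no file, or an empty file, means nobody gets in.

    hmac.compare_digest keeps the comparison constant-time so the check
    does not leak how many leading characters matched.
    """
    try:
        with open(path, encoding="utf-8") as f:
            stored = f.read().strip()
    except FileNotFoundError:
        return False
    if not stored or not submitted:
        return False
    return hmac.compare_digest(stored.encode(), submitted.encode())
```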

That worked. Mission accomplished.


Sep 7 2009   1:03PM GMT

Hacking Skills Challenge Level 1



Posted by: Ken Harthun
Fun stuff, Security, Hacking, Password, Ethical hacking

The other day, I proposed you test out your ethical hacking skills over at HackThisSite. If you didn’t see that post, take a look now: How Are Your Hacking Skills? As promised, I’m publishing my comments and approach to the solution.

Level 1, dubbed “The Idiot Test,” requires that you enter the correct password into a password field in order to continue to the next level. The name itself seemed a giveaway to me, so I started with the obvious, a blank password, and simply clicked the submit button. No joy. Next, I tried ten of the most popular weak passwords in use (take your pick as to which “Top Ten” list you prefer):

password
root
admin
123456
qwerty
abc123
letmein
changeme
password1
asdfjkl;

None of these worked; it appeared as if the test was going beyond the idiot level. If it’s that simple, it should be obvious, so I took another look at the screen and noticed another subtle clue: “If you have no idea what to do, you must learn HTML.” Hmm. Maybe the page source has a clue. I opened the page source and searched for “password.” Bingo! I found this in the code:

<!-- the first few levels are extremely easy: password is 1e79cde6 -->

Did you figure it out? Hit the comments and let me know.


Sep 5 2009   3:31AM GMT

How Are Your Hacking Skills?



Posted by: Ken Harthun
Hacking, Security, Ethical hacking

In playing the contract consultant game over the years, I’ve become accustomed to verbal and written skills assessment tests, but until recently, I’d never had anyone present a question like this: “Optional - Extra Credit - Create an account on http://www.hackthissite.org and complete levels 1 through 4 of the Basic Web Hacking Challenge and explain how you figured out each level.” Sounds like fun, I thought, and it makes sense: If you want to know how well a guy can protect your network, see if he knows how a hacker would attack it. So I headed on over to the site. Having never been there, I didn’t know what to expect; I was greeted with this:

Hack This Site is a free, safe and legal training ground for hackers to test and expand their hacking skills. More than just another hacker war games site, we are a living, breathing community with many active projects in development, with a vast selection of hacking articles and a huge forum where users can discuss hacking, network security, and just about everything. Tune in to the hacker underground and get involved with the project.

I created an account, logged in and proceeded to the “Basic Missions” section; there are 11 of them, and I was to complete the first four. At level one, the challenge reads, “This level is what we call ‘The Idiot Test.’ If you can’t complete it, don’t give up on learning all you can, but don’t go begging to someone else for the answer, that’s one way to get you hated/made fun of. Enter the password and you can continue.”

Though they call it “The Idiot Test,” it’s not as simple as you might think. You’ll find the solution interesting. Try it for yourself, post your comments and check back in a day or so; I’ll be posting my analysis and solutions to each level, eventually covering all 11 basic missions.

In the meantime, have a safe and enjoyable Labor Day weekend.