Month: March 2017

Today’s post is going to go over the second challenge of the OWASP Hackademic Challenges Project.

Below is the scenario:

Your Country needs your help for finding the password of an enemy site that contains useful information, which if is not acquired on time, peace in our area will be at stake.

You must therefore succeed in finding the password of this military SITE.

Good luck!

Solution:

Entering the site – we get the following:

Doing a page source we see the following:

We see that the submit button calls the GetPassInfo JavaScript method (second screenshot).

Now we need to analyze what the method returns.

Going to an online JavaScript interpreter we add the code along with alert statements to print what the “wrong” variable is holding.

Going back to the challenge, and entering what is in the dialog box = enter a coin to play – we get the following screenshots:

Looking at the address bar after the index.php – we see a parameter of result that has our password in the address bar.

Lesson learned:

1. We used the same tactics from the first challenge. When doing this we were able to find that the submit button was calling a GetPassInfo() JavaScript method which allowed us to proceed forward
2. After obtaining the JavaScript code, we went to an online JavaScript interpreter and entered the code adding alerts so we can see what is stored in the variables
3. After doing this we were able to obtain the password and enter it in the input box.

The developers thought they were able to trick users by putting the password in a method. They didn’t anticipate for us to find an online JavaScript interpreter to decipher the results.

Once again – looking at the page source reigns again! 🙂

In my last blog post I stated that I was going to start showing my solutions to web app security questions.

My first solution will be from the OWASP Hackademic Challenges Project – Challenge 1.

Below is the scenario:

Our agents (hackers) informed us that there reasonable suspicion that the site of this Logistics Company is a blind for a human organs’ smuggling organisation.

This organisation attracts its victims through advertisments for jobs with very high salaries. They choose those ones who do not have many relatives, they assasinate them and then sell their organs to very rich clients, at very high prices.

These employees are registered in the secret files of the company as “special clients”!

One of our agents has been hired as by the particular company. Unfortunately, since 01/01/2007 he has gone missing.

We know that our agent is alive, but we cannot contact him. Last time he communicated with us, he mentioned that we could contact him at the e-mail address the company has supplied him with, should there a problem arise.

The problem is that when we last talked to him, he had not a company e-mail address yet, but he told us that his e-mail can be found through the company’s site.

The only thing we remember is that he was hired on Friday the 13th!

You have to find his e-mail address and send it to us by using the central communication panel of the company’s site.

Good luck!!!

Solution:

Entering the Logistics Company I am presented with the following:

As you can see we need to find the code and password. Looking at the page really doesn’t give us anything to work with.

Next I look at the page source to look at the code. Maybe there are some goodies here!

Well look at what we have here. Looking at the end of the first line we see that the font color is #FFFFFF = white. Inside this white color font it has white and rabbit. Let’s see if this is the code and password.

After entering our information we’re logged into the portal of Greek Logistics Company.

Looking at the left side we see the send e-mail option. We will use this later as we need to send an email to find our captured friend.

Let’s look at the mailbox special client’s mailbox.

We see that there are five clients at Greek Logistics Company. Let’s look at the frame source on the Special Clients’ Mailbox and see what we get.

What do we have here? there’s a secret_area_ directory… Let’s see what’s in this directory.

Going to the secret_area_ directory there’s two files. A mails.gif file and a mails.txt. Our mission is to find the email of our friend so we can email them. That will probably be in the mails.txt file.

Opening the mails.txt file we see a list of email addresses. Re-reading the scenario we know that our friend went MIA on Friday the 13th. Looking at the list of emails one of them jumps out: Jasson Killer Friday13@JasonLives.com. Let’s use this email address and see if can connect with out kidnapped friend.

Going back to the secret area portal, we go to the send e-mail link:

Pressing send we get the following:

Yay! We were able to complete the challenge and able to contact our kidnapped friend.

Lessons learned:

1. Even though the code and password were obscured by setting the text to white, this still didn’t stop us from gaining entry to the portal. When you’re unsure on how to proceed, look at the page source. Unfortunately, developers leave a lot of gems that should not be there.
2. Once we gained entry into the secret portal. We looked at the frame source, and noticed a secret directory. Again, the developers left valuable gems for us to continue
3. Finally when we went to Apache server we noticed two files. Looking at the scenario we were able to skip the first file as it was just a gif. The second file was what we were after… it had the list of email addresses
4. Opening this file and re-reading the scenario we were able to find that the email address we wanted was from Jason (Friday the 13th).

Whenever you’re stuck- ALWAYS LOOK AT THE PAGE SOURCE! 🙂