OWASP Hackademic Challenge 10

Another day, another challenge…

Today’s challenge will conclude the Hackademic Challenge.

Below is the scenario:

Would you like to become an active hacker ?
How about becoming a member of the world’s largest hacker group:
The n1nJ4.n4x0rZ.CreW!

Before you can join though, you ‘ll have to prove yourself worthy by passing the test that can be found at: http://n1nj4h4x0rzcr3w.com

If you succeed in completing the challenge, you will get a serial number, which you will use for obtaining the password that will enable you to join the group.

Your objective is to bypass the authentication mechanism, find the serial number and be supplied with your own username and password from the admin team of the site.

Clicking the link we see the following screen:

challenge10intro

Doing a right click, page source we see the following:

challenge10pagesource

Looking at the line above the password line we noticed that there is a hidden field called “LetMeIn” which is set to false. What if we set this to true?

Going back to the our original screen, and clicking on Tools –> Web Developer Extension –> Forms –> Display Form Fields we see the following screen:

challenge10formfields

Changing the field from “False” to “True” and pressing the “Login” button we see the following:

challenge10encoding

Hmm… there’s an alert box that has encoding in it. Could this encoding contain the serial number?

Copying the encoding and going to Google we search for “Decoder online”. We found a website HERE

Changing the encoding type from Base64 to URL encoding and pressing “Decode” we see the following:

challenge10serialnumber

We have the serial number!

Going back to the challenge and pressing Enter we’re presented with the following screen:

challenge10email

Entering our name and serial number, and pressing the send button we see the following screen:

challenge10congrats

Lesson learned:

Our trick of right clicking and viewing the page source helped us. We noticed that there is a hidden field titled, “LetMeIn”. Developers believe that just because a field is hidden a penetration tester could not exploit these fields. This is further from the truth.

After we have tampered with the hidden field we are next encountered with encoding. Doing a quick Google search we found an encoder/decoder online that we can use to decode the encoding.

Once that decoding is done we entered our name and serial number on the next screen and we have completed the challenge.

OWASP Hackademic Challenge 8

Another day, another challenge.

Today’s challenge is #8 from the OWASP Hackademic Challenge.

Below is the scenario:

You have managed, after several tries, to install a backdoor shell (Locus7Shell) to trytohack.gr

The problem is that, in order to execute the majority of the commands (on the machine running the backdoor) you must have super-user rights (root).

Your aim is to obtain root rights.

Clicking on the link we see the following:

challenge8intro

Doing a right click and “view page source” the following screen appears:

challenge8pagesource

Looking at the input box, it seems that we can use bash commands to query what’s on the file system.

Typing in “ls” (list) we see the following:

challenge8ls

the b64.txt file looks interesting… let’s open this file to see what’s inside…

challenge8base64encoding

Looking at the file there’s encoding. Taking a wild guess the encoding is base 64 (the file gave it away).

Going to Google and typing “base 64 decoder” we get the following link.

Putting the encoding from the base64.txt file into the decoder we get the following:

challenge8base64decoder

We found the username and password, yay!!!

Going back to the challenge and entering the command su (switch user) we’re prompted with the username and password.

Entering what we found in the last screen we get the following:

challenge8congrats

We’re now running the application as root (we can see that in the red text, and a congratulations at the bottom)

Lessons learned:

Once again we looked at the page source, and really didn’t find a lot of information. We did notice that we could enter bash commands and the application would interpret it.

Doing a “ls” we noticed a file on the file system. Going to said file we noticed that it was encoded. Doing a quick Google search we were able to decode the encoding and find the username and password.

A fix for this application would be to not include sensitive files on the file system for users to access. The encoding was trying to do security through obscurity – which doesn’t work. Another fix would be to not allow the user to elevate their privileges (going from a normal user to a admin root user).

 

OWASP Hackademic Challenge 7

Another day, another challenge.

This post we will solve challenge 7 of the OWASP Hackademic Challenge.

Below is the scenario:

A good friend of mine studies at Acme University, in the Computer Science and Telecomms Department. Unfortunately, her grades are not that good. You are now thinking “This is big news!”… Hmmm, maybe not. What is big news, however, is this: The network administrator asked for 3,000 euros to change her marks into A’s. This is obviously a case of administrative authority abuse. Hence… a good chance for D-phase and public exposure…
I need to get into the site as admin and upload an index.htm file in the web-root directory, that will present all required evidence for the University’s latest “re-marking” practices!
I only need you to find the admin password for me…

Good Luck!

Clicking on the link we see the following:

challenge7intro

Right clicking on the page we see the following:

challenge7pagesource

We see that there is a folder named index_files. Let’s go this folder and see what’s there…

challenge7indexfiles

Well look what we have here… there’s a lastlogin.txt, clicking on that file we get the following:

challenge7lastlogin

We see that Irene is a valid user. Let’s go back to the beginning and add Irene to the text box (with TamperData on) and see what we get.

challenge7irene

challenge7tamperdata

Let’s press “OK”, and continue.

challenge7ireneclass

Reloading the page we now see the following in TamperData:

challenge7ireneuser

Well what do we have here? Inside the cookie we have the user of Irene and a userlevel of “user”. Lets try to change the userlevel to admin and see if this will solve our challenge.

challenge7ireneadmin

After pressing out we get the following screen:

challenge7congrats

Lessons learned:

Page source provided gems in this challenge. When doing the page source we noticed that there was a folder “index_files”. When accessing this folder we see that there was information that was disclosed incorrectly that showed the last login of the application. This is bad because another user (in this case us) can impersonate a valid user.

Once we checked the grade for our user of “Irene” and looked at the tamper data results we noticed there was a cookie header that showed that our user had a privilege level of user. We noticed that this value can be changed. After change the privilege from user to admin we completed the challenge successfully.

When creating an application make sure that information is not being disclosed improperly. Make sure that there are no open folders that can be accessed on the website.

OWASP Hackademic Challenge 5

Another day, another challenge…

What’s the challenge today? Challenge 5 of 10 from OWASP Hackademic.

Scenario below:

You need to get access to the contents of this SITE. In order to achieve this, however, you must buy the “p0wnBrowser” web browser. Since it is too expensive, you will have to “fool” the system in some way, so that it let you read the site’s contents.

Walk through below:

Going to the website we get the following:

challenge5

Viewing page source we see the following:

challenge5pagesource

So… the page source is not helping us as there are no gems.

Let’s look at Tamper Data.
Reloading the page and press “Tamper” we get the following:

challenge5tamperdata

We don’t have any POST data to change, but we do have request headers that we can change. One field looks interesting User-Agent.

The user-agent describes the type of browser that you are using. More can be learned about user-agent HERE.

If we change the user-agent to p0wnBrowser (since we are trying to trick the user to view the contents). Changing the user-agent we get the following:

challenge5p0wnbrowser

challenge5congrats

Lesson learned:

In this case we did not have POST data (response) to change, but we did have GET data (request) to change. Looking at the different headers the user-agent jumps out as one to change. Once again, if you’re stuck, Google is the way to go!

OWASP Hackademic Challenge – Challenge 4

Another day, another challenge. What’s the topic for today? We’re still in Cross-Site Scripting (XSS) land…

Scenario below –

A hacker informed us that this site suffers from an XSS-like type of vulnerability. Unfortunately, he lost the notes he had written regarding how exactly did he exploit the aforementioned vulnerability.
Your objective is to make an alert box appear, bearing the message “XSS!“. It should be noted, however, that this site has some protection against such attacks.

SOLUTION

Enter the site we have the following page

challengefourbeginning

Trying to use the same tactic from the third challenge (alert(“XSS!”);) we get the following

challengefourwrong

challengefourwrong2

We see this doesn’t work. Hmm – seems the developer has added some validation to the page.

Let’s see if we can do output encoding with XSS.  Our goal is still trying to display the alert box of XSS!

Using TamperData from FireFox we see that our words are being encoded.

tamperdatachallenge4

 

Going to Google and look for “XSS Filter Evasion Cheat Sheet” we come to the following page HERE

Scrolling down we see the following:

Chapter4FromCharCode

Let’s try to use the fromCharCode and see if that works.

Changing the XSS to the ASCII equivalent –  we get the following:

alert(String.fromCharCode(88,83,83,33))

Putting this into the text box we get inside ‘Tamper Data”:

chapter4puttinginanswer

Pressing “XSS Me!” we get the following:

chapter4tamperdata

We’re not going to tamper this data, and press OK.

The screen now returns:

challenge4xss

challenge4congrats

Lessons learned:

The application encoded certain characters “>”, “<“, “(“, “)” to try to mitigate against cross-site scripting attacks. Even with doing this we still found a way to evade the encoding by using the JavaScript function – fromCharCode from the String class. When in doubt, use Google!