What is it? @.@

Here is the place where I record some tactics about wargame, systems, and other security issues.

2012-09-19

Hack This Site! - Realistic 5

Description:

Damn Telemarketers!
Telemarketers are invading people's privacy and peace and quiet. Get the password for the administrative section of the site to delete their database and return the privacy of their victims! 

Realistic 5
From: spiffomatic64 

Message: Yo! This is Spiffomatic64 from Hackthissite.org! I'm a bit of a hacker myself as you can see, but I recently came upon a problem I couldn't resolve.....
Lately I've been getting calls day and night from the telemarketing place. I've gone to their website and hacked it once deleting all of their phone numbers so they wouldn't call me anymore. That was a temporary fix but they put their database back up, this time with an encrypted password. When I hacked them I noticed everything they used was 10 years out of date and the new password seems to be a 'message digest'. I have done some research and I think it could be something like a so-called hash value. I think you could somehow reverse engineer it or brute force it. I also think it would be a good idea to look around the server for anything that may help you.
Solution:
  1. Take a tour of the website.
  2. There's only one input form in the page of the following link of the website.
    hxxp://www.hackthissite.org/missions/realistic/5/submit.html
  3. Try to input something and submit, then you'll get an error message of invalid password. It's okay. View page source code of the form page and see the URL of the processing script.
  4. You will see the method is 'GET' and the script file to process the request is /secret/admin.php . There's a directory named secret.
    URL: hxxp://www.hackthissite.org/missions/realistic/5/secret/admin.php?password=123&submit=submit
  5. Do directory traversal (or path traversal) attack to the 'secret' directory. You'll find out there's a backup file named 'admin.bak.php' like below.
    Index of /missions/realistic/5/secret
    • Parent Directory
    • admin.bak.php
    • admin.php
  6. Check the backup script file. There's a hash value inside the file.
    error matching hash b1053edeac96294ae0435f63b22ac004
  7. From the hint above, "everything they used was 10 years out of date and the new password seems to be a 'message digest' (MD).", now you just need to find out the algorithm and decrypt the hash value.
  8. There are so many algorithm to decrypt the password. Of course, you could brute force it, but I wanna save time. So, follow the direction to look around the server.
    http://en.wikipedia.org/wiki/Cryptographic_hash_function
  9. Check the "robots.txt" file of the website, you could find out another directory called 'lib'. There is a file named "hash", it's the another hint for you.
    Reference:
    http://en.wikipedia.org/wiki/Robots_exclusion_standard

    Visit: hxxp://www.hackthissite.org/missions/realistic/5/robots.txt
    User-agent: *
    Disallow: /lib
    Disallow: /secret
  10. Open the hash file, there are some garbage text and some system information. "MD4" is what we're looking for.
  11. I use "john the ripper" to crack it like below, but you can choose another application or tool to achieve the same goal.
    root@sp:/pentest/passwords/john# ./john --format=raw-md4 ./md4.txt
  12. Back to the form page, input the decrypted password and submit.
  13. Good Job, OOXXOOXX, You have sucessfully completed Mission 5