HTS.org R1 challenge

Preface

I wanna broaden my knowledge base when it comes to hacking and exploiting things.
As already summarized in @L3akM3-0day's article [learn hacking where should you start](https://0x00sec.org/t/learn-hacking-where-should-you-start/136) from a while ago, there are several resources depending on your skill level.
I ain’t no h4x0r wizard yet so I’m starting at the beginning with baby steps.
For learning purposes for myself and other newcomers I will summarize the small “challenges” I encountered and solved here.

Note: If I write nonsense in this and the following articles, please correct me for the sake of me and others not getting confused and mixed up with things :slight_smile: .

Author Assigned Level: Newbie


Required Skills

Since we’re starting at the beginning not much knowledge is required at the moment.

  • basic html
  • basic understanding of ‘hacking’

Disclaimer

These write ups are only my 2 cents on the challenges. So don’t take them too seriously. :wink:


HTS.org realistic challenges

Structure

These challenges are always designed in the following manner:

  • You get a ‘message’ and have to solve the task described in there…

Realistic challenge 1

Message: Hey man, I need a big favour from you. Remember that website I showed you once before? Uncle Arnold’s Band Review Page? Well, a long time ago I made a $500 bet with a friend that my band would be at the top of the list by the end of the year. Well, as you already know, two of my band members have died in a horrendous car accident… but this ass hole still insists that the bet is on!
I know you’re good with computers and stuff, so I was wondering, is there any way for you to hack this website and make my band on the top of the list? My band is Raging Inferno. Thanks a lot, man!

So what can we extract right from the message above?

  • There seems to be a review page for bands with some kind of sorting. Maybe a voting system ;)?

The site:

As you can see our guess was correct. There’s a personal opinion with a personal rating and a voting system for the community.
The band mentioned in the message is on the bottom of that page with a horrendous rating.

the source

```html
.......
<h2><a href="http://www.raginginferno.com">Raging Inferno</a></h2>

<p>This is a self-proclaimed "hardcore" metal band pretty much does nothing besides covering older slayer songs and nintendo game 'music' with added high-pitched screaming. I give these guys an F.</p>
<p><i>The average rating of this band is 2.3141751857359. How would you rate it?</i></p>

<form action="v.php" method="get">
	<input type="hidden" name="PHPSESSID" value="abcaeadfc31a5c43b2534bf995c0553f" />
	<input type="hidden" name="id" value="3" />
	<select name="vote">
		<option value="1">1</option>
		<option value="2">2</option>
		<option value="3">3</option>
		<option value="4">4</option>
		<option value="5">5</option>
	</select>
	<input type="submit" value="vote!" />
</form>
....
```

The ‘hack’

[spoiler]Okay as we can see the voting system is handled through a .php script.
The ‘hack’ here is more than simple: we can just manipulate the option values right in our browser to trick the system.
E.g.: Through the built-in ‘firefox developer tools’.

```html
<select name="vote">
   <option value="1">1</option>
   <option value="2">2</option>
   <option value="3">3</option>
   <option value="4">4</option>
   <option value="50000">50000</option>
</select>
```

Once we have done that, selected the new value in the voting system and clicked on vote, we have passed the challenge, because a mere addition of this vote was enough to catapult the band to the first place.

This works because the input to the .php script doesn’t seem to get validated in any manner.
This kind of exploitation is not happening too much these days as far as I can judge, since the coding got a lot more secure ( at least on bigger websites :smiley: ) through implemented mechanics like:

  • scripts use the IP address of the user and/or cookies
  • every visitor votes only once

[/spoiler]

Conclusions

The first realistic challenge from this site is not really a challenge but more an introduction to what will follow.
Since I like article series to be complete I’m starting here and will publish one after another in the correct order.
For most people here this article and maybe the next few won’t be interesting at all since it’s targeted at such a low skill level, but bear with me, because when I will finish these I will steadily increase the difficulty level.
So I hope I didn’t waste too much this time around.

The next article of the series can be found here once it’s up!!

Stay tuned :wink:

4 Likes
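The server-side check whose absence the write-up above points to, as an added example that is not part of the original post or the challenge site's code: the `vote` parameter is accepted only if it is one of the values the form offers, and each voter is counted once per band. The function names, the in-memory `$store` and the `sess-*` voter keys are assumptions made for illustration.

```php
<?php
// Added example: hypothetical hardened handling for a vote request like v.php's.
declare(strict_types=1);

/** Return the vote as an int if it is one of the offered values 1..5, else null. */
function parse_vote(array $query): ?int
{
    $raw = $query['vote'] ?? null;
    // Only a single digit 1-5 passes: rejects "50000", "5.0", "-1" and vote[]=...
    if (!is_string($raw) || preg_match('/^[1-5]$/D', $raw) !== 1) {
        return null;
    }
    return (int) $raw;
}

/**
 * Count at most one vote per voter per band.
 * $store maps bandId => [voterKey => vote]; $voterKey is assumed to be a
 * server-side identity (session id, IP address), never a client-supplied field.
 */
function record_vote(array &$store, int $bandId, string $voterKey, ?int $vote): bool
{
    if ($vote === null || isset($store[$bandId][$voterKey])) {
        return false; // invalid value or repeat vote
    }
    $store[$bandId][$voterKey] = $vote;
    return true;
}

function average(array $store, int $bandId): float
{
    $votes = $store[$bandId] ?? [];
    return $votes ? array_sum($votes) / count($votes) : 0.0;
}

// Constructed sample requests against band id 3 (the id in the form above).
$store = [];
$requests = [
    ['voter' => 'sess-a', 'query' => ['id' => '3', 'vote' => '2']],
    ['voter' => 'sess-b', 'query' => ['id' => '3', 'vote' => '50000']], // edited option
    ['voter' => 'sess-a', 'query' => ['id' => '3', 'vote' => '5']],     // second vote
];
foreach ($requests as $r) {
    $vote = parse_vote($r['query']);
    $ok = record_vote($store, (int) $r['query']['id'], $r['voter'], $vote);
    printf("%s vote=%s -> %s\n", $r['voter'], $r['query']['vote'], $ok ? 'counted' : 'rejected');
}
printf("average for band 3: %.2f\n", average($store, 3));
```

Only the first request is counted, so the average stays within the 1 to 5 range no matter what the browser sends.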

Great thing you are starting here. I am really looking forward to the next one.

On other challenges like this I always have a hard time getting the solution because I’m not a wizard yet :slight_smile:

1 Like

@BO41 Same as me. I’m just starting here, and since I thought I can share my “journey” with everyone here I will do so :smiley: . Hoping to learn a lot ^^

3 Likes

Another way they can stop scripts like this is captchas. They are the bane of any bot writer.

1 Like
