Preface
As always:
I stated my reasoning behind this article series in the first article, which can be found here.
To avoid redundancy, please check out the preface over there and let’s get right into action!
Note: If I write nonsense in this or the following articles, please correct me so that neither I nor others get confused or mix things up.
Author Assigned Level: Wannabe
Required Skills
Since we’re starting at the beginning, not much knowledge is required at the moment.
Disclaimer
These write-ups are only my 2 cents on the challenges. So don’t take them too seriously.
HTS.org realistic challenges
Realistic challenge 10
Message:
hey man, it’s me Zach, I need a favor from you, I’m in big trouble.
if you’ll remember, I go to that super uptight religious school. well, two of my teachers are failing me because my lifestyle does not fall in line with their moralistic rules for public behavior. My gym teacher even called me a ‘long-haired hippie faggot’! And if I fail any classes, I won’t graduate.
Listen, can you hack into the school’s grade database and make it so I’m passing all my classes? I know they have this system set up on their website that allows teachers to submit grades and stuff, and I heard you pulled a few things in the past as well. Their web master was not thinking in terms of computer security when he was designing the website, so it might be easy. Or not. Please check it out here. The user name to my account is ‘Zach Sanchez’ and my password is ‘liberty638’. Thanks man!
What can we extract from the message?
- There's a database
- Teachers have a grade submission system
- We have a user login: Zach Sanchez/liberty638
The site:
- A bunch of links to follow.
- We have a student login
- We have a teacher login
- We have a staff list with names and email addresses
The source
The ‘hack’
Ok so what are we gonna do here?
We saw in the source that there's a ‘hidden’ staff.php.
When we try to access it, we need a login and a password.
We could try to use some form of SQL injection…
Or even better! Wait for this…
Let’s check the staff list!
We got their email addresses.
So most likely the handle before the @ will be the corresponding username!
So we have to guess a password now…
How about we just use the username as a password as well, because why not?
People always use shit passwords…
entering credentials: smiller/smiller
And we see we got a login…
But what is that?
We need “holy_browser”? Wtf man…
Let’s do some identity faking. This can be done, e.g., through a simple Firefox add-on called User Agent Switcher.
If you know any other tools or strategies for this, let me know!
Again… another problem arose…
We cannot change grades because we are not an admin?!
Let’s check the user cookie.
And there it is: an admin cookie :D… flip it to ‘1’…
Ok now we can change grades. Let’s do it for our buddy Zach.
Meh. The rating period is over it seems.
Head to the batmobile… ehm source code and see what’s going on here.
The submit button to modify got commented out …
Welp idc. So let’s forge our own request to the site to update the grade.
If we look at our URL right now we already have some parameters set.
We can leave them as is or copy the URL chunk from the source.
So let’s look at the classes which need some changes.
Copy the URL and add the necessary pieces.
Which are:
- grade=
- comments= (optional)
Result:
…/staff.php?action=changegrades&changeaction=modrec&rec=3&studentid=1&grade=5&comments=TOPKEK
So we just custom-tailor our URL request for each grade we want to change, and we are done…
Conclusions
This time around we had some combination of cookie forgery, login credential stealing, and URL forgery.
This challenge aimed at being a small pain in the bumhole with all these small obstacles, but in the end not many tools and not much knowledge were necessary to get past them.
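Why each obstacle fell, seen from the server side: the sketch below is an added example (not the challenge site's code) that puts an endpoint trusting the User-Agent, the admin cookie and a hidden button next to one that decides everything from server-side state. The names `SESSIONS`, `session_id`, the cookie name `admin` and the 1 to 5 grade scale are assumptions.

```python
# Added example: simplified model of the grade-change endpoint, not the site's code.
from dataclasses import dataclass

# Constructed server-side session store; real session ids are random and opaque.
SESSIONS = {"s-teacher": {"user": "smiller", "role": "teacher"},
            "s-admin": {"user": "principal", "role": "admin"}}

@dataclass
class Request:
    method: str
    cookies: dict
    headers: dict
    params: dict

def change_grade_weak(req, grades):
    """Every check depends on data the client controls, as in the write-up."""
    if req.headers.get("User-Agent") != "holy_browser":
        return 403
    if req.cookies.get("admin") != "1":  # assumed cookie name; client can set it
        return 403
    # Closed rating period is only "enforced" by commenting out the button.
    grades[(req.params["studentid"], req.params["rec"])] = req.params["grade"]
    return 200

def change_grade_hardened(req, grades, period_open):
    """Authorization and business rules come from server-side state only."""
    if req.method != "POST":  # no state changes through a GET URL
        return 405
    session = SESSIONS.get(req.cookies.get("session_id"))
    if session is None:
        return 401
    if session["role"] != "admin":  # role looked up server-side, not from a cookie
        return 403
    if not period_open:  # rating period checked on every request
        return 403
    try:
        key = (req.params["studentid"], req.params["rec"])
        grade = int(req.params["grade"])
    except (KeyError, ValueError):
        return 400
    if not 1 <= grade <= 5:  # assumed grade scale
        return 400
    grades[key] = grade
    return 200

def forged_request(method="GET", cookies=None):
    """The request shape from the write-up: spoofed User-Agent, admin=1 cookie."""
    params = {"action": "changegrades", "changeaction": "modrec", "rec": "3",
              "studentid": "1", "grade": "5", "comments": "TOPKEK"}
    return Request(method, cookies or {"admin": "1"},
                   {"User-Agent": "holy_browser"}, params)
```

In the hardened handler the `admin=1` cookie and the User-Agent string are simply never consulted, so changing them has no effect on the outcome.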
The next article of the series can be found here once it’s up!!
past challenges
- challenge R1
- challenge R2
- challenge R3
- challenge R4
- challenge R5
- challenge R6
- challenge R7
- challenge R8
- challenge R9
Stay tuned