HTS.org R2 challenge

Web Hacking
, ,
1

Preface

I stated my reasoning behind this article series in the first article which can be found here.
To avoid redundancy please check out the preface over there and let’s get right into action!

note: If I write non sense in this and the next following articles please correct me for the sake of me and others not getting confused and mixed up with things :slight_smile: .

Author Assigned Level: Newbie

Community Assigned Level:

  • Newbie
  • Wannabe
  • Hacker
  • Wizard
  • Guru
0 voters

Required Skills

Since we’re starting at the beginning not much knowledge is required at the moment.

  • basic HTML
  • basic SQL injection
  • basic understanding of ‘hacking’

Disclaimer

These write ups are only my 2 cents on the challenges. So don’t take them too seriously. :wink:

HTS.org realistic challenges

Realistic challenge 2

Message: I have been informed that you have quite admirable hacking skills. Well, this racist hate group is using their website to organize a mass gathering of ignorant racist bastards. We cannot allow such bigoted aggression to happen. If you can gain access to their administrator page and post messages to their main page, we would be eternally grateful.

What can extract from the message?

There seems to be a hidden administrator page? So let’s find it :wink:

The site:

NOTE: The site displays nazi symbols and texts, so be careful :smiley:

Selection_002.png840×623 75.2 KB

the source

The source code of the site is not worth pasting here. Just a bunch of formatting, headers, pictures etc.
Except one line!

note: Due to the formatting pasting the code correctly here won’t display it. As a workaround a screenshot is used instead!

If we follow this update.php we get to a page looking like this:

The ‘hack’

####So what could we do now?
Well the first thing that might come to mind is brute forcing our way in and try all the standard passwords combinations we can think of ( admin/admin, admin/password, …).
This seems too much work so we can try the following:

username AND password are the following: ’ or ‘1’='1
So why the heck is it like this???

The answer is easy when logging in here your username and password will be matched against a database and the “partially more complete” expression which gets evaluated looks like this:

something something... name='OURCODEHERENOW' and password='OURCODEHERENOW'

So if we add our login credentials there it’ll look like:

something something... name='' or '1'='1' and password='' or '1'='1'

####So what did we do?
We told the update.php script to evaluate this expression, which says username is empty or TRUE and the password is empty or TRUE, which always results in TRUE because of boolean logic.

Conclusions

This little ‘real challenge’ deals with 2 problems.

First you have to find some kind of login interface and secondly when you found it you have to think how to crack the username and password, but in reality and quick check for SQL injection makes our life way easier :slight_smile:

That’s all for this challenge.
This little exploitation can always come in handy if parsing of the inputs is not handled properly :smiley:

The next article of the series can be found here once it’s up!!

Stay tuned :wink:

6 Likes
2

Gotta say man. I love the concept of the storyline​ with these. One thing I would say as a suggestion, would be not to spoiler tag the method, since we’re probably going to read it anyway :smile:

2 Likes
3

haha thanks. I thought I put in a spoiler for the actual ‘hacking section’ so the viewer can think about the possible attacks/exploits on his/her own first before just mindlessly reading what I wrote.
But if this spoiler thing is a huge distraction as a viewer I will remove it!
Thanks for the feedback :slight_smile:

1 Like
4

I found it nice to have the spoiler tags because I now try the challenges on my own. If you remove them, maybe add a spoiler warning and some spaces :slight_smile:

3 Likes
5

@ricksanchez Expanding on this, if you provided a link to the challenge, or the code, then it would give us a place to try it out.

1 Like
6

I’ll add them right away. It’s a bit tricky tho. You can access the “level” without an accout it seems but for the page where the ‘message’ is given to you with the task itself you need to have an account… sigh
But since I’m providing the message here it shouldn’t be a problem.

EDIT: added links to all challenges which are acessible without an account. If you submit your passwords it’s likely that you’ll get an error.

1 Like
7

This topic was automatically closed after 30 days. New replies are no longer allowed.