I stated my reasoning behind this article series in the first article which can be found here.
To avoid redundancy please check out the preface over there and let’s get right into action!
note: If I write non sense in this and the next following articles please correct me for the sake of me and others not getting confused and mixed up with things .
Author Assigned Level: Newbie
Community Assigned Level:
Since we’re starting at the beginning not much knowledge is required at the moment.
- basic HTML
- basic SQL injection
- basic understanding of ‘hacking’
These write ups are only my 2 cents on the challenges. So don’t take them too seriously.
HTS.org realistic challenges
Realistic challenge 2
Message: I have been informed that you have quite admirable hacking skills. Well, this racist hate group is using their website to organize a mass gathering of ignorant racist bastards. We cannot allow such bigoted aggression to happen. If you can gain access to their administrator page and post messages to their main page, we would be eternally grateful.
What can extract from the message?
There seems to be a hidden administrator page? So let’s find it
NOTE: The site displays nazi symbols and texts, so be careful
The source code of the site is not worth pasting here. Just a bunch of formatting, headers, pictures etc.
Except one line!
note: Due to the formatting pasting the code correctly here won’t display it. As a workaround a screenshot is used instead!
If we follow this update.php we get to a page looking like this:
####So what could we do now?
Well the first thing that might come to mind is brute forcing our way in and try all the standard passwords combinations we can think of ( admin/admin, admin/password, …).
This seems too much work so we can try the following:
username AND password are the following: ’ or ‘1’='1
So why the heck is it like this???
The answer is easy when logging in here your username and password will be matched against a database and the “partially more complete” expression which gets evaluated looks like this:
something something... name='OURCODEHERENOW' and password='OURCODEHERENOW'
So if we add our login credentials there it’ll look like:
something something... name='' or '1'='1' and password='' or '1'='1'
####So what did we do?
We told the update.php script to evaluate this expression, which says username is empty or TRUE and the password is empty or TRUE, which always results in TRUE because of boolean logic.
This little ‘real challenge’ deals with 2 problems.
First you have to find some kind of login interface and secondly when you found it you have to think how to crack the username and password, but in reality and quick check for SQL injection makes our life way easier
That’s all for this challenge.
This little exploitation can always come in handy if parsing of the inputs is not handled properly
The next article of the series can be found here once it’s up!!