I stated my reasoning behind this article series in the first article which can be found here.
To avoid redundancy please check out the preface over there and let's get right into action!
Note: if I write nonsense in this or the following articles, please correct me, so that neither I nor anyone else gets confused and mixes things up.
Author Assigned Level: Wannabe
Community Assigned Level:
Since we're starting at the beginning, not much knowledge is required at the moment:
- basic HTML
- PHP argument parsing
- some knowledge about directory traversal
These write-ups are only my 2 cents on the challenges, so don't take them too seriously.
HTS.org realistic challenges
Message: I run this website where people can read and submit peace-related poetry. I am doing this out of good will towards others, and I don't see why I would be making enemies out of this, but some real asshole hacked my website posting a bunch of ignorant aggressive propaganda on the front page. And I made that website a while ago, and I no longer have access to it. Do you think you can hack in and change it back? Please? Oh, and bonus points if you message me the name of the bastard who did this!
My website can be found here.
What can we extract from the message?
- there is a read and submit mechanism for poems
- someone hacked the site and changed the front page
- the admin has no access to it anymore
OK, this site definitely got h4xx0r3d massively... or did it?
Let's take a look at the source code again. This helped us plenty the last two times!
OK, what the heck is this?? Super weird HTML formatting: everything is written on line 1, which makes it difficult to read. Might this come in handy?? Not sure yet...
Even reading the page source to the end didn't reveal anything interesting. Just a bunch of text and picture formatting... So what now?
Be careful and always look out for the small things
What am I saying here?
Let's look at the page code once more but this time more carefully.
The source code is formatted in such a way to distract you!
It's a hassle to read and to follow where a tag 'opens' and 'closes', but more importantly we missed the fact that we can scroll down!
And all the way at the bottom we can find this:
<!--Note to the webmaster
This website has been hacked, but not totally destroyed. The old website is still up. I simply copied the old index.html file to oldindex.html and remade this one. Sorry about the inconvenience.-->
Let's jump right to oldindex.html.
the main page:
OK, this one doesn't look promising at all...
Just a page where you can click on some poems and read them.
No hidden running scripts or anything.
Our only clue is the URL, which ends in:
readpoem.php?name=Images of an Impending War
So the poems are stored on the server, and the page looks them up by name.
But we can find this too: the submit poem form, which is handled through:
<form action="submitpoems2.php" method="post">Name of poem:<br />
Another .php script...
Can we somehow exploit this??
Let's think about this. We have a name field, a text field for the poem, and the script uses the POST method.
We need to do some research on what might happen here:
- POST creates an array (e.g. array( key => value, key2 => value2, key3 => value3, ...)). This array holds key/value pairs, where the keys are the names of the form controls and the values are the input data from the user.
- The POST data is exposed as $_POST. This is a superglobal, which means that it is always accessible, regardless of scope: you can access it from any function, class or file without having to do anything special.
- $_POST is an array of variables passed to the current script via the HTTP POST method.
- An HTTP POST request submits data to be processed to a specified resource.
OK, enough for now, but if you still feel unfamiliar with GET and POST requests, read up on them here.
So what can we do?
We use the submit form to restore the original index.html!
So we copy the HTML code of oldindex.html and paste it as our poem.
For the title we basically choose the place where we want the poem to be saved,
because the URL above showed us that poems are saved on the server under the name we give them.
-> So this should be index.html!
BUT since the PHP submit script lives in a different directory than the index.html file, we need to traverse the path one level up.
So we choose ../index.html as our name!
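To make clear what actually goes wrong server-side, here is an added sketch of the kind of handler this write-up infers behind submitpoems2.php, placed beside a hardened version. This is example code written for this article, not the challenge's real script: the field names (name, poem), the storage directory and the function names are assumptions. The vulnerable version trusts the submitted name as a filename; the safe version allow-lists the name and checks that the resolved path stays inside the poems directory, which is exactly what stops a name like ../index.html.

```php
<?php
// Added example, not the challenge's own code. Field names, the poems/
// directory and the function names are assumptions for illustration.

// VULNERABLE (assumed shape of the original handler): the filename is built
// straight from the request, so a name such as "../index.html" walks out of
// the poems directory and overwrites whatever file the web server can write.
function save_poem_vulnerable(string $name, string $poem): string
{
    $path = __DIR__ . '/poems/' . $name;
    file_put_contents($path, $poem);
    return $path;
}

// HARDENED: only accept a plain filename made of an allow-listed character
// set (no dots, no slashes, no NUL bytes), then verify the final path still
// lies inside the poems directory before writing.
function save_poem_safe(string $name, string $poem): ?string
{
    $poemsDir = realpath(__DIR__ . '/poems');
    if ($poemsDir === false) {
        return null; // storage directory missing: refuse rather than guess
    }
    // Letters, digits, spaces, hyphens and underscores only, 1..64 characters.
    if (!preg_match('/^[A-Za-z0-9 _-]{1,64}$/', $name)) {
        return null;
    }
    $target = $poemsDir . DIRECTORY_SEPARATOR . $name;
    // Defence in depth: the target must start with the poems directory prefix.
    if (strpos($target, $poemsDir . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    // Never overwrite an existing poem (or anything else) silently.
    if (file_exists($target)) {
        return null;
    }
    file_put_contents($target, $poem, LOCK_EX);
    return $target;
}

$name = $_POST['name'] ?? '';
$poem = $_POST['poem'] ?? '';
$saved = save_poem_safe($name, $poem);
if ($saved === null) {
    http_response_code(400);
    echo 'Invalid poem name.';
} else {
    echo 'Poem saved.';
}
```

Two things worth noting from the defender's side: the allow-list regex is the real control, and the realpath prefix check is a second line in case the allow-list is later loosened; and because readpoem.php apparently renders stored poems as raw HTML, a complete fix would also escape the poem body on output, which this example does not attempt.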
So this time we had to combine three different areas to solve this little riddle:
some HTML knowledge, some PHP knowledge and a little bit of directory traversal.
Even if you're not an active HTML or PHP developer, it's necessary to know how things are and can be handled and interpreted.
As a hacker you need a nicely filled toolbelt.
The next article of the series can be found here once it's up!!