HTS.org R5 challenge

Preface

I stated my reasoning behind this article series in the first article which can be found here.
To avoid redundancy please check out the preface over there and let’s get right into action!

Note: If I write nonsense in this and the following articles, please correct me for the sake of me and others not getting confused and mixed up with things :slight_smile: .

Author Assigned Level: Newbie

Required Skills

Since we’re starting at the beginning not much knowledge is required at the moment.

  • basic HTML
  • basic knowledge about hashing

Disclaimer

These write-ups are only my 2 cents on the challenges. So don’t take them too seriously. :wink:


HTS.org realistic challenges

Realistic challenge 5

Message:

Yo! This is Spiffomatic64 from HTS.org! I’m a bit of a hacker myself as you can see, but I recently came upon a problem I couldn’t resolve…
Lately I’ve been getting calls day and night from the telemarketing place. I’ve gone to their website and hacked it once deleting all of their phone numbers so they wouldn’t call me anymore. That was a temporary fix but they put their database back up, this time with an encrypted password. When I hacked them I noticed everything they used was 10 years out of date and the new password seems to be a ‘message digest’. I have done some research and I think it could be something like a so-called hash value. I think you could somehow reverse engineer it or brute force it. I also think it would be a good idea to look around the server for anything that may help you.

What can we extract from the message?

  • Need to hack into an admin page (again DUH)
  • we are dealing with password hashes not clear text passwords
  • super old technologies used :wink:

The site:

The site is a little more “complex” in terms of buttons to click and sub pages.

When clicking on ‘Database’ we are greeted with a login screen, where just a password is needed:

The source

Let’s take a look at the source code of the main menu page where we landed first.

<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 4.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>New Page 1</title>
<base target="main">
</head>

<body bgcolor="#000000" text="#FFFFFF">

<p><a href="main.htm" target="main"><img border="0" src="home.gif" width="150" height="20"></a></p>
<p><a href="news.htm" target="main"><img border="0" src="news.gif" width="150" height="20"></a></p>
<p><a href="submit.html" target="_top"><img border="0" src="data.gif" width="150" height="20"></a></p>
<p><a href="contact.htm" target="main"><img border="0" src="contact.gif" width="150" height="20"></a></p>

</body>

</html>

Nothing too interesting… so let’s check out submit.html, which corresponds to the ‘Database’ sub page.

<html>

<head>

<title>Log in</title>
</head>

<body bgcolor="#000000" text="#FFFFFF">
<center><br /><br />
Enter Password:
<form action="secret/admin.php">
<p><input type="password" name="password" size="20"><input type="submit" value="submit" name="submit"></p>
</form>
</center>
</body>

</html>

Oh boi, a super /secret subdirectory! Sounds like Christmas. Let’s go there right away, ignoring everything else!

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /missions/realistic/5/secret</title>
 </head>
 <body>
<h1>Index of /missions/realistic/5/secret</h1>
<ul><li><a href="/missions/realistic/5/"> Parent Directory</a></li>
<li><a href="admin.bak.php"> admin.bak.php</a></li>
<li><a href="admin.php"> admin.php</a></li>
</ul>
</body></html>

So what do we have here?
We have the normal admin.php script which handles the login form and will validate the entered password.
But what’s up with the admin.bak.php?
Let’s take a look!

The ‘hack’

error matching hash b0dcda1d2a014b072c5e690b54ec3b27

Yay we found a flag! CTF complete!? Just kidding…
We found a 32 bit hash value.
Now we could search the net for every hash algorithm which produces a 32 bit hash value and spend an eternity on this OR we use something like hashID which does exactly that for us in a breeze…

So hashID gives us the hashing algorithms that are likely to match our hash value, with the most likely at the top.
So we have our hash and some possible hash algorithms. Let’s try to crack it with JohnTheRipper.
Let’s try MD2 first:

root@kali:~/Downloads# john --format=MD2 hash.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (MD2 [MD2 32/64])
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:04:26  3/3 0g/s 190609p/s 190609c/s 190609C/s hkmce1
Session aborted

Next on our list is MD5

root@kali:~/Downloads# john --format=RAW-MD5 hash.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-MD5 [MD5 128/128 AVX 4x3])
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:10:47  3/3 0g/s 29486Kp/s 29486Kc/s 29486KC/s peleekng7..peleest95
Session aborted

I aborted these sessions because it took too long for such a password. So it seems unlikely. Next will be MD4.
Just for fun I tried using the fork flag to use 4 CPU cores. Not needed for easy passwords tho.

root@kali:~/Downloads# john --format=RAW-MD4 --fork=4 hash.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-MD4 [MD4 128/128 AVX 4x3])
Node numbers 1-4 of 4 (fork)
Press 'q' or Ctrl-C to abort, almost any other key for status
086f9            (?)
4 1g 0:00:00:02 DONE 3/3 (2017-05-05 10:04) 0.4255g/s 13166Kp/s 13166Kc/s 13166KC/s 086c5..0832R

Ok John found something. Let’s see:

root@kali:~/Downloads# john --format=RAW-MD4 --show hash.txt 
?:086f9

1 password hash cracked, 0 left

We found our password! It’s 086f9. We just don’t know the username hence the ?, but we don’t even need a user.
So we can log in and are done with the challenge here. :frowning:

Conclusions

This little challenge tried to make us play around with hash values. So for someone who doesn’t have a clue about hashing: take a look!
And of course as always we had to do some html inspection with directory traversal.

The next article of the series can be found here once it’s up!!

Stay tuned :wink:

5 Likes
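
A defender-side check for the two conditions the write-up above ran into: a directory with no index file (which a server with auto-indexing turned on will list) and a backup copy left under the web root. This is an added example, not code from the original post or from HTS; the file-name patterns, index names and sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Assumed naming patterns for leftover copies (illustrative, not exhaustive).
BACKUP_RE = re.compile(r"(\.(bak|old|orig|save|swp)(\.\w+)?|~)$", re.IGNORECASE)
# Assumed index file names; align them with the server's own index setting.
INDEX_NAMES = {"index.html", "index.htm", "index.php"}


def audit_webroot(root):
    """Return (dirs_without_index, backup_files) as sorted URL-style relative paths."""
    no_index, backups = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
        # A directory with no index file is listed when auto-indexing is enabled.
        if not ({f.lower() for f in filenames} & INDEX_NAMES):
            no_index.append(rel)
        for name in filenames:
            # e.g. admin.bak.php: a copy of a script that is still served.
            if BACKUP_RE.search(name):
                backups.append(name if rel == "." else rel + "/" + name)
    return sorted(no_index), sorted(backups)


def build_sample_tree(root):
    """Constructed layout loosely mirroring the pages seen in the write-up."""
    os.makedirs(os.path.join(root, "secret"))
    for rel in ("index.html", "submit.html",
                "secret/admin.php", "secret/admin.bak.php"):
        with open(os.path.join(root, *rel.split("/")), "w") as fh:
            fh.write("placeholder\n")


def demo():
    """Build the constructed tree in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return audit_webroot(root)


if __name__ == "__main__":
    no_index, backups = demo()
    print("directories without an index file:", no_index)
    print("backup-style files under the web root:", backups)
```

Anything the audit reports belongs outside the document root or behind a deny rule, and auto-indexing should be off for directories that hold scripts.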

Just a heads up, but HTS gave me another hash for this challenge! Seems that they randomly generate it for every user.

As they put it in the level description, I think that can be understood as a hint :slight_smile:

But hey, nice writeup! Keep it up

1 Like

Yes, they sometimes generate different passwords or solutions depending on e.g. what browser you’re using :slight_smile: