I stated my reasoning behind this article series in the first article which can be found here.
To avoid redundancy please check out the preface over there and let’s get right into action!
Note: If I write nonsense in this or the following articles, please correct me, for the sake of me and others not getting confused and mixed up with things.
Author Assigned Level: Newbie
Community Assigned Level:
Since we’re starting at the beginning, not much knowledge is required at the moment.
- basic HTML
- basic knowledge about hashing
These write-ups are only my 2 cents on the challenges. So don’t take them too seriously.
HTS.org realistic challenges
Yo! This is Spiffomatic64 from HTS.org! I’m a bit of a hacker myself as you can see, but I recently came upon a problem I couldn’t resolve…
Lately I’ve been getting calls day and night from the telemarketing place. I’ve gone to their website and hacked it once deleting all of their phone numbers so they wouldn’t call me anymore. That was a temporary fix but they put their database back up, this time with an encrypted password. When I hacked them I noticed everything they used was 10 years out of date and the new password seems to be a ‘message digest’. I have done some research and I think it could be something like a so-called hash value. I think you could somehow reverse engineer it or brute force it. I also think it would be a good idea to look around the server for anything that may help you.
What can we extract from the message?
- Need to hack into an admin page (again, DUH)
- we are dealing with password hashes, not clear-text passwords
- super old technologies are used
The site is a little more “complex” in terms of buttons to click and sub pages.
When clicking on ‘Database’ we are greeted with a login screen, where just a password is needed:
Let’s take a look at the source code of the main menu page where we landed first.
    <html>
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
    <meta name="GENERATOR" content="Microsoft FrontPage 4.0">
    <meta name="ProgId" content="FrontPage.Editor.Document">
    <title>New Page 1</title>
    <base target="main">
    </head>
    <body bgcolor="#000000" text="#FFFFFF">
    <p><a href="main.htm" target="main"><img border="0" src="home.gif" width="150" height="20"></a></p>
    <p><a href="news.htm" target="main"><img border="0" src="news.gif" width="150" height="20"></a></p>
    <p><a href="submit.html" target="_top"><img border="0" src="data.gif" width="150" height="20"></a></p>
    <p><a href="contact.htm" target="main"><img border="0" src="contact.gif" width="150" height="20"></a></p>
    </body>
    </html>
Nothing too interesting… so let’s check out submit.html, which corresponds to the ‘Database’ sub page.
    <html>
    <head>
    <title>Log in</title>
    </head>
    <body bgcolor="#000000" text="#FFFFFF">
    <center><br /><br />
    Enter Password:
    <form action="secret/admin.php">
    <p><input type="password" name="password" size="20"><input type="submit" value="submit" name="submit"></p>
    </form>
    </center>
    </body>
    </html>
Oh boi, a super /secret sub directory! Sounds like Christmas. Let’s go there right away, ignoring everything else!
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
    <html>
    <head>
    <title>Index of /missions/realistic/5/secret</title>
    </head>
    <body>
    <h1>Index of /missions/realistic/5/secret</h1>
    <ul><li><a href="/missions/realistic/5/"> Parent Directory</a></li>
    <li><a href="admin.bak.php"> admin.bak.php</a></li>
    <li><a href="admin.php"> admin.php</a></li>
    </ul>
    </body></html>
So what do we have here?
We have the normal admin.php script which handles the login form and will validate the entered password.
But what’s up with the admin.bak.php?
Let’s take a look!
error matching hash b0dcda1d2a014b072c5e690b54ec3b27
Yay we found a flag! CTF complete!? Just kidding…
We found a 32 bit hash value.
Now we could search the net for every hash algorithm that produces a 32 bit hash value and spend an eternity on it, OR we use something like hashID, which does exactly that for us in a breeze…
hashID outputs these hashing algorithms as likely candidates for our hash value, the most likely at the top.
So we have our hash and some possible hash algorithms. Let’s try to crack it with John the Ripper.
Let’s try MD2 first:
    ~/Downloads# john --format=MD2 hash.txt
    Using default input encoding: UTF-8
    Loaded 1 password hash (MD2 [MD2 32/64])
    Press 'q' or Ctrl-C to abort, almost any other key for status
    0g 0:00:04:26 3/3 0g/s 190609p/s 190609c/s 190609C/s hkmce1
    Session aborted
Next on our list is MD5:
    ~/Downloads# john --format=RAW-MD5 hash.txt
    Using default input encoding: UTF-8
    Loaded 1 password hash (Raw-MD5 [MD5 128/128 AVX 4x3])
    Press 'q' or Ctrl-C to abort, almost any other key for status
    0g 0:00:10:47 3/3 0g/s 29486Kp/s 29486Kc/s 29486KC/s peleekng7..peleest95
    Session aborted
I aborted these sessions because it took too long for such a password, so it seems unlikely. Next will be MD4.
Just for fun I tried using the fork flag to use 4 CPU cores. Not needed for easy passwords though.
    ~/Downloads# john --format=RAW-MD4 --fork=4 hash.txt
    Using default input encoding: UTF-8
    Loaded 1 password hash (Raw-MD4 [MD4 128/128 AVX 4x3])
    Node numbers 1-4 of 4 (fork)
    Press 'q' or Ctrl-C to abort, almost any other key for status
    086f9            (?)
    4 1g 0:00:00:02 DONE 3/3 (2017-05-05 10:04) 0.4255g/s 13166Kp/s 13166Kc/s 13166KC/s 086c5..0832R
Ok John found something. Let’s see:
    ~/Downloads# john --format=RAW-MD4 --show hash.txt
    ?:086f9
    1 password hash cracked, 0 left
We found our password! It’s 086f9. We just don’t know the username, hence the ?, but we don’t even need a user.
So we can log in and are done with the challenge here.
This little challenge tried to make us play around with hash values. So for someone who doesn’t have a clue about hashing: take a look!
And of course, as always, we had to do some HTML inspection and some directory browsing (the open /secret index listing).
The next article of the series can be found here once it’s up!!