I stated my reasoning behind this article series in the first article which can be found here.
To avoid redundancy please check out the preface over there and let's get right into action!
note: If I write nonsense in this or the following articles, please correct me, for the sake of me and others not getting confused and mixing things up.
Author Assigned Level: Wannabe
Community Assigned Level:
Since we're starting at the beginning, not much knowledge is required at the moment.
- knowledge about html
- knowledge about web page structure
- SQL injection
These write ups are only my 2 cents on the challenges. So don't take them too seriously.
HTS.org realistic challenges
Hey man, you gotta help me out, Gary Hunter, one of the richest men in America, has just deposited $10,000,000 into his bank account at the United Banks Of America and plans to donate that money to a campaign to hunt down and lock up all hackers. Now I've tried hacking their site but I'm just not good enough. That's why I need your help, Here's a list of your objectives:
1. Find the account of Gary Hunter (I don't know his account name).
2. Move the $10,000,000 into the account dropCash.
3. Clear The Logs, They're held in the folder 'logFiles'.
I really hope you can do this, because if you can't we're all screwed
What can we extract from the message?
Well, this time the message already formats the objectives nicely, so for the sake of completeness:
- Find the account of Gary Hunter (I don't know his account name).
- Move the $10,000,000 into the account dropCash.
- Clear The Logs, They're held in the folder 'logFiles'.
Another simple interface with a few functions implemented.
Also some pictures..
When looking at the source we can easily identify important .php scripts like
the login.php and the register.php as well as what they expect in terms
Okay, first let's try registering a new account to find out more about the internals.
Look at this: we got access and can directly see the other functions we have to use:
- transfer money -> movemoney.php
- delete logs -> cleardir.php
Anyway, the 'hack' here involves cookie forgery.
We can look at our cookies in the developer tools of our browser..
Let's try this in our browser:
And voilà.. The site trusts whatever is stored in that cookie, so it is vulnerable to this..
Okay let's look for the account in question here. Let's use the search:
Just searching for Gary Hunter didn't reveal any users, so let's try to dump the whole userbase.
Time for some SQL injection in the search field:
' or '1=1'
And voilà again.. We find GaryWilliamHunter here as a user. So what now?
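To make clear why the search field gives up the whole user table, here is an added example (not code from the challenge site or from this write-up) of the same search implemented twice against a constructed in-memory SQLite table: once by pasting the search term into the SQL text, once with a bound parameter. The payload used is the balanced form `' or '1'='1` of the tautology shown above, so that the concatenated query parses; the table contents and column names are assumptions made up for the demo. A parameterized substring search is also included, because it finds GaryWilliamHunter from the fragment "Gary" without any injection at all.

```python
import sqlite3

# Constructed sample data standing in for the bank's user table (assumption,
# not the challenge's real records).
SAMPLE_USERS = [
    ("alice", 120.0),
    ("GaryWilliamHunter", 10_000_000.0),
    ("dropCash", 0.0),
]

# Balanced form of the tautology from the write-up's search field.
INJECTION = "' or '1'='1"


def make_db():
    """Create an in-memory database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, balance REAL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def search_vulnerable(conn, term):
    """Exact-match search built by string concatenation.

    The search term becomes part of the SQL text, so a term containing
    quotes and an OR rewrites the WHERE clause and matches every row.
    """
    sql = "SELECT username FROM users WHERE username = '" + term + "'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, term):
    """Exact-match search with a bound parameter.

    The term is passed to the driver as data and never parsed as SQL,
    so the same payload is simply looked up as a literal username.
    """
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (term,))]


def search_safe_substring(conn, term):
    """Substring search that is still parameterized.

    The wildcards live in the SQL text; the user-supplied fragment is bound.
    This is how a search for 'Gary' legitimately turns up GaryWilliamHunter.
    """
    sql = "SELECT username FROM users WHERE username LIKE '%' || ? || '%'"
    return [row[0] for row in conn.execute(sql, (term,))]
```

Running `search_vulnerable(conn, INJECTION)` returns all three sample users, while `search_safe` and `search_safe_substring` return an empty list for the same input; only the parameterized substring search returns GaryWilliamHunter for the fragment "Gary".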
But hey! Remember the cookie thing?
Let's edit our own cookie with the credentials of our bro Gary.
Now let's try to move cash with our forged cookie..
Works like a charm.
Time to delete the logfiles for part 2 of the task!
Log in again and check the "Clear Files in Personal Folder" code.
We can see that the value here is not logFiles but our username+SQLFiles..
This is not what we want.. let's change this value to logFiles:
And done! Just hit 'Clear Files in Personal Folder' and the challenge is solved..
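Both tricks used above, editing the cookie to become Gary and editing the hidden folder value to logFiles, work because the server believes values the client can change. The following added example (my own code, not the challenge's PHP and not part of the original write-up) shows the two server-side fixes in Python: a session cookie carrying an HMAC-SHA256 signature, so an edited username no longer verifies, and money-transfer and clear-folder handlers that take the acting user from the verified cookie instead of from the request. The key, the cookie layout, the balances dictionary and the handler names are all assumptions made for the demo; the username+SQLFiles folder naming is taken from the write-up.

```python
import base64
import binascii
import hashlib
import hmac

# Constructed demo key (assumption). In a real deployment it comes from server
# configuration and is never sent to the client, so the client cannot sign.
SECRET_KEY = b"constructed-demo-key-replace-in-production"


def sign_cookie(username: str) -> str:
    """Build a session cookie of the form <b64 username>.<b64 HMAC-SHA256>."""
    payload = username.encode("utf-8")
    sig = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode("ascii") + "."
            + base64.urlsafe_b64encode(sig).decode("ascii"))


def verify_cookie(cookie: str):
    """Return the username if the signature checks out, otherwise None.

    A cookie whose username half was edited in the browser fails here,
    because the signature half cannot be recomputed without SECRET_KEY.
    """
    try:
        b64_payload, b64_sig = cookie.split(".", 1)
        payload = base64.urlsafe_b64decode(b64_payload)
        sig = base64.urlsafe_b64decode(b64_sig)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    # constant-time comparison: a plain == would leak how many bytes matched
    if not hmac.compare_digest(sig, expected):
        return None
    return payload.decode("utf-8", errors="replace")


def move_money(cookie: str, from_account: str, to_account: str,
               amount: float, balances: dict) -> dict:
    """Transfer handler (stand-in for movemoney.php): the source account
    must be the user proven by the cookie, not whatever the form says."""
    user = verify_cookie(cookie)
    if user is None:
        raise PermissionError("invalid or tampered session cookie")
    if from_account != user:
        raise PermissionError("may only transfer out of your own account")
    if amount <= 0 or balances.get(from_account, 0.0) < amount:
        raise ValueError("insufficient funds or bad amount")
    if to_account not in balances:
        raise ValueError("unknown destination account")
    new_balances = dict(balances)
    new_balances[from_account] -= amount
    new_balances[to_account] += amount
    return new_balances


def authorized_folder(cookie: str, requested_folder: str):
    """Clear-folder handler (stand-in for cleardir.php): the folder is
    derived from the verified identity on the server.

    The client's value is accepted only when it equals that derived folder,
    so changing the form field to 'logFiles' is refused with None.
    """
    user = verify_cookie(cookie)
    if user is None:
        return None
    own_folder = user + "SQLFiles"  # naming scheme from the write-up
    return own_folder if requested_folder == own_folder else None
```

The two checks are independent: even with a valid cookie for one's own account, `move_money` refuses a transfer out of someone else's account and `authorized_folder` refuses any folder other than the caller's own, which is the behaviour the challenge site lacks.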
Another small, fun challenge for testing out some methods.
We already learned these briefly in the past challenges.
This time we had to combine some of them to solve the challenge. Still not a problem.
The next article of the series can be found here once it's up!!