HTS.org R8 challenge


Preface

As always:
I stated my reasoning behind this article series in the first article, which can be found here.
To avoid redundancy please check out the preface over there and let’s get right into action!

Note: If I write nonsense in this and the following articles please correct me, for the sake of me and others not getting confused and mixing things up :slight_smile: .

Author Assigned Level: Wannabe


Required Skills

Since we’re starting at the beginning not much knowledge is required at the moment.

  • knowledge about html
  • knowledge about web page structure
  • cookies
  • SQL injection
  • javascript injection

Disclaimer

These write-ups are only my 2 cents on the challenges. So don’t take them too seriously. :wink:


HTS.org realistic challenges

Realistic challenge 8

Message:

Hey man, you gotta help me out, Gary Hunter, one of the richest men in America, has just deposited $10,000,000 into his bank account at the United Banks Of America and plans to donate that money to a campaign to hunt down and lock up all hackers. Now I’ve tried hacking their site but I’m just not good enough. That’s why I need your help, Here’s a list of your objectives:

  1. Find the account of Gary Hunter (I don’t know his account name).
  2. Move the $10,000,000 into the account dropCash.
  3. Clear The Logs, They’re held in the folder ‘logFiles’.

I really hope you can do this, because if you can’t we’re all screwed.

What can we extract from the message?

Well, this time the message already lists the objectives nicely, so for the sake of completeness:

  • Find the account of Gary Hunter (I don’t know his account name).
  • Move the $10,000,000 into the account dropCash.
  • Clear The Logs, They’re held in the folder ‘logFiles’.

The site:

Another simple interface with a few functions implemented.
Also some pictures…

The source

When looking at the source we can easily identify important .php scripts like
the login.php and the register.php as well as what they expect in terms
of input…

The ‘hack’

Okay, first let’s try registering a new account to find out more about the internals.

Look at this: we got access and can directly see the other functions we have to use:

  • transfer money -> movemoney.php
  • delete logs -> cleardir.php

Anyway, the ‘hack’ here involves cookie forgery.
We can look at our cookies in the developer tools of our browser…

Okay let’s check if we can get this cookie as an output through javascript injection.
Let’s try this in our browser:

javascript:alert(document.cookie);

And voilà… The site is vulnerable to this…

Okay, let’s look for the account in question. Let’s use the search:
Just searching for Gary Hunter didn’t reveal any users, so let’s try to dump the whole user base.
Time for some SQL injection in the search field:

' or '1=1' 

And voilà again… We can find GaryWilliamHunter here as a user. So what now?
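Why the search hands back the whole user base: the snippet below is an added example written for this write-up, not the challenge’s own PHP, and it only illustrates the mechanism. It assumes the search concatenates the term straight into a `WHERE username = '...'` query (the real query shape is not on the page; a `LIKE` search fails the same way), and the user table is constructed sample data. The injected term uses the closing-quote-plus-OR idea from above in the form a strict SQL parser accepts. The second function is the same search with the term bound as a parameter, which is the fix.

```python
import sqlite3

# Constructed sample user table; stand-in data, not the challenge's database.
SAMPLE_USERS = [
    ("alice", "alice@example.invalid"),
    ("GaryWilliamHunter", "gary@example.invalid"),
    ("bob", "bob@example.invalid"),
]


def build_db() -> sqlite3.Connection:
    """In-memory database seeded with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    """Search built by string concatenation (assumed shape of the challenge's search).

    With term = ' OR '1'='1 the SQL text becomes
        SELECT username FROM users WHERE username = '' OR '1'='1'
    The quote in the input closes the string early, the rest is parsed as SQL,
    and '1'='1' is always true, so every row comes back.
    """
    sql = "SELECT username FROM users WHERE username = '" + term + "'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn: sqlite3.Connection, term: str) -> list:
    """Same search with the term bound as a parameter.

    The driver passes the term as a value, so quotes inside it never reach the
    SQL parser; ' OR '1'='1 is just a string that no username equals.
    """
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (term,))]


if __name__ == "__main__":
    db = build_db()
    print("plain search:", search_vulnerable(db, "Gary Hunter"))
    print("injected search:", search_vulnerable(db, "' OR '1'='1"))
    print("parameterised, same input:", search_safe(db, "' OR '1'='1"))
```

Searching for "Gary Hunter" returns nothing in both versions, just as the search on the site did; only the concatenated version turns the injected term into a tautology. The defender's check is simple: any query text that is assembled with `+`, `.` or `sprintf` from request data is the bug, whatever input filtering sits in front of it.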

But hey! Remember the cookie thing?
Let’s edit our own cookie with the credentials of our bro Gary.
Now let’s try to move cash with our forged cookie…

Works like a charm :open_mouth:

Time to delete the log files for part 2 of the task!
Log in again and check the “Clear Files in Personal Folder” code.

We can see that the value here is not logfiles but our username+SQLFiles…
This is not what we want… let’s change this value to logfiles:

And done! Just hit ‘Clear Files in Personal Folder’ and the challenge is solved…
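Both the cookie edit and the hidden-field edit above work because the server believes two things the browser sends: the username in the cookie and the FROM / dir values in the form. The handlers below are an added example, not the challenge’s code, showing the shape that stops both: the cookie carries a keyed MAC so an edited username is rejected, and the account to debit and the folder to clear are derived from the verified session user rather than read from the form. The cookie format, the secret, the balances and the function names are assumptions; the `username+SQLFiles` folder name is the value the page shows in the real form.

```python
import hashlib
import hmac

# Constructed stand-ins: the secret and balances are example values, not the challenge's.
SERVER_SECRET = b"example-only-server-secret"
BALANCES = {"GaryWilliamHunter": 10_000_000, "dropCash": 0, "newbie": 50}


def _tag(username: str) -> str:
    return hmac.new(SERVER_SECRET, username.encode(), hashlib.sha256).hexdigest()


def make_session_cookie(username: str) -> str:
    """Cookie issued at login: the username plus a keyed MAC over it."""
    return f"{username}.{_tag(username)}"


def verify_session_cookie(cookie: str):
    """Return the username only if its MAC checks out; otherwise None.

    A cookie edited in the browser to read GaryWilliamHunter carries no valid
    tag (the secret never leaves the server), so the edit is detected here.
    """
    username, sep, tag = cookie.rpartition(".")
    if not sep or not username:
        return None
    if not hmac.compare_digest(_tag(username), tag):
        return None
    return username


def move_money(cookie: str, form: dict, balances: dict) -> str:
    """Handler for the movemoney.php-style request; returns a status string."""
    user = verify_session_cookie(cookie)
    if user is None:
        return "not logged in"
    # Authorisation: the debited account is the verified session user.  The
    # FROM field only has to agree with it; it is never trusted on its own.
    if form.get("FROM") != user:
        return "forbidden"
    dest = form.get("TO")
    try:
        amount = int(form.get("AMOUNT", ""))
    except ValueError:
        return "bad amount"
    if amount <= 0 or dest not in balances or dest == user or balances[user] < amount:
        return "rejected"
    balances[user] -= amount
    balances[dest] += amount
    return "ok"


def clear_dir(cookie: str, form: dict):
    """Handler for the cleardir.php-style request.

    Returns the directory that may be cleared, or None when refused.  The
    directory is derived from the session user (username + "SQLFiles", the
    value the page shows in the real form); the hidden 'dir' field is compared
    against it, so swapping it for logFiles is refused instead of obeyed.
    """
    user = verify_session_cookie(cookie)
    if user is None:
        return None
    own_dir = user + "SQLFiles"
    if form.get("dir") != own_dir:
        return None
    return own_dir


if __name__ == "__main__":
    cookie = make_session_cookie("newbie")
    print("own cookie ->", verify_session_cookie(cookie))
    print("plaintext cookie edited to Gary ->", verify_session_cookie("GaryWilliamHunter"))
    ledger = dict(BALANCES)
    form = {"FROM": "GaryWilliamHunter", "TO": "dropCash", "AMOUNT": "10000000"}
    print("transfer from Gary with our own session ->", move_money(cookie, form, ledger))
    print("clear logFiles with our own session ->", clear_dir(cookie, {"dir": "logFiles"}))
```

The point is less the MAC than where the identity comes from: once every handler takes the user from a verified session and treats hidden form fields as nothing more than a cross-check, neither the cookie edit nor the `document.write` forms later in this post change what the server does.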

Bonus time

Solving these tasks with JavaScript:

Stage 1

javascript:void(document.write('<form name=the_form action=movemoney.php method=post><input type=hidden name=FROM value=GaryWilliamHunter><input type=hidden name=TO value=dropCash><input type=hidden name=AMOUNT value=10000000> <input type=submit value="move money" ></form>'))

Stage 2

javascript:void(document.write('<form action=cleardir.php method=post><input type=hidden name=dir value=LogFiles><input type=submit value="clear files"></form>'))

Further reading on javascript:void

Conclusions

Another small, fun challenge for testing out some methods.
We already learned these briefly in the past challenges.
This time we had to combine some of them to solve the challenge. Still not a problem.
The next article of the series can be found here once it’s up!!

Stay tuned :wink: