Thursday 27 October 2011

Hack This Site (HTS) Realistic 1 - Uncle Arnold's Local Band Review

Your friend is being cheated out of hundreds of dollars. Help him make things even again!
Message: Hey man, I need a big favour from you. Remember that website I showed you once before? Uncle Arnold's Band Review Page? Well, a long time ago I made a $500 bet with a friend that my band would be at the top of the list by the end of the year. Well, as you already know, two of my band members have died in a horrendous car accident... but this ass hole still insists that the bet is on!
I know you're good with computers and stuff, so I was wondering, is there any way for you to hack this website and make my band on the top of the list? My band is Raging Inferno. Thanks a lot, man!



Notes
I didn't mention in the video (which perhaps I should have) some useful information:
  • The reason this attack works is that the value you altered and sent was not checked on the server side, e.g. there was no statement like this:
 if ($_POST['voteVal'] < 1 || $_POST['voteVal'] > 5) {
       handleError();
 }
  • Form values should be checked both client and server side. However, as you have just seen, only the server-side check is a security control: the client-side check runs in the attacker's browser and can be disabled, edited or bypassed entirely, so the server must never assume the value it receives is one the form offered. The client-side check is an efficiency measure, so that genuinely accidental bad input is caught before it costs an HTTP request and server resources. You will see how important this really is when we come to do SQL injection.
  • The other method I spoke of was to save the web page locally to your machine and then alter the form values within the HTML.
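As an added example (not code from the original post or from Hack This Site), here is the vote handler written both ways: one that trusts whatever voteVal arrives in the POST body, and one that re-validates it on the server. The function names, the dict standing in for the POST body and the in-memory vote store are assumptions made for this illustration; the sample votes are constructed.

```python
# Added example (not from the original post or Hack This Site): a vote handler
# that trusts the submitted value beside one that re-validates it on the server.
# The form's <select> only offers 1..5, but the attacker simply edits the POST
# body. Function names, the dict-based "POST" and the in-memory store are
# assumptions made for this illustration.
from typing import Dict, List


class BadVote(ValueError):
    """Raised by the hardened handler when voteVal is not an integer in 1..5."""


def _average(votes: List[int]) -> float:
    return sum(votes) / len(votes)


def handle_vote_vulnerable(post: Dict[str, str], store: Dict[str, List[int]]) -> float:
    """Mirrors the broken behaviour: whatever voteVal arrives is recorded."""
    band = post["band"]
    store.setdefault(band, []).append(int(post["voteVal"]))  # no range check at all
    return _average(store[band])


def handle_vote_hardened(post: Dict[str, str], store: Dict[str, List[int]]) -> float:
    """Re-checks the value on the server; the client-side check is only a courtesy."""
    band = post.get("band", "").strip()
    raw = post.get("voteVal", "").strip()
    if not band:
        raise BadVote("missing band")
    # isdigit() rejects "", "-1", "3.5", "1e9" and anything carrying a sign or letters
    if not raw.isdigit():
        raise BadVote("voteVal must be an integer")
    vote = int(raw)
    if vote < 1 or vote > 5:
        raise BadVote("voteVal out of range 1..5")
    store.setdefault(band, []).append(vote)
    return _average(store[band])


def tampering_demo() -> Dict[str, float]:
    """Constructed sample: two honest votes, then one tampered request."""
    honest = [{"band": "Raging Inferno", "voteVal": "3"},
              {"band": "Raging Inferno", "voteVal": "2"}]
    tampered = {"band": "Raging Inferno", "voteVal": "99999"}

    weak: Dict[str, List[int]] = {}
    for p in honest:
        handle_vote_vulnerable(p, weak)
    weak_avg = handle_vote_vulnerable(tampered, weak)  # one request wins the bet

    strong: Dict[str, List[int]] = {}
    for p in honest:
        handle_vote_hardened(p, strong)
    try:
        handle_vote_hardened(tampered, strong)
    except BadVote:
        pass  # rejected; the recorded votes stay [3, 2]
    return {"vulnerable": weak_avg, "hardened": _average(strong["Raging Inferno"])}


if __name__ == "__main__":
    print(tampering_demo())
```

The hardened handler deliberately checks the type before the range: `int()` on an attacker-controlled string would otherwise accept signs, whitespace and underscores that the form never offered.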

Hack This Site!

Monday 11 July 2011

Hack This Site (HTS) Javascript 6 - go go go away .js

now you see it..umm...wait...

"Fiftysixer decided to try his hand at javascript!
All was going well until he realized that he forgot to remove the unused code, which resulted in a confusing mess.
He didn't mind, in fact, he did his best to make it even MORE confusing!"



As usual, the first step is to jump through the source code to where the password field lies and look at the surrounding code. We can see that as soon as the user clicks the submit button, a piece of JavaScript runs which checks the password entered. From here we do a second search for the "checkpass" function and find that it is not in the page at all but in an external file, which happens to be named checkpass.js.

In this file, we see how the function works and what the expected input is which in this case is: moo pwns

Hack This Site!

Tuesday 21 June 2011

Hack This Site (HTS) Javascript 5 - Escape!

Did... she say runescape?

Uhm, faith spelled runescape wrong?



This mission, like many of the other JavaScript missions, simply requires you to look up JavaScript functions; in this case the "escape/unescape" pair. As you can see from the video, there tends to be an online converter for any language function that involves encoding or conversion.

To pass this mission you simply need to input the unescaped version of the string given in the source code, which is ilovemoo.

Hack This Site!

Thursday 2 June 2011

Hack This Site (HTS) Javascript 4 - Var?

But that's what it said! right?

Faith is trying to trick you... she knows that you're tired after all the math works...



The difficulty rating for this one is easy for a reason! What's involved to get the password is as easy as the first mission, however it takes a bit more thinking 'outside of the box'. There's not a lot more that can be said in this tutorial as it really is quite simple.

Although most websites will not use this kind of mechanism for logins (well... we hope so from their point of view, but from ours it makes the job a lot easier :)), they will try to obscure information using JavaScript and other tricks like this. For example, if you look at the source code of many video hosting websites you will notice that the location of the video is embedded somewhere in the code, so we can come along and simply paste it into our address bar and download the video. Try this on a website like Veoh or YouTube, however, and it's not quite as easy to find.

Hack This Site!

Monday 30 May 2011

Hack This Site (HTS) Javascript 3 - Math Time!

Faith is going to test your math skills and your javascript operations

Faith is going hardcore with javascript operators...



JavaScript 3 is based on the arithmetic operators available in all programming and scripting languages. By looking at the source code we see that the password function applies a series of arithmetic operations to a number of variables, and the result is tied to the password. The use of Google here to do the sums for us is to ensure that no mistakes are made in the calculations and to show how useful Google can really be.

After working out the sums:

foo: 47
bar: 7
moo: 14
rar: N/A

We know that the value of moo is 14 and that this somehow relates to the password. The next step is to see what the JavaScript "length" property returns. After looking it up we see that it returns "the length of the string (in characters)." This is very important, as it is the difference between the answer being the value 14 and the answer being any string 14 characters long. In this case, I used: xxxxxxxxxxxxxx

Hack This Site!

Hack This Site (HTS) Javascript 2 - Disable Javascript

Faith had made a redirect script and logout with javascript to keep hackers away



The key to this mission is the information given above. When you click on the link you see the redirect script run and make you "lose" the mission. By simply turning off JavaScript within your browser you disable any JavaScript content on a web page; in this case you stop the redirect script from executing.

Hack This Site!

Hack This Site (HTS) Javascript 1 - Idiot Test

Faith is learning Javascript, the only thing that is protecting her from hackers is luck.

"Faith is learning javascript"



Similar to Basic 1, this mission requires very little, if any, javascript knowledge. A simple look at the source code shows us that the function that handles the login takes the password and checks if it is equal to "cookies".

Hack This Site!

Wednesday 11 May 2011

Lack of tutorials recently...

Due to it being such a busy time for me at the moment and the length of time needed to create the tutorials, write the articles and upload them etc., my posts won't be regular for the next few weeks. Also, the harder the task, the longer and more in-depth the tutorials need to be, so I've decided to take a break from the last two basic missions on hackthissite.org and start doing the JavaScript missions. I've already made the videos for all these missions so they just need the articles to go along with them, which means I get to post slightly more regularly as they aren't quite as complicated as the basics.

Check back soon!

Sunday 24 April 2011

Hack This Site (HTS) Basic 9

The password is again hidden in an unknown file. However, the script that was previously used to find it has some limitations. Requirements: Knowledge of SSI, unix directory structure.

"Network Security Sam is going down with the ship - he's determined to keep obscuring the password file, no matter how many times people manage to recover it. This time the file is saved in /var/www/hackthissite.org/html/missions/basic/9/.

In the last level, however, in my attempt to limit people to using server side includes to display the directory listing to level 8 only, I have mistakenly screwed up somewhere.. there is a way to get the obscured level 9 password. See if you can figure out how...

This level seems a lot trickier than it actually is, and it helps to have an understanding of how the script validates the user's input. The script finds the first occurrence of '<--', and looks to see what follows directly after it."



This mission is almost identical to the previous one and needs the same knowledge of SSI and directory traversal. You already know from the mission description that Sam screwed up when trying to restrict file viewing to the level 8 directory only, so you need to go back to the level 8 mission and take advantage of the same SSI injection vulnerability there.

As a reminder I did a test input again to show you that your file gets saved into a temporary folder. In the last mission we executed the command "ls ..", which took us from /missions/basic/8/tmp up to /missions/basic/8, where that password file was kept. Now we need to reach the 9th basic mission's directory, so we jump back one more level and then down into the new directory: the command becomes "ls ../../9". That lists the level 9 password file, which can then be viewed the same way, and mission 9 is complete :)

Hack This Site!

Hack This Site (HTS) Basic 8

The password is yet again hidden in an unknown file. Sam's daughter has begun learning PHP, and has a small script to demonstrate her knowledge. Requirements: Knowledge of SSI (dynamic html executed by the server, rather than the browser)

"Sam remains confident that an obscured password file is still the best idea, but he screwed up with the calendar program. Sam has saved the unencrypted password file in /var/www/hackthissite.org/html/missions/basic/8/

However, Sam's young daughter Stephanie has just learned to program in PHP. She's talented for her age, but she knows nothing about security. She recently learned about saving files, and she wrote an script to demonstrate her ability."



In this mission we are told that knowledge of Server-Side Includes (SSI) is necessary in order to complete it. The first thing you must do therefore is Google SSI and read up on it. There's no need for me to go into the ins and outs of what SSI is, but in layman's terms it lets the web server execute directives embedded in a page (for example running a command or including a file) before the page is sent to the browser. After doing some research you should be fairly comfortable with what SSI is and how to use it. Knowledge of directory traversal is also needed for this mission.

From the description within the mission we know that "Stephanie" has created a PHP program that has an exploitable security flaw in it. So we first need to use that program and see what it does. As you can see, it saves your input into a file in a temporary folder named "tmp" and then includes this file after the "Hi, " statement. This is where our knowledge of SSI comes in.
We can presume at this point that the security flaw is that input does not get checked and that you can put your own SSI directive into the field, which will be executed when the saved file is included by "Stephanie's" program. So we test it with "<!--#exec cmd="ls" -->". Straight away we know that the input is not checked, as the file does get saved. From clicking on the link we can see that our arbitrary directive gets executed and all the files in the "tmp" folder are displayed (because we used the *nix command "ls").

This is where our knowledge of directory traversal comes into play. At this point we know we can use SSI injection (although this is limited for the site's own security; any command other than the expected ones won't get executed and a message saying you're on the right track is output instead). At the moment the "ls" command is listing everything in the "tmp" folder, but this is not the folder we want; we need to jump back a directory using "..". Therefore the new input is "<!--#exec cmd="ls .." -->". This outputs the name of the file containing the password, which just needs to be viewed to obtain it. Well done, you just completed Basic 8!
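As an added example (not code from the original post or from Hack This Site), here is the defect behind both Basic 8 and Basic 9 in miniature: untrusted input is written into a file that the server then parses for server-side includes, so an exec directive in the "name" field runs as a command. The block shows a detector for SSI directives and the neutralisation (HTML-escaping before the value is stored) that leaves the text harmless. The function names are assumptions; the payloads are the ones discussed in the two missions above.

```python
# Added example (not from the original post or Hack This Site): detect SSI
# directives in user input, and show the vulnerable "store it raw" path next to
# a hardened path that escapes the value before it can reach a file that
# mod_include will parse. Names are assumptions made for this illustration.
import html
import re

# Directives Apache mod_include understands. Whitespace after "<!--" and "#" is
# tolerated here on purpose, as a defensive over-match, not as a claim about
# what the server itself accepts.
SSI_DIRECTIVE = re.compile(
    r"<!--\s*#\s*(exec|include|echo|config|set|printenv|fsize|flastmod|if|elif|else|endif)\b",
    re.IGNORECASE,
)


def contains_ssi(text: str) -> bool:
    """True if the text carries anything mod_include would try to execute."""
    return SSI_DIRECTIVE.search(text) is not None


def save_name_vulnerable(name: str) -> str:
    """Mirrors the mission: the raw input is what gets written and later included."""
    return f"Hi, {name}"


def save_name_hardened(name: str) -> str:
    """Escape before the value ever reaches a file the server may parse as SSI."""
    if len(name) > 64:
        raise ValueError("name too long")
    return f"Hi, {html.escape(name, quote=True)}"


# Constructed payloads matching the Basic 8 and Basic 9 walkthroughs above.
PAYLOADS = {
    "basic8": '<!--#exec cmd="ls .." -->',
    "basic9": '<!--#exec cmd="ls ../../9" -->',
}


if __name__ == "__main__":
    for label, p in PAYLOADS.items():
        print(label,
              "raw:", contains_ssi(save_name_vulnerable(p)),
              "escaped:", contains_ssi(save_name_hardened(p)))
```

Escaping is the application-level fix; the server-level one is not to serve user-written files with SSI parsing enabled at all (in Apache, `Options IncludesNOEXEC` or removing `Includes` for that directory), so that even a missed directive is just text.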

Hack This Site!

Monday 11 April 2011

Hack This Site (HTS) Basic 7

The password is hidden in an unknown file, and Sam has set up a script to display a calendar. Requirements: Basic UNIX command knowledge.

"This time Network Security sam has saved the unencrypted level7 password in an obscurely named file saved in this very directory.

In other unrelated news, Sam has set up a script that returns the output from the UNIX cal command. Here is the script:"



In this mission we are told that the input in one field is used as the argument to the Unix cal command, which prints calendar dates depending on the input it is given. The biggest clue is that when you click the "view" button the server executes a Unix command with your input in it. Hopefully at this point you should be thinking about the kinds of things that could be done with that. The reason we Googled how to group commands is that you can't just type a command into the field and hope it gets executed: the cal command runs regardless of what you enter, and if you give it a bare command such as "ls" (to list a directory on *nix) cal simply treats "ls" as an invalid argument and fails.

As we work our way through the list of methods to run shell commands we cross out the ones that are not applicable and hopefully learn something about the ways commands can be grouped together. The first entry was for single commands, which is not what we need as the cal command is already being executed and we need a second one on top of that.

The second option is interesting! Mid writing this article it occurred to me that this option, whereby commands are separated by ';', should work, and on testing this method can also be used. An input of "; ls;" gives the same output. This is the kind of thing you need to be doing: always trying new things and thinking about other ways tasks can be achieved.

The third is to use pipes, but this option is not the right one as, as the PDF states, the "output of command 1 is input to command 2" and calendar dates are not useful input for ls. (Strictly, ls ignores its standard input, so "| ls" would still run; the point is that a pipe is for feeding one command's output to another, not for appending an unrelated command.)

Finally, we use the && operator. The reason we use the input "&& ls" is that when the cal command is executed with no arguments it returns the dates in the current month, so we know the command will succeed. And as the "&&" operator only runs the command on its right-hand side if the command on its left succeeded, we know ls will always be executed. The rest of the tutorial is fairly self-explanatory.

Just to note, although the commands we are allowed to execute are limited for the site's own security, we can still have a little play. Input such as "; ls; cal 2011" or "&& ls && cal 2011" still executes :)
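As an added example (not code from the original post or from Hack This Site), here are the two ways Sam's cal script could be written. The vulnerable form glues the field into a shell command line, so ";" and "&&" let a second command in; the hardened form allow-lists the field against what cal actually accepts and passes it as a separate argv element, never through a shell. The function names and the argument grammar (optional month plus year) are assumptions made for this illustration.

```python
# Added example (not from the original post or Hack This Site): the cal field
# handled vulnerably (string concatenation into a shell command line) and
# safely (allow-list, then argv without a shell). Names are assumptions.
import re
import subprocess
from typing import List

# Shell control operators and expansions that turn "an argument" into "more commands".
SHELL_META = re.compile(r"[;&|`$(){}<>\\\n\"']")

# What cal legitimately takes here: an optional month (1-12) and a year (1-9999).
CAL_ARGS = re.compile(r"^(?:(?P<month>\d{1,2})\s+)?(?P<year>\d{1,4})$")


def vulnerable_command_line(field: str) -> str:
    """What a script doing system("cal " . $input) hands to /bin/sh verbatim."""
    return "cal " + field


def looks_like_injection(field: str) -> bool:
    """Cheap detector for the pattern used in the mission ("&& ls", "; ls;")."""
    return SHELL_META.search(field) is not None


def build_cal_argv(field: str) -> List[str]:
    """Allow-list the input, then build an argv list: no shell, no operators."""
    m = CAL_ARGS.match(field.strip())
    if not m:
        raise ValueError(f"rejected cal argument: {field!r}")
    argv = ["cal"]
    if m.group("month"):
        month = int(m.group("month"))
        if not 1 <= month <= 12:
            raise ValueError("month out of range")
        argv.append(str(month))
    argv.append(str(int(m.group("year"))))
    return argv


def run_cal(field: str) -> str:
    """Run cal safely; shell=False means argv[1:] are plain arguments to cal."""
    argv = build_cal_argv(field)
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for payload in ("2011", "4 2011", "&& ls", "; ls;"):
        print(repr(vulnerable_command_line(payload)),
              "injection" if looks_like_injection(payload) else "clean")
```

The detector is there to show what the attack looks like in logs; the actual defence is `build_cal_argv`, which never lets the metacharacters reach a shell in the first place.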

Hack This Site!

Hack This Site (HTS) Basic 6

An encryption system has been set up, which uses an unknown algorithm to change the text given. Requirements: Persistence, some general cryptography knowledge.

"Network Security Sam has encrypted his password. The encryption system is publicly available and can be accessed with this form."

This mission is fairly simple and is completed using an ASCII chart and Notepad. By entering something like 00000 into the encrypt field we notice that the returned string is 01234. This tells us that the encryption scheme adds each character's position in the string to the character itself. As in computing we count from 0, the first character's position is 0 and its value is not changed. The second 0 is at position 1, so 1 is added to 0 to make 1, and so forth. This also applies to letters: the string aaaaa gets changed to abcde, because ASCII characters are just the character representation of numerical values. Now that we know what the encryption scheme is, we need to decrypt. This simply requires reversing the encryption scheme: subtract the position value instead of adding it.

The string I have been given to decrypt is 41die;79. By implementing the decryption scheme the string value i now get is: 40bfa612
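As an added example (not code from the original post or from Hack This Site), here is the scheme inferred above in code, together with the chosen-plaintext probe that inferred it. The probe is written generally: it recovers any per-position additive shift from the encryption form, not only "add the index", so it would also work if Sam had used a different shift table. The scheme itself is this post's inference about the mission and is an assumption here, not HTS's published algorithm.

```python
# Added example (not from the original post or Hack This Site): the
# position-shift cipher inferred in the walkthrough, and the chosen-plaintext
# probe used to infer it. The scheme is an assumption taken from the post.
from typing import Callable, List


def hts_encrypt(plain: str) -> str:
    """Add each character's zero-based position to its character code."""
    return "".join(chr(ord(c) + i) for i, c in enumerate(plain))


def hts_decrypt(cipher: str) -> str:
    """Inverse: subtract the position again."""
    return "".join(chr(ord(c) - i) for i, c in enumerate(cipher))


def recover_shifts(oracle: Callable[[str], str], length: int, probe_char: str = "0") -> List[int]:
    """Chosen-plaintext attack: feed a run of one character to the encryption
    form and read the per-position shift off the result ("00000" -> "01234")."""
    probe = probe_char * length
    out = oracle(probe)
    if len(out) != length:
        raise ValueError("oracle changed the length; not a simple per-character shift")
    return [ord(o) - ord(probe_char) for o in out]


def decrypt_with_shifts(cipher: str, shifts: List[int]) -> str:
    """Undo any per-position additive shift recovered from the oracle."""
    if len(shifts) < len(cipher):
        raise ValueError("need at least one shift per ciphertext position")
    return "".join(chr(ord(c) - s) for c, s in zip(cipher, shifts))


if __name__ == "__main__":
    ct = "41die;79"  # the ciphertext from the walkthrough above
    shifts = recover_shifts(hts_encrypt, len(ct))
    print(shifts, decrypt_with_shifts(ct, shifts))
```

The point of `recover_shifts` is that you never need to read the scheme's source: as long as the encrypt form is public, one probe of the right length gives you the whole key table.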

Hack This Site!

Sunday 10 April 2011

Hack This Site (HTS) Basic 5

Similar to the previous challenge, but with some extra security measures in place. Requirements: HTML knowledge, JS or FF, an email address.

"Sam has gotten wise to all the people who wrote their own forms to get the password. Rather than actually learn the password, he decided to make his email program a little more secure.
"

The method used for this tutorial is the same as the one used in Basic 4: http://crackandsecure.blogspot.com/2011/04/hack-this-site-hts-basic-4.html

Hack This Site!

Hack This Site (HTS) Basic 4

An email script has been set up, which sends the password to the administrator. Requirements: HTML knowledge, an email address

"This time Sam hardcoded the password into the script. However, the password is long and complex, and Sam is often forgetful. So he wrote a script that would email his password to him automatically in case he forgot. Here is the script:"



In this mission Sam is once again using hidden values to make his login scripts work. He is relying on the value of the hidden field "to" to not be altered and so a value change of this field results in the password being revealed. I was hoping that HTS might actually email you the password but we can all dream!

Hack This Site!

Hack This Site (HTS) Basic 3

Some intuition is needed to find the location of the hidden password file. Requirements: Basic HTML knowledge

"This time Network Security Sam remembered to upload the password file, but there were deeper problems than that."



In this mission Sam uses a hidden value in his password submission form that reveals the location of the password. By navigating to this location the password is revealed in plaintext.

Hack This Site!

Hack This Site (HTS) Basic 2

A slightly more difficult challenge, involving an incomplete password script. Requirements: Common sense:

"Network Security Sam set up a password protection script. He made it load the real password from an unencrypted text file and compare it to the password the user enters. However, he neglected to upload the password file..."



This mission doesn't need any technical knowledge as the logic is simple. The password is held in a file in plaintext (unencrypted) but as Sam forgot to upload the file there is no password to check against.

Hack This Site!

Hack This Site (HTS) Basic 1

Basic test of your skills to see if you can do any of these missions. Requirements: HTML

"This level is what we call "The Idiot Test", if you can't complete it, don't give up on learning all you can, but, don't go begging to someone else for the answer, thats one way to get you hated/made fun of. Enter the password and you can continue. "



This is a video tutorial for http://hackthissite.org/ basic mission 1. As this is known as "The Idiot Test" no explanation will be given.

Hack This Site!

Thursday 7 April 2011

Simple Router Bypassing

This tutorial is going to explain how to gain access to a live router and what can be done to help prevent such access. The only tool you'll need for this is an IP scanner; for this tutorial I'm using Angry IP Scanner as it does exactly what I need and the GUI helps speed up the process a little bit, but use whatever you're comfortable with! This tool can be found at: http://www.angryip.org/w/Download

For this kind of hack you need a starting address, which I usually take as my own, so head to http://www.whatismyip.com/ and copy your IP address. Then load up your scanner and scan the range from this address to this address with one of the octets changed to a different number. Perhaps start by changing the fourth octet and work your way down if your results show no live hosts after each search. It is important to note here that you only want hosts that have port 80 or 8080 open. In Angry IP Scanner you can do this by going to Options -> Select Ports... -> and adding the two ports.

This would be a good point for an explanation of why we're doing this, and it kills some time whilst you're waiting for your scan to finish. Almost every home router has a web interface, protected by a login, that admins can use to alter the settings; hence why we're scanning ports 80 and 8080. Although other ports can be used for HTTP, these are the most common among average users. This interface is what we're trying to reach and log in to.

Once you've found a live host, copy the IP address and paste it into the address bar of your browser. There are times when the connection may time out or be actively refused, so just skip on to your next live host. When you finally get a host that responds you should be taken either to a web page with a login area or straight to a login prompt. This is where a bit of common sense is needed. Somewhere on the page you are visiting there should be some information about the type of router. A simple Google of the product name or manufacturer plus keywords such as "router", "default" etc. should reveal the vital information you need. For example, the first page returned whilst searching "netgear default router password" is: http://kb.netgear.com/app/answers/detail/a_id/1148/~/default-password-for-netgear-devices

And within the first couple of lines we are told that the default username and password are "admin" and "password" respectively, with "1234" as the password on older models. Inputting this data into the fields should give you access to the router; however, this is not guaranteed, as all of this relies on the owner of the router not being a techy and leaving the defaults in place.

There are two main reasons that this hack is possible:
  • Product manufacturers who are supplying equipment that will be used in almost every home are relying on the users themselves to deal with security issues.
  • Most product manufacturers ship with default credentials and users are not prompted to change the username/password straight away, so they are not aware that such a problem exists.
Some simple precautions that can be taken to prevent this kind of unauthorized access:
  • Change the defaults when setting up your router initially to a username/password that you can easily remember and that is not common.
  • Disable remote (WAN-side) management so the web interface is only reachable from the local network; a scan of public addresses like the one above then finds nothing to log in to.
  • Enable MAC address filtering so that only computers that have been cleared to use the device are able to access the web interface on the local network. It must also be noted that this is not a complete prevention and there are ways around MAC address filtering, but it is outside the scope of this tutorial to explain them.

Sunday 27 February 2011

The Important Introduction...

This blog space will be used to show via video and written tutorials how to use various different tools that are openly available on the web that can be used to break into systems and help secure them.

*Note ... Any form of cracking that takes place within these tutorials is done on equipment owned by myself, or on equipment where permission has been granted. If you are to try these techniques out yourselves I can only advise you to do the same, and cannot be held responsible for any repercussions that may occur if you don't.*

Check back soon for new posts!