Sunday, 24 April 2011

Hack This Site (HTS) Basic 9

The password is again hidden in an unknown file. However, the script that was previously used to find it has some limitations. Requirements: Knowledge of SSI, Unix directory structure.

"Network Security Sam is going down with the ship - he's determined to keep obscuring the password file, no matter how many times people manage to recover it. This time the file is saved in /var/www/hackthissite.org/html/missions/basic/9/.

In the last level, however, in my attempt to limit people to using server side includes to display the directory listing to level 8 only, I have mistakenly screwed up somewhere... there is a way to get the obscured level 9 password. See if you can figure out how...

This level seems a lot trickier than it actually is, and it helps to have an understanding of how the script validates the user's input. The script finds the first occurrence of '<--', and looks to see what follows directly after it."



This mission is almost identical to the previous one and needs the same knowledge of SSI and directory traversal. You already know from the mission description that Sam has made a mistake in restricting file viewing to the level 8 directory only, so you will need to go back to the level 8 mission and take advantage of the same SSI injection vulnerability.

As a reminder, I did a test input again to show you that your file gets saved into a temporary folder. In the last mission we executed the command "ls ..", which took us from /missions/basic/8/tmp to /missions/basic/8, where the password file was kept. However, now we need to get to the 9th basic mission, so not only do we need to jump back one more directory, we then need to jump into a new directory, and the command becomes "ls ../../9". From here we have access to the new password file and mission 9 is completed :)

Hack This Site!

Hack This Site (HTS) Basic 8

The password is yet again hidden in an unknown file. Sam's daughter has begun learning PHP, and has a small script to demonstrate her knowledge. Requirements: Knowledge of SSI (dynamic HTML executed by the server, rather than the browser)

"Sam remains confident that an obscured password file is still the best idea, but he screwed up with the calendar program. Sam has saved the unencrypted password file in /var/www/hackthissite.org/html/missions/basic/8/

However, Sam's young daughter Stephanie has just learned to program in PHP. She's talented for her age, but she knows nothing about security. She recently learned about saving files, and she wrote a script to demonstrate her ability."



In this mission we are told that knowledge of Server-Side Includes (SSI) is necessary in order to complete it. The first thing you must do, therefore, is Google SSI and read up on it. There's no need for me to go into the ins and outs of what SSI is, but in layman's terms it allows you to dynamically execute code on a web page. After doing some research you should be fairly comfortable with what SSI is and how to use it. Knowledge of directory traversal is also needed for this mission.

From the description within the mission we know that "Stephanie" has created a PHP program with an exploitable security flaw in it. So we first need to use that program and see what it does. As you can see, it saves your input into a file in a temporary folder named "tmp" and then includes this file after the "Hi, " statement. This is where our knowledge of SSI comes in.
We can presume at this point that the security flaw is that the input does not get checked, so you can add your own SSI injection into the field and it will be executed when included by "Stephanie's" program. So we test it with an SSI directive that runs "ls". Straight away we know that the input is not checked, as the file does get saved. From clicking on the link we can see that our arbitrary code gets executed and all the files in the "tmp" folder are displayed (because we used the *nix command "ls").

This is where our knowledge of directory traversal comes into play. At this point we know we can use SSI injections (although this is limited for the site's own security; any commands that aren't the expected ones won't be executed and a message saying you're on the right track will be output). At the moment the "ls" command is listing everything in the "tmp" folder, but this is not the folder we want listed; we need to jump back a directory using "..". Therefore the new command is "ls ..". This lists the file containing the password, which just needs to be viewed to obtain it. Well done, you just completed Basic 8!
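Two defensive checks for the flaws walked through in Basic 8 and Basic 9, added here as example code (not Stephanie's script or anything from HTS): a path-containment check of the kind the level-9 restriction should have used, and escaping of the saved input so an SSI directive is displayed rather than executed. The directory constant mirrors the path quoted in the mission; the tmp sub-folder and sample input are constructed.

```python
import posixpath
import html

# Mirrors the directory quoted in the Basic 8 mission text; everything else
# about the server layout is assumed for this example.
LEVEL8_BASE = "/var/www/hackthissite.org/html/missions/basic/8"


def resolve_listing_target(requested: str, base: str = LEVEL8_BASE) -> str:
    """Return the directory a user-supplied 'ls' argument really points at,
    or raise if it escapes `base`.

    The level-8 check in the mission tried to confine listings to the level-8
    directory and got it wrong. Joining the input onto the tmp folder and
    normalising makes the real target explicit: ".." stays inside base,
    "../../9" does not (it normalises to .../basic/9), and an absolute path
    such as "/etc" replaces base entirely and is caught the same way.
    normpath does not follow symlinks; on a live server use os.path.realpath.
    """
    target = posixpath.normpath(posixpath.join(base, "tmp", requested))
    if target != base and not target.startswith(base + "/"):
        raise PermissionError(f"{requested!r} resolves outside {base}: {target}")
    return target


def contains_ssi_directive(user_text: str) -> bool:
    """Detection: every SSI directive begins with the '<!--#' marker."""
    return "<!--#" in user_text


def neutralise_for_include(user_text: str) -> str:
    """Mitigation for the saved-and-included file: escape the text before it
    is written. Once '<' is '&lt;' the server sees plain text, not a
    directive, so the input is displayed instead of executed."""
    return html.escape(user_text, quote=True)


if __name__ == "__main__":
    for arg in ("..", "../../9"):
        try:
            print(arg, "->", resolve_listing_target(arg))
        except PermissionError as exc:
            print(arg, "-> rejected:", exc)
    tainted = '<!--#exec cmd="ls" -->'  # constructed sample of the injected input
    print(contains_ssi_directive(tainted), neutralise_for_include(tainted))
```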

Hack This Site!

Monday, 11 April 2011

Hack This Site (HTS) Basic 7

The password is hidden in an unknown file, and Sam has set up a script to display a calendar. Requirements: Basic UNIX command knowledge.

"This time Network Security Sam has saved the unencrypted level 7 password in an obscurely named file saved in this very directory.

In other unrelated news, Sam has set up a script that returns the output from the UNIX cal command. Here is the script:"



In this mission we are told that the input in one field will be used as the arguments for the Unix cal command, which prints calendar dates depending on the input it is given. The biggest clue they give here is that when you click the "view" button the server will execute a Unix command. Hopefully at this point you should be starting to think about the kinds of things that could be done. The reason we googled how to group commands is that you can't just input a command into the field and hope it gets executed. The cal command expects particular data and is going to be executed regardless of what you do, so if you give it just a command such as "ls" (to list a directory in *nix) the command will simply fail.

As we work our way through the list of methods to execute shell commands we cross out the ones that are not applicable and hopefully learn something about the ways commands can be grouped together. The first entry is for single commands, which is not what we need, as the cal command is already being executed and we need a second one on top of that.

The second option is interesting! While writing this article it occurred to me that this option, whereby commands are separated by ';', should work, and on testing, this method can also be used. An input of "; ls;" gives the same output. This is the kind of thing you need to be doing: always trying new things and thinking about other ways tasks can be achieved.

The third is to use pipes, but this option is not usable because, as the PDF states, the "output of command 1 is input to command 2", and calendar dates are not usable input for ls.

Finally, we use the && operator. The reason we use the input "&& ls" is that if the cal command is executed with no arguments it returns the dates in the current month, so we know the command will execute successfully. And as the "&&" operator relies on the command on its left-hand side succeeding in order for the right-hand command to be executed, we know it always will be. The rest of the tutorial is fairly self-explanatory.

Just to note, although the commands we are allowed to execute are limited for the site's own security, we can still have a little play. Input such as "; ls; cal 2011" or "&& ls && cal 2011" still executes :)
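The flaw in Basic 7 is a shell receiving "cal " plus whatever the field contains. The example below is added here (not the HTS script or the site's filter) to show the vulnerable string-building pattern next to the fix: whitelist the month/year shapes cal actually takes and pass them as an argv list with no shell, plus a metacharacter check that flags the ';', '&&' and '|' groupings discussed above when reviewing logs. Function names and regexes are my own.

```python
import re
import subprocess
from typing import List

# Shell control characters. The ';', '&&' and '|' groupings discussed above
# each contain one, so this is a usable log indicator (constructed check,
# not the HTS site's own filter).
SHELL_CONTROL = re.compile(r"[;&|`$(){}<>\n\\'\"]")

# cal takes nothing, a year, or a month and a year; only digits and spaces.
CAL_ARGS = re.compile(r"^\s*(?:(?P<month>1[0-2]|0?[1-9])\s+)?(?P<year>\d{1,4})?\s*$")


def vulnerable_cal_command(user_input: str) -> str:
    """The pattern behind the mission: the field is pasted into one shell
    string, so "cal && ls" is two commands as far as the shell is concerned."""
    return "cal " + user_input


def has_shell_metachars(user_input: str) -> bool:
    return SHELL_CONTROL.search(user_input) is not None


def safe_cal_argv(user_input: str) -> List[str]:
    """Whitelist the only argument shapes cal needs and return an argv list.
    Passed to exec without a shell, there is nothing left to chain."""
    m = CAL_ARGS.match(user_input)
    if m is None:
        raise ValueError(f"rejected cal arguments: {user_input!r}")
    argv = ["cal"]
    if m.group("month"):
        argv.append(m.group("month"))
    if m.group("year"):
        argv.append(m.group("year"))
    return argv


def run_cal(user_input: str) -> str:
    """Run cal with the validated argv and no shell (needs cal installed)."""
    proc = subprocess.run(safe_cal_argv(user_input), check=True,
                          capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    for probe in ("2011", "4 2011", "&& ls", "; ls; cal 2011"):
        try:
            print(repr(probe), "->", safe_cal_argv(probe))
        except ValueError:
            print(repr(probe), "-> rejected; metachars:", has_shell_metachars(probe))
```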

Hack This Site!

Hack This Site (HTS) Basic 6

An encryption system has been set up, which uses an unknown algorithm to change the text given. Requirements: Persistence, some general cryptography knowledge.

"Network Security Sam has encrypted his password. The encryption system is publicly available and can be accessed with this form."

This mission is fairly simple and is completed using an ASCII chart and Notepad. By entering something like 00000 into the encrypt field we notice that the returned string is 01234. This tells us that the encryption scheme adds each character's position in the string to the character itself. As in computing we count from 0, the first character's position is 0 and its value is not changed. The second 0's position is 1, so 1 is added to 0 to make 1, and so forth. This also applies to letters: the string aaaaa gets changed to abcde, because ASCII characters are just the character representation of numerical values. Now that we know what the encryption scheme is, we need to decrypt. This simply requires reversing the encryption scheme: subtract the position instead of adding it.

The string I have been given to decrypt is 41die;79. By implementing the decryption scheme the string value I now get is: 40bfa612
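The scheme inferred above, written out as added example code (not the HTS form's own implementation), together with the chosen-plaintext step generalised: submit any known string and diff the output against it to read off the per-position key, then confirm it really is "shift by index" before decrypting. Function names are mine; no wrap-around is modelled, so a character shifted past 0x7E simply leaves plain ASCII.

```python
from typing import List


def encrypt(plaintext: str) -> str:
    """Add each character's 0-based position to its ASCII code (00000 -> 01234)."""
    return "".join(chr(ord(c) + i) for i, c in enumerate(plaintext))


def decrypt(ciphertext: str) -> str:
    """Reverse it: subtract the position instead of adding it."""
    return "".join(chr(ord(c) - i) for i, c in enumerate(ciphertext))


def recover_shifts(chosen_plain: str, observed_cipher: str) -> List[int]:
    """The 00000 probe generalised: for any chosen plaintext, the difference
    between output and input at each position is that position's shift."""
    if len(chosen_plain) != len(observed_cipher):
        raise ValueError("length changed; not a per-character shift")
    return [ord(c) - ord(p) for p, c in zip(chosen_plain, observed_cipher)]


def matches_position_shift(chosen_plain: str, observed_cipher: str) -> bool:
    """True when every recovered shift equals its index, i.e. the scheme above."""
    shifts = recover_shifts(chosen_plain, observed_cipher)
    return shifts == list(range(len(shifts)))


if __name__ == "__main__":
    print(encrypt("aaaaa"))                  # abcde
    print(recover_shifts("00000", "01234"))  # [0, 1, 2, 3, 4]
    print(decrypt("41die;79"))               # 40bfa612
```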

Hack This Site!

Sunday, 10 April 2011

Hack This Site (HTS) Basic 5

Similar to the previous challenge, but with some extra security measures in place. Requirements: HTML knowledge, JS or FF, an email address.

"Sam has gotten wise to all the people who wrote their own forms to get the password. Rather than actually learn the password, he decided to make his email program a little more secure."

The method used for this tutorial is the same as the one used in Basic 4: http://crackandsecure.blogspot.com/2011/04/hack-this-site-hts-basic-4.html

Hack This Site!

Hack This Site (HTS) Basic 4

An email script has been set up, which sends the password to the administrator. Requirements: HTML knowledge, an email address

"This time Sam hardcoded the password into the script. However, the password is long and complex, and Sam is often forgetful. So he wrote a script that would email his password to him automatically in case he forgot. Here is the script:"



In this mission Sam is once again using hidden values to make his login scripts work. He is relying on the hidden field "to" not being altered, so changing the value of this field results in the password being revealed. I was hoping that HTS might actually email you the password but we can all dream!
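The lesson of Basic 4 (and Basic 5 above) is that a hidden input is still client-controlled. As an added example, not the HTS script, here is the trusting pattern beside two fixes: keep the recipient server-side and ignore the field, or, where a value really must round-trip through the browser, bind it to an HMAC so any edit is detected. The recipient address and secret are constructed placeholders.

```python
import hmac
import hashlib

# Constructed server-side values for this example; the real script's recipient
# and any secret are not on the page.
ADMIN_EMAIL = "admin@example.invalid"
SERVER_SECRET = b"example-secret-never-placed-in-the-html"


def recipient_trusting_hidden_field(form: dict) -> str:
    """The Basic 4 pattern: the password is mailed to whatever the browser sent
    as 'to'. A hidden input is still a form field; the client controls it."""
    return form["to"]


def recipient_from_server_config(form: dict) -> str:
    """The fix: the recipient is server-side state and the field is ignored."""
    return ADMIN_EMAIL


def sign_hidden_value(value: str) -> str:
    """For a value that genuinely must round-trip through the client, bind it
    to an HMAC under a server secret so any edit is detected on return."""
    tag = hmac.new(SERVER_SECRET, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{value}|{tag}"


def verify_hidden_value(field: str) -> str:
    """Return the original value, or raise if the field is unsigned or edited."""
    value, sep, tag = field.rpartition("|")
    if not sep:
        raise ValueError("hidden field is unsigned")
    expected = hmac.new(SERVER_SECRET, value.encode("utf-8"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("hidden field was modified by the client")
    return value


if __name__ == "__main__":
    tampered_form = {"to": "someone-else@example.invalid"}  # constructed submission
    print(recipient_trusting_hidden_field(tampered_form), recipient_from_server_config(tampered_form))
    signed = sign_hidden_value(ADMIN_EMAIL)
    print(verify_hidden_value(signed))
    try:
        verify_hidden_value("someone-else@example.invalid|" + signed.split("|")[1])
    except ValueError as exc:
        print("rejected:", exc)
```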

Hack This Site!

Hack This Site (HTS) Basic 3

Some intuition is needed to find the location of the hidden password file. Requirements: Basic HTML knowledge

"This time Network Security Sam remembered to upload the password file, but there were deeper problems than that."



In this mission Sam uses a hidden value in his password submission form that reveals the location of the password. By navigating to this location the password is revealed in plaintext.

Hack This Site!

Hack This Site (HTS) Basic 2

A slightly more difficult challenge, involving an incomplete password script. Requirements: Common sense.

"Network Security Sam set up a password protection script. He made it load the real password from an unencrypted text file and compare it to the password the user enters. However, he neglected to upload the password file..."



This mission doesn't need any technical knowledge as the logic is simple. The password is held in a file in plaintext (unencrypted) but as Sam forgot to upload the file there is no password to check against.

Hack This Site!

Hack This Site (HTS) Basic 1

Basic test of your skills to see if you can do any of these missions. Requirements: HTML

"This level is what we call "The Idiot Test", if you can't complete it, don't give up on learning all you can, but, don't go begging to someone else for the answer, that's one way to get you hated/made fun of. Enter the password and you can continue."



This is a video tutorial for http://hackthissite.org/ basic mission 1. As this is known as "The Idiot Test" no explanation will be given.

Hack This Site!

Thursday, 7 April 2011

Simple Router Bypassing

This tutorial is going to explain how to gain access to a live router and what can be done to help prevent such access. The only tool you'll need for this is an IP scanner; for this tutorial I'm using Angry IP Scanner as it does exactly what I need and the GUI helps speed up the process a little bit, but use whatever you're comfortable with! This tool can be found at: http://www.angryip.org/w/Download

For this kind of hack you need a starting address, which I usually take as my own, so head to http://www.whatismyip.com/ and copy your IP address. Then load up your scanner and scan the range from this address to this address with one of the octets changed to a different number. Perhaps start by changing the fourth and work your way down if your results show no alive hosts after each search. It is important to note here that you only want hosts that have port 80 or 8080 open. In Angry IP Scanner you can do this by going to Options -> Select Ports... -> and adding the two ports.

This would be a good point for an explanation of why we're doing this, and it kills some time whilst you're waiting for your search to finish. Every router has a login-protected web interface that admins can use to alter the settings; hence why we're scanning ports 80 and 8080. Although other ports can be used for HTTP, these are the most common among average users. This interface is what we're trying to access and enter.

Once you've found an alive host, copy the IP address and paste it into the address bar in your browser. There are times when the connection may time out or get actively refused, so just skip on to your next alive host. When you finally get a host that responds you should be taken either to a web page with a login area or be prompted to log in straight away. This is where a bit of common sense is needed. Somewhere on the page you are visiting should be some form of information regarding the type of router. A simple Google of the product name or manufacturer and keywords such as "router", "default" etc. should reveal the vital information you need. For example, the first page returned when searching "netgear default router password" is: http://kb.netgear.com/app/answers/detail/a_id/1148/~/default-password-for-netgear-devices

And within the first couple of lines we are told that the default username and password are "admin" and "password" respectively, with "1234" as the password on older models. Inputting this data into the fields should give you access to the router; however, this is not guaranteed, as all of this is based on the possibility that the owner of this router is not a techie.

There are two main reasons that this hack is possible:
  • Product manufacturers who supply equipment that will be used in almost every home are relying on the users themselves to deal with security issues.
  • Most product manufacturers ship with default credentials, so users are not prompted to change the username/password straight away and are not aware that such a problem exists.
Some simple precautions that can be taken to prevent this kind of unauthorized access:
  • Change the defaults when setting up your router initially to a username/password that you can easily remember and that is not common.
  • Enable MAC address filtering so that only computers that have been cleared to use the device are able to access the web interface. It must also be noted that this is not complete prevention and there are ways around MAC address filtering, but it is outside the scope of this tutorial to explain them.