Today, we are looking at Hack This Site Realistic Mission level 2 where we need to hack the Nazis. Personally, I loved this mission. It’s much more immersive than the basic challenges as the website you need to hack could be real. While the web application only has two pages, the main page sets the tone instantly. In order to complete this mission, we need to perform an SQL Injection on the login page of the Nazi Web Application. Please check out my article on Realistic 1 if you haven’t already done so.
Navigating to Realistic 2 presents you with a message from someone called DestroyFacism. They have heard we are a good hacker and want our assistance taking care of the Nazis. The Nazis are organizing a hate rally against immigration. We can’t have that, let’s take them down.
Exploring The Web Application
Loading their web application, the symbolism is strong. If you’re easily offended by Nazi symbolism then maybe this one isn’t for you. Personally, I love the fact that I’m getting to hack the Nazis, it feels so freaking cool. Anyway, back to the technical stuff. The website appears to be basic, there is no interaction other than the images. I don’t recommend clicking on them as they do link to a real Nazi website.
As there isn’t much going on at the surface, let’s look at what’s going on under the hood. There isn’t much to see except for a URL which we didn’t see on the main page. The URL references a page called update.php, as the main page is likely index.html or index.php we can assume this is a different page.
Navigating to update.php, we get a login form. This is going to be the method we use to hack the application. There could be a number of techniques used to hack it (such as brute-forcing), but we should test if the application is vulnerable to SQL injection. In order to do this, we can use a single quotation mark to escape the login forms SQL query and append our own data to the query.
Web Application Hack
Submitting a single quotation mark to the application caused it to error. This means the application isn’t using prepared statements for SQL queries. To elaborate, prepared statements use placeholders such as question marks to reference SQL queries. This means that the SQL query can’t be escaped because it is being called by the placeholder. However, as this application produced an SQL error it most definitely isn’t using prepared statements which means we can hack it.
By entering a value and escaping it with a single quotation mark, we can append our own SQL query to the current query. The value we are going to append is ‘or 1=1 — ‘. This value will help us bypass the authentication because the answer is true. 1 does equal 1 so the SQL server will allow us to access the area of the application that the login form was protecting.
After submitting the value you will have completed the mission. This is by far one of the best missions I’ve come across doing labs. It’s an easy lab but the theme of it is brilliant, who wouldn’t love to hack Nazis. It also uses a practical exploit which is still common in the wild. Injection attacks were number 1 on the OWASP top ten up until recently. The lesson that can be learned from this is to use prepared statements when your web application needs to query a SQL server.