Howdy, thanks for visiting HaXeZ. Today we’re looking at Hack This Site Realistic Web Mission Level 11. I didn’t enjoy this challenge as much as the others, because the mission no longer works as intended. I suspect this is due to improvements in browser security or changes made to the application by its creator. The challenge previously required you to steal cookies through your user agent, but that no longer appears to be a requirement. If you haven’t seen my other posts on the realistic series, you can find them here: Part 1, Part 2, Part 3, Part 4, Part 5, Part 6, Part 7 and Part 8.

Introduction
We’ve received a message from Space46, who explains that their ISP has suspended their web application because it suspected him of hacking another website on the server. He has requested that we recover a backup of his website, which is still hosted on the server. The backup file is called “src.tar.gz”.

Exploring The Web Application
Navigating to the web application, we can see it looks like a basic hosting provider’s website. There are a number of navigation options, but none of them appears to link to anything interesting. There’s a webmail page which we could attempt to brute force if we can’t find anything else.

OS Command Injection
One thing that caught my eye was the way in which the application was calling pages. A Perl script appears to load different files based on the value of the page parameter. You can see an example of the Perl script calling the features page below.
https://www.hackthissite.org/missions/realistic/11/page.pl?page=features
We can attempt to exploit this functionality by changing the value of the page parameter to a Linux operating system command. In this instance, we’re going to use the ‘ls’ command to list the contents of the current directory.
https://www.hackthissite.org/missions/realistic/11/page.pl?page=|ls|
As you can see from the screenshot below, the command worked and we can see the contents of the directory. We should take note of all the files listed, as they could help us later on.
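The root cause here is that page.pl treats the page parameter as something other than a plain page name. As an added example (not code from the mission or from HaXeZ), here is a Python page dispatcher that only accepts names from an allowlist, plus a detector that runs the same check over constructed web-server access-log lines so a defender can spot values such as |ls| (including the percent-encoded form %7Cls%7C) after the fact. The allowlisted page names other than features, the IP addresses, timestamps and log lines are all made up for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Allowlist of pages the dispatcher may serve. Only "features" is known
# from the mission; the other names are assumptions for this example.
ALLOWED_PAGES = {"home", "features", "pricing", "webmail", "contact"}

# A page name is a short lowercase token: no slashes, pipes or spaces.
PAGE_NAME = re.compile(r"^[a-z][a-z0-9_]{0,31}$")


def resolve_page(page_value):
    """Map the user-supplied ?page= value to a template file, or None.

    The value is never handed to a shell or to an open() call; it must be
    a plain token AND a member of the allowlist before it touches the
    filesystem.
    """
    if page_value is None or not PAGE_NAME.match(page_value):
        return None
    if page_value not in ALLOWED_PAGES:
        return None
    return f"templates/{page_value}.html"


# Constructed access-log lines (combined log format) for the detector.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /missions/realistic/11/page.pl?page=features HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /missions/realistic/11/page.pl?page=%7Cls%7C HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "GET /missions/realistic/11/page.pl?page=|ls| HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /missions/realistic/11/page.pl?page=pricing HTTP/1.1" 200 3990 "-" "curl/8.0"
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def scan_log(text):
    """Return (ip, timestamp, decoded page value) for every page.pl request
    whose ?page= value resolve_page() would reject.

    Percent-decoding happens before the check, so %7Cls%7C and a literal
    |ls| are flagged alike.
    """
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/page.pl"):
            continue
        values = parse_qs(url.query, keep_blank_values=True).get("page", [""])
        for value in values:
            decoded = unquote(value)
            if resolve_page(decoded) is None:
                hits.append((m.group("ip"), m.group("ts"), decoded))
    return hits


if __name__ == "__main__":
    for ip, ts, value in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} rejected page value: {value!r}")
```

The allowlist is the fix; the log scanner is the same predicate applied retrospectively, which is usually the quickest way to find out whether an injectable parameter was ever probed before it was patched.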

Further Exploration
The results of the OS command injection showed an admin directory. Navigating to that directory reveals a login page. Unfortunately, we don’t have any credentials for it yet, so we will have to explore the web application further.

The next file in the listing is a ‘bs.dbase’ file, which appears to be a database file. Needless to say, we can’t access it, but we should remember the name for later. The next directory is ‘client_http_docs’, which appears to contain all the web applications being hosted. Navigating to this directory shows a number of directory listings, including ‘space46’. Sadly, attempting to access this directory produces an error message informing us that the application has been suspended.

The other directories appear to serve applications. One of these applications is The Wonder Diet, as shown in the image below. Another is about a potato and is still under construction. Browsing these applications didn’t appear to offer anything that we could exploit.

The Right Web Application
The ‘rightwayradio’ directory contains what appears to be a radio web application. It has some basic functionality, including a login form. There’s also a message on the landing page from the user ‘rsmith’. If we click on that user, it takes us to the User Info page for that user.

Exploiting Web Application Users
If we look at the URL, we can deduce that the user page is being called by the id parameter of the ‘userinfo’ script. Furthermore, we can see that the user ‘rsmith’ has a user id of -1. If we experiment with the parameter, we can retrieve other users’ information.
client_http_docs/therightwayradio/?page=userinfo&id=-1
By changing the value of the parameter from -1 to 0, we can retrieve the page for the user ‘aclu_bomber_08290’. As can be seen from the image below, we also have the ability to change that user’s password. Initially, I thought this was absurd, as we had not authenticated. However, I have seen a lot of odd application behaviours, so this shouldn’t have surprised me that much.
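The behaviour described here, changing another user’s password from a User Info page reached without logging in, is a missing authorization check on the id parameter (an insecure direct object reference). As an added example that is not the mission’s code, the Python below shows the server-side rule the userinfo script should enforce: a session may only change the password of its own user or, when it is an admin session, of another user, and a self-service change must present the current password. The user store, roles and passwords are constructed for the example; only the ids -1 and 0 and the two usernames come from the page.

```python
import hashlib
import hmac
import secrets

# Constructed user store keyed by numeric id. The ids -1 and 0 and the two
# usernames mirror the page; the passwords and the admin user are made up.
USERS = {}


def _hash(password, salt):
    """PBKDF2-HMAC-SHA256 with a per-user salt (stored hash form)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _add_user(uid, name, password, role="user"):
    salt = secrets.token_bytes(16)
    USERS[uid] = {"name": name, "salt": salt,
                  "hash": _hash(password, salt), "role": role}


_add_user(-1, "rsmith", "example-pass-1")
_add_user(0, "aclu_bomber_08290", "example-pass-2")
_add_user(7, "site-moderator", "example-pass-3", role="admin")


class Forbidden(Exception):
    """Raised when the session is not allowed to perform the change."""


def can_modify(session_uid, target_uid):
    """Authorization rule the userinfo page lacks.

    None stands for an anonymous (unauthenticated) session and is never
    allowed. Otherwise the session must belong to the target user or to
    an admin, and the target must exist.
    """
    if session_uid is None or session_uid not in USERS:
        return False
    if target_uid not in USERS:
        return False
    if session_uid == target_uid:
        return True
    return USERS[session_uid]["role"] == "admin"


def change_password(session_uid, target_uid, current_password, new_password):
    """Handler for the password-change form.

    Besides the ownership/admin check, a self-service change re-verifies the
    current password, so possession of a session alone is not enough to
    lock the real user out.
    """
    if not can_modify(session_uid, target_uid):
        raise Forbidden("session may not change this user's password")
    user = USERS[target_uid]
    if session_uid == target_uid:
        expected = _hash(current_password, user["salt"])
        if not hmac.compare_digest(user["hash"], expected):
            raise Forbidden("current password does not match")
    if len(new_password) < 12:
        raise ValueError("new password too short")
    user["salt"] = secrets.token_bytes(16)
    user["hash"] = _hash(new_password, user["salt"])
    return True


def verify_login(uid, password):
    """Constant-time check of a submitted password against the store."""
    user = USERS.get(uid)
    if user is None:
        return False
    return hmac.compare_digest(user["hash"], _hash(password, user["salt"]))
```

The important line is the first one in change_password: the id in the URL selects the target, but the session decides whether the request is allowed, and those two must never be the same input.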

Web Application SQL Functionality
After changing the user’s password, we’re able to log in to their account. The account has access to a moderation page with an input box for SQL queries. We also know, from our OS command injection, that there was a database file called ‘bs.dbase’.

If we view the page source of the application, we can see that there is a hidden parameter called ‘sql_db’ with the value ‘rwr.dbase’. This is not the database we want to query.

However, we can modify the parameter to point it at the database we want to query. We also know the location of that database, because our OS command injection ran in the root of the application. By modifying the parameter to move up three directories, we should be able to query the main database.

Dumping Web Users
As this is an SQLite database, we need to query the ‘sqlite_master’ table to find out what tables are held within it. We can do this by running the query below. I have included the output, which informs us that there is a table called ‘web_hosting’.
SELECT name FROM sqlite_master WHERE type ='table';
name
web_hosting
Next, we can tell the database to dump the entire contents of the ‘web_hosting’ table.
SELECT * FROM web_hosting;
As you can see from the screenshot and the table below, we were able to get a list of users, passwords, email addresses, and their ‘web_package’ identifiers. From this information, the user ‘wonderdiet’ appears to be the administrator: their ‘web_package’ id is 1, which suggests their site was the first one created, and they have admin in their email address.

| web_package | web_pass | web_user | web_email |
|---|---|---|---|
| -1 | notofthisworld | space46 | [email protected] |
| 4 | letgodsortitout | therightwayradio | [email protected] |
| 1 | suckereveryminute | wonderdiet | [email protected] |
Accessing Admin Area
If we head back to the admin area we discovered earlier, we should now be able to log in with the ‘wonderdiet’ user and their password ‘suckereveryminute’. Once logged in to the admin area, we have a number of options, including the ability to download a file.

By clicking the download link, we’re redirected to a page that shows the full path of the file being downloaded. We know from the directory listing and the filename given to us by the client where the file is located.

By modifying the URL to point to the ‘src.tar.gz’ file, we should be able to download their backup file and complete the mission. I have included the full URL path to the file below.
https://www.hackthissite.org/missions/realistic/11/admin/d.pl?file=/var/www/budgetserv/html/client_http_docs/space46/src.tar.gz
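Both the hidden sql_db field on the moderation page and the file parameter of d.pl accept a filesystem path from the client, which is why moving up three directories reaches bs.dbase and why an absolute path reaches another client’s src.tar.gz. As an added example (not the mission’s Perl), this Python confines both values to a fixed directory using realpath and a suffix check, and opens the moderation database read-only so the SQL console cannot write. The directory constants are assumptions modelled on the /var/www/budgetserv/html/ path visible in the download URL; the demo() function builds a throwaway SQLite file in a temporary directory to exercise the checks.

```python
import os
import sqlite3
import tempfile
from urllib.parse import quote

# Assumed document roots for this example, modelled on the path in d.pl's URL.
RADIO_ROOT = "/var/www/budgetserv/html/client_http_docs/therightwayradio"
DOWNLOAD_ROOT = "/var/www/budgetserv/html/admin/downloads"


def resolve_within(base_dir, user_value, allowed_suffixes=()):
    """Return the real path of user_value inside base_dir, or None.

    None is returned when the value is empty, absolute, contains a NUL, escapes
    base_dir through '..' or a symlink, or lacks an allowed suffix. Relative
    values are joined to base_dir before resolution.
    """
    if not user_value or os.path.isabs(user_value) or "\0" in user_value:
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_value))
    if os.path.commonpath([base, candidate]) != base:
        return None
    if allowed_suffixes and not candidate.endswith(tuple(allowed_suffixes)):
        return None
    return candidate


def open_db_readonly(db_value, db_dir=RADIO_ROOT):
    """Open the database named by the sql_db field, read-only.

    Only a .dbase file inside db_dir is accepted; anything else raises
    PermissionError before SQLite sees the path.
    """
    path = resolve_within(db_dir, db_value, (".dbase",))
    if path is None:
        raise PermissionError(f"refusing sql_db value {db_value!r}")
    return sqlite3.connect(f"file:{quote(path)}?mode=ro", uri=True)


def download_path(file_value, download_dir=DOWNLOAD_ROOT):
    """Map d.pl's ?file= parameter to an archive under download_dir.

    Absolute paths and traversal are refused, so files elsewhere under
    client_http_docs are not reachable through the admin download link.
    """
    return resolve_within(download_dir, file_value, (".tar.gz", ".zip"))


def demo():
    """Exercise the checks against a temporary stand-in for the radio site."""
    out = {}
    with tempfile.TemporaryDirectory() as root:
        db_path = os.path.join(root, "rwr.dbase")
        con = sqlite3.connect(db_path)
        con.execute("CREATE TABLE posts(id INTEGER, body TEXT)")
        con.commit()
        con.close()

        ro = open_db_readonly("rwr.dbase", root)           # the legitimate value
        rows = ro.execute("SELECT name FROM sqlite_master WHERE type='table'")
        out["tables"] = [r[0] for r in rows]
        try:
            ro.execute("INSERT INTO posts VALUES (1, 'x')")
            out["write_blocked"] = False
        except sqlite3.OperationalError:                    # read-only database
            out["write_blocked"] = True
        ro.close()

        try:
            open_db_readonly("../../../bs.dbase", root)    # the traversal value
            out["traversal_blocked"] = False
        except PermissionError:
            out["traversal_blocked"] = True

    out["absolute_blocked"] = download_path(
        "/var/www/budgetserv/html/client_http_docs/space46/src.tar.gz") is None
    out["relative_ok"] = download_path("site-backup.tar.gz") is not None
    return out


if __name__ == "__main__":
    print(demo())
```

A stricter design for d.pl is to not accept a path at all and instead map an opaque download id to a file on the server side; the confinement check above is the minimum if the parameter has to stay a filename.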
Congratulations, you should now have completed this mission.
