Hack This Site: Realistic Web Mission – Level 11

Hack This Site Realistic 11

Howdy, thanks for visiting HaXeZ. Today we’re looking at Hack This Site Realistic Web Mission Level 11. I didn’t enjoy this challenge as much as the others. The reason is that this mission no longer works as intended. I suspect this may be due to improvements in browser security or changes made to the application by its creator. The challenge previously required you to steal cookies through your user agent. However, that no longer appears to be a requirement. If you haven’t seen my other posts on the realistic series, you can find them here: Part 1, Part 2, Part 3, Part 4, Part 5, Part 6, Part 7 and Part 8.

Hack This Site: Realistic Web Mission – Level 11

Introduction

We’ve received a message from Space46, who explains that his ISP has suspended his web application because it suspects him of hacking another website on the server. He has asked us to recover a backup of his website, which is still hosted on the server. The backup file is called “src.tar.gz”.

Message From Space46

Exploring The Web Application

Navigating to the web application, we can see that it looks like a basic hosting provider’s website. There are a number of navigation options, but none of them appears to link to anything interesting. There’s a webmail page which we could attempt to brute force if we can’t find anything else.

Budget Serv Web Application

OS Command Injection

One thing that caught my eye was the way in which the application was calling pages. There appears to be a Perl script that loads different files based on the page parameter. You can see an example of the Perl script calling the features page below.

https://www.hackthissite.org/missions/realistic/11/page.pl?page=features

We can attempt to exploit this functionality and use it to our advantage by changing the value of the page parameter to a Linux operating system command. In this instance, we’re going to use the ‘ls’ command to list the contents of the current directory.

https://www.hackthissite.org/missions/realistic/11/page.pl?page=|ls|

As you can see from the screenshot below, the command worked and we can see the contents of the directory. We should take note of all the files listed as they could help us in the future.

Web Application – OS Command Injection
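The behaviour above is what a page parameter should never allow: a value meant to name a file reaching a shell or a Perl two-argument open() as a pipe. The following added example (my own code, not HaXeZ’s or Hack This Site’s) shows the two things a defender wants here: a dispatcher that maps an allowlisted key to a file so no user string is ever interpreted, and a small log scanner that flags page= values carrying shell metacharacters, URL-decoded first so the encoded form is caught too. The page names, file paths and access-log lines are constructed for the example.

```python
import re
from urllib.parse import urlparse, parse_qs

# Hypothetical allowlist standing in for the pages that page.pl serves: the client
# supplies a key, and the server alone decides which file that key maps to.
PAGES = {
    "home": "pages/home.html",
    "features": "pages/features.html",
    "webmail": "pages/webmail.html",
}


def resolve_page(page_param):
    """Hardened dispatcher: anything not on the allowlist resolves to None
    (the caller answers 404), so no user-controlled string ever reaches
    a shell or a Perl two-argument open()."""
    return PAGES.get(page_param)


# Characters that turn a "file name" into a pipe or a shell construct.
SHELL_META = re.compile(r"[|;&`$<>(){}\r\n]")


def flag_suspicious(log_lines):
    """Scan access-log lines and return (request, parameter, value) for every
    page= value carrying shell metacharacters, after URL-decoding it."""
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST) (\S+)', line)
        if not m:
            continue
        request = m.group(1)
        query = parse_qs(urlparse(request).query, keep_blank_values=True)
        for value in query.get("page", []):
            if SHELL_META.search(value):
                hits.append((request, "page", value))
    return hits


# Constructed sample log lines (Apache combined format, made-up addresses and times);
# the second and third carry the walkthrough's |ls| value, the third URL-encoded.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "GET /page.pl?page=features HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Jan/2024:10:00:09 +0000] "GET /page.pl?page=|ls| HTTP/1.1" 200 1480',
    '198.51.100.7 - - [01/Jan/2024:10:01:13 +0000] "GET /page.pl?page=%7Cls%7C HTTP/1.1" 200 1480',
    '198.51.100.7 - - [01/Jan/2024:10:01:20 +0000] "GET /page.pl?page=webmail HTTP/1.1" 200 640',
]

if __name__ == "__main__":
    for hit in flag_suspicious(SAMPLE_LOG):
        print("suspicious:", hit)
```

The scanner is a triage aid, not a filter: the fix is the allowlist, and the log check exists so that attempts like the one above show up in review even when the dispatcher already refused them.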

Further Exploration

The results of the OS command injection showed an admin directory. Navigating to that directory reveals a login page. Unfortunately, we don’t have any credentials for it yet so we will have to explore the web application further.

Web Application – Service Panel Login

The next file in the listing is a ‘bs.dbase’ file, which appears to be a database file. Needless to say, we can’t access it, but we should remember the name for later. The next directory is the ‘client_http_docs’ directory, which appears to contain all the web applications being hosted. Navigating to this directory shows a number of directory listings, including ‘space46’. Sadly, attempting to access this directory produces an error message informing us that the application has been suspended.

Web Application – Directory Listing

The other directories appear to contain hosted applications. One of these applications is The Wonder Diet, as shown in the image below. Another is about a potato and is still under construction. Browsing these applications didn’t appear to offer anything that we could exploit.

The Wonder Diet

The Right Web Application

The ‘rightwayradio’ directory contains what appears to be a radio web application. It has some basic functionality, including a login form. There’s also a message on the landing page from the user ‘rsmith’. If we click on that user, it takes us to the User Info page for that user.

The Right Way Radio Web Application

Exploiting Web Application Users

If we look at the URL, we can deduce that the user page is selected by the id parameter of the ‘userinfo’ script. Furthermore, we can see that the user ‘rsmith’ has a user id of -1. If we experiment with the parameter, we can retrieve other users’ information.

client_http_docs/therightwayradio/?page=userinfo&id=-1

By changing the value of the parameter from -1 to 0, we can retrieve the page for the user ‘aclu_bomber_08290’. As can be seen from the image below, we also have the ability to change that user’s password. Initially, I thought this was absurd as we had not authenticated. However, I have seen a lot of odd application behaviours, so this shouldn’t have surprised me that much.

Admin User
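Two separate defects sit in that user page: the id parameter selects any account (an insecure direct object reference), and the password change trusts that id with no session at all. The added example below (my own code, not the mission’s) models a user store with the two ids seen above and shows the unauthenticated change beside a hardened version that requires a session and checks that the session user owns the account. The user table, passwords and return strings are constructed for the example.

```python
# Constructed stand-in for the radio site's user table; ids mirror the ones seen in
# the walkthrough (-1 for rsmith, 0 for the moderator) and the passwords are made up.
USERS = {
    -1: {"name": "rsmith", "password": "placeholder-1", "moderator": False},
    0: {"name": "aclu_bomber_08290", "password": "placeholder-2", "moderator": True},
}


def view_user(user_id):
    """?page=userinfo&id=N: a public profile may be readable by anyone, but it must
    only expose public fields, never the password."""
    user = USERS.get(user_id)
    if user is None:
        return None
    return {"id": user_id, "name": user["name"], "moderator": user["moderator"]}


def change_password_vulnerable(user_id, new_password):
    """What the page appears to do: trust the id parameter and require no session."""
    if user_id not in USERS:
        return "no such user"
    USERS[user_id]["password"] = new_password
    return "ok"


def change_password(session_user_id, user_id, new_password):
    """Hardened form: a valid session is required, and the session's user must be
    the account being changed (an id in the URL is not proof of ownership)."""
    if session_user_id is None:
        return "authentication required"
    if session_user_id != user_id:
        return "forbidden"
    if user_id not in USERS:
        return "no such user"
    USERS[user_id]["password"] = new_password
    return "ok"
```

The ownership check is deliberately the session id rather than a hidden form field or the URL: anything the browser sends can be edited, which is exactly how the walkthrough moved from id -1 to id 0.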

Web Application SQL Functionality

After changing the user’s password, we’re able to log in to their account. Their account has access to a moderation page with an input box for SQL queries. We also know, from our OS command injection, that there is a database file called ‘bs.dbase’.

Web Application – SQL Query

If we view the page source of the application, we can see that there is a hidden parameter called ‘sql_db’ with the value ‘rwr.dbase’. This is not the database we want to query.

Web Application Page Source

However, we can modify the parameter to tell it to query the database that we want to query. We also know the location of the database because our OS command injection was run in the root of the application. By modifying the parameter and telling it to move up three directories, we should be able to query the main database.

Modified Form

Dumping Web Users

As this is an SQLite database, we need to query the ‘sqlite_master’ table to find out which tables it holds. We can do this by running the query below. I have included the output, which tells us that there is a table called ‘web_hosting’.

SELECT name FROM sqlite_master WHERE type ='table';

name
web_hosting

Next, we can tell the database to dump the entire contents of the ‘web_hosting’ table.

SELECT * FROM web_hosting;

As you can see from the screenshot and the table below, we were able to get a list of users, passwords, email addresses, and their ‘web_package’ identifiers. From this information, the user ‘wonderdiet’ appears to be the administrator. Their ‘web_package’ id is 1, which suggests their site was the first one created, and they have admin in their email address.

Usernames and Passwords

web_package  web_pass           web_user          web_email
-1           notofthisworld     space46           [email protected]
4            letgodsortitout    therightwayradio  [email protected]
1            suckereveryminute  wonderdiet        [email protected]

Users and Passwords
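To make the two queries above concrete, and to show what the moderation page should have done with a free-text SQL box, here is an added example in Python (my own code, not the mission’s). It builds an in-memory SQLite copy of the web_hosting table with the rows from the table above (email addresses are made-up placeholders), runs the sqlite_master enumeration and the dump, validates a table name against the schema before interpolating it (table names cannot be bound as parameters), and finally locks the connection to read-only statements with sqlite3’s authorizer so that UPDATE, DROP, PRAGMA and ATTACH are refused.

```python
import sqlite3


def build_sample_db():
    """Constructed in-memory stand-in for bs.dbase with the walkthrough's columns
    (passwords are the ones the page lists; email addresses are placeholders)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE web_hosting "
        "(web_package INTEGER, web_pass TEXT, web_user TEXT, web_email TEXT)"
    )
    conn.executemany(
        "INSERT INTO web_hosting VALUES (?, ?, ?, ?)",
        [
            (-1, "notofthisworld", "space46", "space46@example.invalid"),
            (4, "letgodsortitout", "therightwayradio", "radio@example.invalid"),
            (1, "suckereveryminute", "wonderdiet", "admin@example.invalid"),
        ],
    )
    conn.commit()
    return conn


def list_tables(conn):
    """The schema query from the walkthrough: sqlite_master holds every table name."""
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'").fetchall()
    return [r[0] for r in rows]


def dump_table(conn, table):
    """SELECT * for one table. The name is checked against the schema first, because
    identifiers cannot be passed as bound parameters."""
    if table not in list_tables(conn):
        raise ValueError(f"unknown table: {table!r}")
    cur = conn.execute(f'SELECT * FROM "{table}"')
    return [d[0] for d in cur.description], cur.fetchall()


def lock_read_only(conn):
    """Install an authorizer that permits only reading. Everything else, including
    ATTACH (which is how a query could be pointed at another database file),
    PRAGMA, UPDATE and DROP, is denied at statement-compile time."""
    allowed = {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ, sqlite3.SQLITE_FUNCTION}

    def authorizer(action, arg1, arg2, dbname, source):
        return sqlite3.SQLITE_OK if action in allowed else sqlite3.SQLITE_DENY

    conn.set_authorizer(authorizer)


def moderation_query(conn, sql):
    """What a moderation SQL box should do with untrusted text: run it on a
    read-only-locked connection and report denial instead of executing it."""
    try:
        return True, conn.execute(sql).fetchall()
    except sqlite3.DatabaseError as exc:
        return False, str(exc)
```

The authorizer is the part worth copying: it cannot be bypassed by comment tricks or stacked statements, because SQLite consults it for every action while compiling the statement, before any row is touched.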

Accessing Admin Area

If we head back to the admin area that we discovered earlier, we should now be able to log in with the ‘wonderdiet’ user and their password of ‘suckereveryminute’. Once logged in to the admin area, we have a number of options, including the ability to download a file.

Web Application – Admin Panel

By clicking the download link, we’re redirected to a page that shows the full path of the file being downloaded. From the directory listing and the filename the client gave us, we know where the file is located.

URL

By modifying the URL to point to the ‘src.tar.gz’ file, we should be able to download the backup file and complete the mission. I have included the full URL path to the file below.

https://www.hackthissite.org/missions/realistic/11/admin/d.pl?file=/var/www/budgetserv/html/client_http_docs/space46/src.tar.gz
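Both the ‘sql_db’ hidden field on the moderation page (pointed three directories up with ../) and the d.pl file parameter above (given an absolute path) fail in the same way: a client-supplied path is used as-is. The added example below (my own code, not the mission’s) confines a requested name to a base directory with pure path arithmetic, so it runs offline, and applies it to both cases with the values from this walkthrough. The app root is taken from the URL above; the download directory and the database names are assumptions.

```python
import posixpath

# Layout assumed from the walkthrough: the root is taken from the d.pl URL, the
# radio application's directory from the listing, and DOWNLOAD_DIR is hypothetical.
APP_ROOT = "/var/www/budgetserv/html"
RADIO_DIR = APP_ROOT + "/client_http_docs/therightwayradio"
DOWNLOAD_DIR = APP_ROOT + "/admin/downloads"


def confine(base_dir, requested):
    """Join `requested` (already URL-decoded by the web server) under base_dir and
    return the normalised path, or None if it is empty, absolute, the base itself,
    or anything that resolves outside base_dir."""
    if not requested or requested.startswith("/"):
        return None
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, requested))
    # The trailing slash matters: ".../downloads_evil" must not pass as ".../downloads".
    if not candidate.startswith(base + "/"):
        return None
    return candidate


# Assumed: the only database the moderation page is ever meant to open.
ALLOWED_DATABASES = {"rwr.dbase"}


def select_database(sql_db):
    """Hidden-field value -> database path. A fixed choice should be an allowlist
    lookup, not a path the browser is trusted to compose."""
    if sql_db not in ALLOWED_DATABASES:
        return None
    return confine(RADIO_DIR, sql_db)


def download_path(file_param):
    """d.pl?file=... -> a path inside DOWNLOAD_DIR, or None for a refused request."""
    return confine(DOWNLOAD_DIR, file_param)
```

normpath only rewrites the string; on a real server, once the file is known to exist, resolve it with os.path.realpath as well so a symlink inside the download directory cannot point back out of it.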

Congratulations, you should now have completed this mission.

Congratulations