Thanks for stopping by, today we’re looking at the Hack This Site Realistic Web Mission Level 7. This challenge was a lot of fun. Regardless of how old Hack This Site is, it’s still one of the most immersive platforms for testing your hacking skills. The techniques used are still relevant today. That said, many of the vulnerabilities are ones you would certainly hope not to find on large corporate websites. If you haven’t seen my other posts on the realistic series you can do so here: Part 1, Part 2, Part 3, Part 4, Part 5, and Part 6.
Navigating to this challenge, you will be sent a message from FreedomOfChoice. To paraphrase the message, they explain that they have found a hate speech website that is asking to be hacked. It is a homophobic website that likes to dictate how other people should live their lives. What’s concerning is how these issues are still relevant today despite these challenges being as old as they are. Progress is slow I guess. I digress, FreedomOfChoice would like us to hack into the admin area of the website, which he suggests is hidden somewhere in the directory structure.
Exploring The Web Application
Upon visiting the application we are presented with the standard hate speech that the internet could use less of. That’s ok though, through our efforts this website is going to cease to exist. At first glance, the website appears to be fairly basic with only a few hyperlinks. We will need to delve a little deeper into the dark recesses of the application to find something we can exploit.
After clicking around the application, I noticed that it’s calling image files in a peculiar way. It’s peculiar because it appears to be performing local file inclusion to read a text file. The local file inclusion immediately sets off alarm bells. As you can see, the showimages.php script has a parameter called file, which is being passed patriot.txt.
If we navigate to patriot.txt, we can see that it holds a list of images that live in the images directory. This is an odd way to embed images into a website. Perhaps we can use it to our advantage.
Web Directory Listing Enabled
Navigating to the images directory, we have scored: as the image below shows, directory listing is enabled. One important element of cyber security is minimizing information disclosure. Having directory listing enabled can divulge information about the application such as its structure and the technologies in use, and can even expose other sensitive information through readable files. Here, there is an admin directory.
Attempting to access the admin directory gives us the expected Unauthorized error message. However, the login prompt appears to be generated by an htaccess and htpasswd file combination. Previously, the other challenges we have seen used an SQL-backed application login.
Exploiting The Web Application
At this point, it’s safe to assume that the application is using htpasswd for authentication. We also know that the file parameter performs local file inclusion to fetch the list of image files. In short, perhaps we can use the local file inclusion to our advantage and list the contents of the admin directory without authenticating.
In order to test this, I used a tool called DIRB, a directory and file brute-forcing tool. The admin directory is at /images/admin, so I told DIRB to search that directory through the showimages.php?file= parameter.
Web Local File Inclusion
The image above shows the results from running DIRB. As you can see, DIRB found both the htaccess and htpasswd files hidden in the admin directory. This also means that we can use the showimages.php?file= parameter to read the contents of those files. Let’s start with the htaccess file. As the picture below shows, the htaccess file references the htpasswd file, which confirms our suspicion that it is being used for authentication.
Now, if we look at the htpasswd file, we can see that it contains a password hash for the administrator user. Perhaps we can crack this hash and use it to log in to the admin area of the application.
With the hash saved in a file called hash.txt, we spin up our Linux ParrotOS virtual machine and ask our dear old friend John The Ripper to crack it for us. I didn’t supply any flags, I just pointed John at the file and he got to work. John quickly identified that it was an MD5 hash. John also cracked the password surprisingly quickly given I was running it on a virtual machine. However, I assume that shadow is fairly high up in the default wordlist.
With the hash cracked and the password saved, we can navigate back to the /images/admin directory and see if our newly acquired administrator password works. When the login box pops up, input administrator for the username and shadow for the password. Click Sign In and you should be authenticated.
And with that, you should be done. Congratulations, you have now completed Realistic 7.
There is a fair bit to break down in this mission. Let’s get directory listing out of the way, as it’s something we have touched on before. Directory listing can expose sensitive information to the public. It’s fairly easy to turn off on most web servers, and doing so will limit the amount of information a malicious actor can obtain about the environment.
Local file inclusion was the next technique that we used to gather information about the application. I’m pleased to see that the application was using a relative path rather than an absolute path. This minimized information disclosure, but the problem was with the way the application was calling the image files. Rather than hard-coding them into the source, it was using a parameter. This allowed us to exploit the trust placed in that parameter and use it to read other files on the webserver.
Permissions were also lax: the parameter allowed us to access files in the admin directory, which should not have been possible.
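As an added example (not code from Hack This Site or from this post), here is the showimages.php pattern described above, reconstructed as a hypothetical vulnerable snippet, beside a hardened version that allow-lists the file name and confines resolution to the images directory. The directory layout and the name resolveListFile are assumptions.

```php
<?php
declare(strict_types=1);

/*
 * Original pattern as the post describes it (hypothetical reconstruction):
 * the file parameter is trusted and read as-is, so a request such as
 * file=admin/.htpasswd returns the password hash instead of an image list.
 *
 *   $lines = file($_GET['file']);
 *   foreach ($lines as $img) { echo '<img src="images/' . $img . '">'; }
 */

// Hardened version: only plain "name.txt" files inside images/ are readable.
const IMAGE_LIST_DIR = __DIR__ . '/images';

function resolveListFile(string $name): ?string
{
    // Allow-list the shape of the name: no slashes, no leading dot, .txt only.
    if (!preg_match('/\A[A-Za-z0-9_-]+\.txt\z/', $name)) {
        return null;
    }
    $base = realpath(IMAGE_LIST_DIR);
    $real = realpath(IMAGE_LIST_DIR . '/' . $name);
    // Defence in depth: realpath() resolves symlinks and "..", so the
    // canonical path must still sit directly under the images directory.
    if ($base === false || $real === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

$path = resolveListFile((string) ($_GET['file'] ?? ''));
if ($path === null) {
    http_response_code(400);
    exit('Invalid image list.');
}

foreach (file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $img) {
    // Apply the same allow-list to each listed image before it reaches the page.
    if (preg_match('/\A[A-Za-z0-9_-]+\.(jpe?g|png|gif)\z/i', $img)) {
        echo '<img src="images/' . htmlspecialchars($img, ENT_QUOTES) . '" alt="">', "\n";
    }
}
```

With this in place the admin directory's htpasswd file can no longer be read through the script, whatever the filesystem permissions; the directory listing noted earlier is a separate fix, handled on Apache with the Options -Indexes directive.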
Anyway, I feel a bit like Captain Hindsight, so with the challenge complete I hope you enjoyed this post. Check back soon for more hacking.