Category: Realistic

Hello world, welcome to haxez where today we’re looking at Hack This Site Realistic Web Mission Level 6. I’ve been putting this mission on hold to try and write a bash script to decrypt the encryption. However, after several attempts at writing it and not making much progress, I decided to use somebody else’s script. I understand how the algorithm works and how to reverse it. However, writing something to reverse was proving harder than anticipated. If you haven’t seen my other posts on the realistic series you can do so here: Part 1, Part 2, Part 3, Part 4, and Part 5.

Realistic 6 Introduction

We have a message from ToxiCo_Watch. They explain that they have been sniffing their companies network due to a toxic waste scandal. They believe that the company has paid off the inspectors but want evidence to prove it. During their network sniffing, they were able to capture, what they believe to be an encrypted message. However, they are having trouble decoding the message and have asked us to help.

Realistic 6 Encrypted Message

ToxiCo_Watch has provided us with a link to a web application that contains the encoded message. The application also contains a link to the web application tool used to encode it. You can see from the image below that the message appears to be a full stop followed by three numbers. This pattern repeats until the end of the message.

Web Encryption Tool

If we head over to the link provided, we have an input box for the text to be encrypted. We also have an input box for the encryption password. If we submit a value without a password, we get some numbers at the top of the screen (4, 44, 49). If we add these numbers together we get 97. 97 is the ASCII decimal number for the letter A, we can repeat this process for other letters and get their corresponding ASCII decimal values returned. However, when we add a value to the encryption password box, the value changes. The value supplied to the encryption password box is also being converted to an ASCII decimal which is being added to the value of the submitted text ASCII value. It is then being split into three numbers which when calculated equals the ASCII value of the text plus the encryption password.

Web Decryption Tool

Provided I explained the encryption process well enough, I should be able to explain how to decrypt it. First, I was going to copy the encoded message into a text file. Second, I was going to use sed to remove the full stops or periods. Third, I was going to use a loop with “expr substr” to pull 3 characters from the file. I was also going to us a variable that incremented 3 digits to jump to the next three characters. Fourth, I was going to calculate the value of the three numbers. Fith, I was going to subtract an incrementing value (representing the encryption password) from the total value. The script would then echo the results to the terminal.

This should have allowed me to identify the correct conversion. However, the script hasn’t gone as planned. I haven’t had as much time to work on it as I would have liked due to other commitments. Fortunately, my programming incompetence can be bypassed by using somebody else’s programming genius. Graeme Robinson’s blog has a great JavaScript solution which we can use to decode the message.

Emailing The Client

Once we have the decoded information, we can send it in a message to ToxiCo_Watch. This should complete the challenge. I hope you can forgive me for not writing my own script to solve this one. I had a basic proof of concept ready but just haven’t had the time to complete it. Perhaps I will in the future and then update this blog.

Hello world, welcome to haxez where today we’re are looking at Hack This Site Realistic Mission 5. This is a fun challenge that requires you to enumerate the web application and then cracked the discovered hashes. In order to solve this mission, you will need some basic knowledge of how Linux web servers work and some knowledge of what password hashes are and how to crack them. If you haven’t seen my other posts on the realistic series you can do so here: Part 1, Part 2 and Part 3.

The purpose of this mission is to hack a password for a telemarkets website. With that password, we are to desotry the database thus restoring privacy to the lives of their victims. In order to get the password, we will need to explore the web application to look for clues. Upon logging in we receive the following communication from

Exploring The Realistic 5 Web Appliation

Spiffomatic64 has given us a link to the telemarketer’s application. Visting the web application presents us with the page depicted in the image below. The application has some basic functionality such as a news page, a contact page, and a database page.

Navigating to the news page tells us a lot about the application. Probably more than the creator should have told us. For instance, they inform us that the website was previously hacked. They also inform us that google was grabbing links it shouldn’t so they have taken extra precautions. In order to stop google indexing certain parts of a web application, you can add a Robots Exclusion Standard file to the root of your domain. By adding URLs to the robots.txt file you are telling Google you don’t want those URL’s indexed the next time it crawls the application.

Delving Deeper

Navigating to the robots.txt file we can see that the file is telling all User-Agent (denoted with the asterisk) to disallow indexing of /lib and /secret. Search engine spiders have their own User-Agents that allow applications to identify them and whitelist them. See my post on User-Agent switching on how this could be abused.

Navigating to each of these directories reveals some interesting files. Firstly, in the secrets directory, we have an admin.bak.php file and an admin.php file. We can deduce that the admin.bak.php is likely a backup of the admin.php file. Attempting to access the admin.php file results in an incorrect password warning. This allows us to conclude that the admin.php page is the page we’re attempting to gain access to.

Moving forward, let’s take a look at the admin.bak.php file. I’ve downloaded a copy of this file to my virtual machine and used the cat command to display the contents. We can see from the file that there is a reference to MD4. MD4 is a hashing algorithm that was used to hash passwords. Hashing passwords attempts to protect passwords in the event that they are leaked.

The Application Hack

Going back to the robots.txt file there was another directory called lib. Navigating to this directory shows a file called hash. If we download this file and view the contents it appears as if we have recovered a password hash of “51ba17c17338c1031e11432dfb47105a”.

Based on the information we found in the admin.bak.php file, we can safely assume that the hash is an MD4 . Fortunately, MD4’s are a fairly old hashing algorithm and can be cracked easily. I attempted to crack the hash online using crackstation.net and a few other sites but it appears the sneaky admin’s over at Hack This Site like to change the hashes periodically, and this hash hadn’t been cracked before. So in order to crack the hash we needed to contact our old friend John. Using John The Ripper I specified the format of MD4 and told John which file to crack. Normally I would specify a wordlist but I left John to use his default one. The command to crack the hash is as follows.

john --format=raw-MD4 <file-to-crack>

Once the correct password has been recovered, you can head over to the database link on the main page and paste it in. This should complete the mission.

Hello and welcome to haxez, today we’re looking at Hack This Site Realistic Web Mission Level 4. I liked this challenge although I was confused about the syntax used to complete the mission. The mission requires you to perform a UNION ALL SQL Injection in order to grab email addresses from a database. Once you have the email address, you need to email them to the client. If you haven’t seen my other posts are the realistic series you can do so here: Part 1, Part 2 and Part 3.

The mission should you chose to accept it is to hack the FAP website and steal the email addresses of everyone on the mailing list. Why?, because FAP kills animals to sell their pelts to rich customers. SaveTheWhales has kindly asked us if we can get the mailing list and send it to him so that he may “contact them”.

Exploring The Realistic 4 Website

Visiting the website, you’re greeted with a fairly simple page that explains what the web application is about. There is a submission box to add your email address to the mailing list. There are also two links, one to Fur Coats and one to Alligator Accessories (poor Alligators). We could try attacking the mailing list submission system but for now, let’s continue exploring the application.

Following the Fur Coats and Alligator Accessories links takes you to the corresponding product pages. These pages appear to be dynamic, as though they were being generated by an SQL Query. If we look at the structure of the page, it can be broken down into three database columns Picture, Description, and Price. We can also assume that there is a table for email addresses.

The Website Hack

Although the application didn’t error when appending a single quotation mark. We can still attempt to perm a UNION SQL injection. The syntax for the specific SQL injection to retrieve the data confuses me slightly. For example, W3Schools and Portswigger have excellent articles on UNION SELECT and UNION SQL injections. W3Schools explains that the difference between UNION SELECT and UNION ALL SELECT is that UNION ALL SELECT will include duplicate values whereas, UNION SELECT won’t. The information that we exfiltrate from the database doesn’t have duplicate values but the UNION SELECT injection doesn’t work. Furthermore, Portswigger has a number of examples and they all start with a single quotation mark to break out of the existing SQL query. Adding a single quotation mark to the UNION ALL SELECT command here doesn’t work. I’m probably misunderstanding what’s going on but feel free to leave me a comment.

Anyway, back to the hack. So we know there are likely three table columns. One for the product picture, one for the product description, and one for the product price. We also know that there is likely a table called email, or emails. With this information, we can structure our UNION ALL SELECT command.

SQL Injection

Firstly, in order to perform an SQL injection on realistic 4, we need to tell the application what type of query we’re performing.

UNION ALL SELECT

Secondly, we tell the database what columns we want and what column we want to inject our data into. This works with both columns two and three. However, if you inject it into column two your font will be normal but if you inject it into column three your font will be bold. This matches the formatting of the website.

NULL, *, NULL, NULL

Finally, we tell it where we want to query the data from. For example, we want to pull the data from the email table. We also need to end the query with a semicolon.

FROM EMAIL;

Put it all together and you should have an SQL injection that looks like the following.

UNION ALL SELECT NULL, *, NULL, NULL FROM email;

Moving forward, we need to append the SQL injection to the end of the URL after the 1. The query should look something similar to the image below depending on your injection point and the case of your characters.

Once you have done that, hit return on your keyboard and you should see the web application load with some additional information. The email addresses from the mailing list have been included with the product queries.

Copy the email addresses from the page and head back to the main HackThisSite website. Click your name on the left-hand side and then when your profile loads, click it again. You will now a send message box. Change the recipient to SaveTheWhales and send them the list of email addresses that you hacked from the FAP website.

That’s it, you should now have completed this mission. This was a fun mission that uses a practical exploitation technique in the form of a UNION-based SQL injection. While I argue that the syntax is a bit odd and will wait for someone to correct me before changing my mind, it is a good example. What we can learn from this is that queries to back-end databases should use prepared statements. Use prepared statements!!!

Anyway, thats Realistic 4 hacked and that’s it for today. I hope you enjoyed it. Please check out the video and I will see you next time.

Hello world, welcome to haxez where today we are looking at Hack This Site Realistic Mission number 3. This mission requires knowledge of website structures and how web forms work. To summarise, It’s a fun mission but some of the syntax is incorrect unless I’m mistaken. If you haven’t seen my other posts are the realistic series you can do so here: Part 1, and Part 2.

Upon navigating to realistic mission 4, you are greeted with the following message from PeacePoetry. The message explains that she has built her own site to submit and share peace-related poetry. However, someone has hacked her website and posted pro-war propaganda. She has asked whether we can hack her website to restore the original content.

Exploring The Realistic 3 Website

Upon visiting the website, we’re presented with a title that says the page has been hacked. There is a picture of a majestic and patriotic eagle. The website doesn’t have much functionality other than that.

There isn’t much going on at the surface level. Let’s dig a little deeper and see what is going on in the page source. As shown below, the image shows the page source and that the hackers kindly left a message to inform us where the old site was located. As a result, the old site can be found at oldindex.html.

If we navigate to the oldindex.html, we find the original website. Furthermore, It has a bit of dynamic functionality that allows you to submit and read poems. The Poem submission system appears to write the poems directly to the directory where the website is located. We can use the Poem submission system to restore the hacked website.

Restore Website Hack

If you head back to the oldindex.html page, you can view the page source. Select all of the page source and copy it to your clipboard or save it in a notepad document. Once you have it copied, head back to the poem submission system.

Paste the page source for the oldindex.html page into the Poem content box. In addition, name your Poem ../index.html. I’m not sure why we need to step up a directory to overwrite the current index.html page. Looking through the website content, everything appears to be stored in the /3/ directory. It shouldn’t require directory traversal to overwrite the page. I digress, with the name of the poem as ../index.html, it should overwrite the currently hacked index.html with the page source of the original website. This won’t fix the vulnerability. However, it will bring the old site back as the primary page.

Clicking submit will solve the challenge

Hello world, welcome to haxez where today we are looking at Hack This Site Realistic Mission level 2 where we need to hack the Nazis. Personally, I loved this mission. It’s much more immersive than the basic challenges as the website you need to hack could be real. While the web application only has two pages, the main page sets the tone instantly. In order to complete this mission, we need to perform an SQL Injection on the login page of the Nazi Web Application. Please check out my article on Realistic 1 if you haven’t already done so.

Navigating to Realistic 2 presents you with a message from someone called DestroyFacism. They have heard we are a good hacker and want our assistance taking care of the Nazis. The Nazis are organizing a hate rally against immigration. We can’t have that, let’s take them down.

Exploring The Realistic 2 Web Application

Loading their web application, the symbolism is strong. If you’re easily offended by Nazi symbolism then maybe this one isn’t for you. Personally, I love the fact that I’m getting to hack the Nazis, it feels so freaking cool. Anyway, back to the technical stuff. The website appears to be basic, there is no interaction other than the images. I don’t recommend clicking on them as they do link to a real Nazi website.

As there isn’t much going on at the surface, let’s look at what’s going on under the hood. There isn’t much to see except for a URL which we didn’t see on the main page. The URL references a page called update.php, as the main page is likely index.html or index.php we can assume this is a different page.

Navigating to update.php, we get a login form. This is going to be the method we use to hack the application. There could be a number of techniques used to hack it (such as brute-forcing), but we should test if the application is vulnerable to SQL injection. In order to do this, we can use a single quotation mark to escape the login forms SQL query and append our own data to the query.

Web Application Hack

Submitting a single quotation mark to the application caused it to error. This means the application isn’t using prepared statements for SQL queries. To elaborate, prepared statements use placeholders such as question marks to reference SQL queries. This means that the SQL query can’t be escaped because it is being called by the placeholder. However, as this application produced an SQL error it most definitely isn’t using prepared statements which means we can hack it.

By entering a value and escaping it with a single quotation mark, we can append our own SQL query to the current query. The value we are going to append is:

'or 1=1 --

This value will help us bypass the authentication because the answer is true. 1 does equal 1 so the SQL server will allow us to access the area of the application that the login form was protecting.

After submitting the value you will have completed the mission. This is by far one of the best missions I’ve come across doing labs. It’s an easy lab but the theme of it is brilliant, who wouldn’t love to hack Nazis. It also uses a practical exploit which is still common in the wild. Injection attacks were number 1 on the OWASP top ten up until recently. The lesson that can be learned from this is to use prepared statements when your web application needs to query a SQL server.

Hello world, welcome to haxez where today today we are looking at the Hack This Site Realistic Web Mission level 1. This mission requires the hacker to modify the source of the web application to modify its behavior. The reason behind the hack is to increase the rank of the band Raging Inferno. This hack uses a similar technique to one of the basic missions where we had to modify Sam’s email address to send the email to ourselves. If you want to read my posts about the basic missions, you can do so here.

Navigating to realistic mission 1, you are presented with a message from HeavyMetalRyan who explains that he made a bet that his band would be ranked first. Unfortunately, two of his band members died in an accident but the person he made the bet with insists the bet is still on. HeavyMetalRyan would like us to hack the web application so that his band is at the top of the chart.

Exploring The Realistic 1 Web Application

The functionality of the application appears to be basic. Each band is listed and has a voting option next to them. The voting option allows the user to submit a score between one and five. There doesn’t appear to be any other functionality on the application other than links to the band.

HeavyMetalRyan said in his message, that his band is called Raging Inferno. So far, they don’t appear to have the most rave reviews. Using the voting system appears to submit the value of the selected number back to the server. In order to hack the application, we will need to view the page source.

Web Application Hack

In order to “hack” the application, we need to look at the page source and make some modifications before submitting the vote. This can be done in many browsers by right-clicking on the page and selecting view source from the context menu. The image below shows the page source before modification. You can see that option 5 has a value of 5. When the vote button is pressed, the value 5 will be recorded as the vote.

In order to complete this challenge, we need to modify the value of 5 to a significantly higher value. This means that when the vote button is clicked, the higher value will be submitted rather than the value of 5. The image below shows the page source after the modification has taken place.

Once the value has been modified, we can select the option that we have modified and click the vote button. This should send the modified value back to the server instead of the originally intended value.

With the vote submitted you should have now completed the challenge. I hope you enjoyed this post but please check out the video if you would prefer to watch a demonstration.