Hacking PHP Web Applications and Bypassing Authentication Mechanisms | Hack This Site – ExtBasic 6

Hello World and welcome to HaXeZ, today we’re going to be looking at Hack This Site ExtBasic 6. Solving this challenge requires some basic knowledge of PHP or any other language for that matter. It’s a simple challenge that shows how poorly coded web application authentication mechanisms can be bypassed.

The Challenge

The image below shows the PHP that makes up the authentication mechanism. Furthermore, This is the code that we need to exploit in order to bypass the authentication mechanism. The introduction text at the top explains that the sysadmin is a noob and that the script is located at http://moo.com/moo.php. Therefore, to solve this challenge we need to append the correct syntax to the end of the URL and submit it to the submission form.

The PHP Code
The PHP Code

The PHP Code

The snippet below is the exact code we’re going to be exploiting. Furthermore, there is no backend database to worry about, just some simple PHP logic that we can leverage for our own nefarious purposes.

<?php
        $user = $_GET['user'];
        $pass = $_GET['pass'];
        if (isAuthed($user,$pass))
        {
                $passed=TRUE;
        }
        if ($passed==TRUE)
        {
                echo 'you win';
        }
?>
        <form action="me.php" method="get">
        <input type="text" name="user" />
        <input type="password" name="pass" />
        </form>
<?php
        function isAuthed($a,$b)
        {
                return FALSE;
        }
?>

Breaking Down The Code

We’re going to break the code down line by line in order to solve this challenge. Once we understand what the code is doing, we will be able to use its own logic against it and bypass authentication.

First, the code starts with it a tag telling us what language it is.

<?php

Next, we have two variables being set from user input. The $user and $pass variables are populated by the values of ‘user’ and ‘pass’. This is more evident later on when looking at the HTML form.

$user = $_GET['user'];
$pass = $_GET['pass'];

This is where the logic beings. When the user submits their username and password, the data is passed to an if statement. If the values of the variables ‘$user’ and ‘$pass’ are correct then the variable ‘$passed’ is set to true.

if (isAuthed($user,$pass))
{
        $passed=TRUE;
} 

After that, the application uses another if statement to check whether the value of the variable ‘$passed’ is set to true. If ‘$passed’ is set to true then the application echos out “you win”. This also ends the first section of PHP.

if ($passed==TRUE)
{
        echo 'you win';
}
?>

Now, we move on to the HTML. This is the login form that the user will send when loading the page in their browser. It is fairly standard and just performs a get request to me.php. The contents of the get request or the values of the input for ‘user’ and ‘password’. The user input type is text and the password input type is password.

<form action="me.php" method="get">
<input type="text" name="user" />
<input type="password" name="pass" />
</form>

Finally, we have the last section of PHP. This is the function that checks to see whether the username and password are correct. This function compares the values of variables ‘$user’ and ‘$pass’ with the variables ‘$a’ and ‘$b’. If they match then it is the first if statement is executed.

<?php
        function isAuthed($a,$b)
        {
                return FALSE;
        }
?>

The Solution

With that rather long explanation out the way, we can now move on to solving the challenge. It’s pretty simple if you know how to PHP site URL’s work. We know that in order for us to authenticate, the variable ‘$passed’ needs to be set to ‘TRUE’

PHP allows you to specify variables and their contents in the URL. For example, a dynamic PHP website using a CMS like WordPress may have a URL like HTTP://site.com/index.php?page=1. The question mark indicates that what follows is a variable and in this case, the variable is ‘$page’. Furthermore, we can specify that we want the value of the page variable to be 1.

With this in mind, we can take the provided URL of HTTP://moo.com/moo.php and append a question mark followed by the variable passed equals TRUE, as seen below.

http://moo.com/moo.php?passed=TRUE

Submitting this to the input box will solve the challenge.

Hack This Site: Extended Basic – Mission 5

Dear Friend, welcome to HaXeZ where today we will be looking at the Hack This Site Extended Basic mission 5. This mission is another programming mission that requires you to review the contents of a PHP file and then subsequently a shell script that is used to edit the PHP file. There is an error in the shell script that prevents it from doing what it’s supposed to do. We need to fix it.

The Code

The image below shows the code that Sam has written. The introduction message advises that Sam created a function called safeeval to run commands. However, on the page, he neglected to use safeeval and use eval() instead. Furthermore, it explains that he wrote a shell script to go through the PHP file and replace all values of eval() with safeeval. Unfortunately, there is an error in the shell script that prevents the script from working.

Hack This Site Extbasic 5

The PHP Code

<?php
        include ('safe.inc.php');
        if ($access=="allowed") {
                eval($_GET['cmd']);
                if (!empty($_GET['cmd2'])) {
                        eval($_GET['cmd2']);
                }
        }
?>

The Shell Script

#!/bin/sh
rm OK
sed -E "s/eval/safeeval/" <exec.php >tmp && touch OK
if [ -f OK ]; then
        rm exec.php && mv tmp exec.php
fi

Hack This Site Extbasic 5 Code Breakdown

We don’t need to break down the PHP code as that is the code we’re trying to amend with the shell script. So let’s break the shell script down line by line.

First, as with all shell scripts, we get a comment to explain that it is in fact a shell script. Nothing out of the ordinary here.

!/bin/sh

Next, we have the ‘rm’ command which on Linux means to remove something and after a bit of research, it appears that it is the same on FreeBSD too. So this line is saying remove ok.

rm OK

The next line is using the sed (stream editor) command which appears to be what is substituting eval for safeeval. It is then passing the exec.php file to the sed command using a less than sign. After that, it appears to be taking the results of the sed command and appending them to ‘tmp’ and creating a file.

sed -E "s/eval/safeeval/" <exec.php >tmp && touch OK

Next, we appear to have some logic that checks if the command executed ok, and if it did it moves on to the next line.

if [ -f OK ]; then

Finally, the script removes exec.php and moves tmp to exec.php.

rm exec.php && mv tmp exec.php

Hack This Site Extbasic 5 Solution

The final line is the end of the if statement so we don’t need to explain that any further. Upon closer inspection and reading the Wikipedia page for sed it appears substitutions with sed requires 2 characters. First, it explains that in some cases you need to start the argument with -E. This is true on MacOS which is a variant of free BSD. We know Sam is using free BSD so the -E at the start of his sed statement is correct. However, we also need the characters s and g. The s character tells sed to substitute one word for the other (eval with safeeval). The g character tells it to do it globally. In short, Sam needs a g at the end of his sed statement to replace all instances of eval with safeeval. The correct syntax should be as follows.

sed -E "s/eval/safeeval/g" <exec.php >tmp && touch OK

Without the g, the script only replaces one instance of eval. The script has multiple instances of eval so the script files to complete its purpose. Fun challenge.

Hack This Site: Extended Basic – Mission 4

Dear Friend, welcome to HaXeZ where today we will be looking at the Hack This Site Extended Basic mission 4. This mission is another programming mission that requires you to examine the source code of an application to determine its output. Again, please be advised that I’m terrible at programming so my explanation might be terrible.

The Code

The image below shows the introduction message and explains that sometimes we may need to decipher a language. Furthermore, it explains that sometimes the language may not be on google or encrypted in some way.

Below that we can see there appears to be a user input of the numbers 6 and 7.

Hack This Site: Extended Basic – Mission 4
Hack This Site: Extended Basic – Mission 4

We then have a number of lines of code that appear to perform operations on the user-submitted values.

The Solution

As with Extended Basic 3, I’m going to attempt to break this down line by line and explain what is happening.

BEGIN F.ake

This appears to be the start of the program. I don’t think there is much more to it than that other than indicating the start of the program.

var int as in

What this appears to be doing is assigning whatever value the user has submitted to the variable var. The ‘in’ is the user input and var is the variable name. In this case, the value will be 6.

int var as in

This is similar to the line above and is assigning whatever the user submits to a variable called ‘int’. Again the ‘in’ part of the statement appears to be the user input prompt. In this case, the value will be 7.

out var int

Finally, the script is printing or echoing both the variables ‘var’ and ‘init’ to the screen meaning it should output 67.

Extended Basic – Mission 4 Conclusion

I can’t think of any other way to solve this or what any of the other parts of the code would be doing, other than what I have explained. I hope this has helped you solve the challenge. Feel free to check out parts 1 to 3 and drop by my youtube channel and subscribe.

Hack This Site: Extended Basic – Mission 3

Hello world and welcome back to HaXeZ, thank you for surfing by. This post is a walkthrough of the Hack This Site Extended Basic Mission 3. The purpose of this challenge is to deduce the function of a bespoke programming language’s application. A basic understanding of programming and assigning variables is required for this challenge. However, I’m terrible at programming and was still able to solve the challenge.

The Function

As mentioned above, the image below informs the user that the challenge creator has created a bespoke programming language. In order to solve the challenge, we need to walk through the application step by step and determine the output.

Extended Basic – Mission 3
Extended Basic – Mission 3

Therefore, I believe the best method of solving this challenge is to analyse each line individually and identify what it is doing.

The Solution

BEGIN notr.eal

Firstly, the application starts with ‘BEGIN notr.eal’. Granted, this appears fairly self-explanatory and denotes the start of the application.

CREATE int AS 2

Secondly, it appears as though the application is creating an integer with the value of 2. However, as with other programming languages, the position of ‘CREATE’ suggests it is more likely that the integer value of 2 is being assigned to the variable ‘CREATE’.

DESTROY int AS 0

Thirdly, the same can be said about the ‘DESTROY’ variable. This could easily be mistaken for a function of the program. However, since this function isn’t previously described in the program, I’m going to assume that an integer value of 0 is being added to the variable ‘DESTROY’.

ANS var AS Create + TO

Fourthly, it would appear that the value of the ‘create’ variable (currently 2)  or ‘CREATE’ as previously written is being add to the ‘TO’ variable. I’m not too sure about this one but it resulted in the correct answer so my logic (however flawed) seems correct.

out TO

Finally, the value of the ‘TO’ variable is printed out to the screen. So in this instance the answer should be 2. If you submit that to the submission box then it should solve the challenge.

BEGIN notr.eal /* Starts the program
CREATE int AS 2
/* Adds the integer 2 to variable 'CREATE'
DESTROY int AS 0
/* Adds the integer 0 to variable 'DESTROY'
ANS var AS Create + TO
/* Appears to take the value of variable 'CREATE' and adds to varable 'TO'
out TO
/* Prints the value of 'TO'

Extended Basic Mission 3 – Conclusion

While my explanation might be incorrect, it resulted in the correct answer. Furthermore, I tried to solve the challenge in other ways but wasn’t able to. If we break the program down again and look at lines 2 and 3 we could infer that the program is simply creating an integer of 2 and then destroying it. If it destroys the integer then the value of the variable ‘TO’ would be 0 which is the wrong answer. I’ve also looked at whether ‘AS’ could be a variable but we end up with the same result of the value of the variable being destroyed and ending up with 0. There could be something else I’m missing and if you spot it then please let me know. Anyway this was a fun challenge, please check out my other posts in this series ExtBasic1 and ExtBasic2.

Hack This Site: Extended Basic – Mission 2

Hello friend and welcome to HaXeZ where we will be covering Hack This Site Extended Basic Mission 2. This challenge is fairly simple provided you have an understanding of application structures. It requires us to slightly modify the provided script in order to access the index.php page at the root of the web application. In order to do that we need to perform a directory traversal up two directories to grab the index.html page.

The Function

As you can see from the screenshot below, we have some fairly basic PHP code that is attempting to get the contents of the filename specified by the value ‘filename‘. Furthermore, it specifies the type of extension for the filename which in this case is ‘.php‘. Underneath the code, we have a submission box where we need to submit the solution to the challenge.

Extended Basic Mission 2 - The Function
Extended Basic Mission 2 – The Function

The Solution

Given these points, all we need to do to solve this mission is to tell the script to navigate up two directories. We are currently in the ‘extbasic‘ directory looking at the file named 2 ‘/missions/extbasic/2‘. So by traversing up two directories we should be in the root directory. Once there, we need to specify the ‘index.php‘, however the file extension ‘.php‘ has already been appended for us so we only need to specify the word index. The correct solution should be ‘../../index‘. Paste that into the check form and you should complete the mission and be able to proceed on to the next one.

Extended Basic Mission 2 - The Solution
Extended Basic Mission 2 – The Solution

Extended Basic Mission 2 – Conclusion

This is a simple but fun challenge that tests your knowledge of web application directory structures and code reading ability. While I wouldn’t have a clue how to write this off the top of my head, I easily worked out what the code is attempting to do. Once you understand what the code is doing, and you understand the rules of the mission then it’s fairly simple. This type of attack is known as a directory traversal attack and can be prevented by validating user input and by having strict permissions policies on directories. Anyway, I hope this helped you solve the mission.

Hack This Site: Extended Basic – Mission 1

Hello and welcome to HaXeZ where today we’re looking at Hack This Site Extended Basic Mission 1. The mission is titled “Over and Over?” and requires you to perform a buffer overflow to complete it. Upon navigating to the mission we are greeted with a message that explains that we have a C program that calculates the length of the user input. It goes on to explain that we need to crash the program. It also provides us with the source code of the application.

Extended Basic Missions
Extended Basic Missions

Mission 1 – Source Code

I’m not going to pretend I know the ins and outs of the C programming language. It was a bit before my time so I’ve never learned it. However, If we look at the source code we can see that it is declaring a standalone function using the void statement. Furthermore, we can deduce that there is a character limit of 200 hundred characters as stated with the ‘char lol [200]‘ line. Taking this into consideration, we can safely assume that inputting more than 200 characters would likely cause an error.

Extended Basic Mission 1 - Application Source Code
Extended Basic Mission 1 – Application Source Code

Mission 1 – Buffer Overflow

A buffer overflow occurs when you send more data than is expected to an application. Essentially, each part of a program has an allocated amount of system memory. If you were to send more data to the application than the application has allocated memory for, unexpected results happen. This will likely cause the application to crash but in some cases, it could allow for code execution. However, the purpose of this mission is to crash the application. We know the application is expecting 200 characters. So if we generate 250 characters with our terminal using ‘printf 'A%.0s' {1..250}‘ and submit it to the application, we should crash it.

Terminal Generating String
Terminal Generating String

Mission Complete

Now if we copy and paste that string into the application submission box and click submit, we should see it process and complete the mission. We can tell the mission is complete because it should generate a blue Go On button underneath the input form.

Mission Complete
Mission Complete

Hack This Site: Javascript Mission – Level 7

Well done friends of HaXeZ, We have done it, we have made it to the last Javascript mission on Hack This Site. After all those other missions I feel like I’m a scripting savant. Ok maybe not, but progress is progress. Furthermore, once we have completed this mission, we can move on to other more exciting missions. This mission is a lot like one of the previous missions that we did. However, instead of the password being encoded or obfuscated, this time the whole script is obfuscated.

JS Obfuscation FTW

Introduction

Navigating to the mission we can see a password input form. There isn’t much more information than that other than the title and a thank you message to the creator. If we submit test data to the password input form then we will get an incorrect error message. In order to see what’s going on, we need to view the page source of the application.

The Mission
The Mission

The Javascript

As you can see from the image below, the script appears to be garbled data. It’s all X’s followed by two-digit numbers. We could attempt to decode it online but there is a far easier solution. All we need to do is to right-click the Check Password button and inspect the functionality behind that.

The Javascript
The Javascript

The Button Javascript

As you can see from the screenshot below, inspecting the button shows us the Javascript that is powering it. The Javascript is checking the value of user-submitted value ‘pass‘ to see whether it matches the value ‘j00w1n‘. If the values match then we get an alert saying “You WIN!”. If it doesn’t match then we get a message saying “WRONG! Try Again”.

The Button - Javascript
The Button – Javascript

The Solution

Therefore, in order to complete this mission and to complete the Javascript series. All you need to do is submit the value ‘j00w1n‘ to the password form. As you can see from the image below, we get the alert box that tells us that we have successfully completed the mission.

You Win!
You Win

Alernative Method

I’m sure the developers didn’t intend for this mission to be this easy. I fully believe that they wanted us to deobfuscate the code. So for that reason, the screenshot below shows me deobfuscating the code using the GCHQ tool CyberChef. As you can see from the screenshot, the output shows the button value with the password.

Hack This Site: Javascript Mission – Level 6

Introduction

Hello friends and welcome to HaXeZ, today we’re going to solve Javascript Mission 6 on Hack This Site. This challenge isn’t too difficult provided you pay attention to the details. The mission takes the script from a previous mission and attempts to distract you with it. However, hidden on another page of the application is the correct script that is being used to authenticate.

go go away .js
go go away .js

The Mission

Navigating to the mission we see the expected password submission form. However, instead of Faith, this time we have a message saying that Fiftysixer has decided to try creating some Javascript. It explains that he forgot to remove the previous code. This has made the new code more confusing but apparently, Fiftysixer likes it that way. We can submit test data to the form but we get an incorrect error message.

The mission
The mission

The Javascript

If we view the Javascript we can see that it looks a lot like the script we had for a previous mission. This script tried to trick us by comparing a variable with a string rather than assigning the string to the variable. The solution to that mission was ‘moo'. However, if we submit ‘moo‘ to the password form, we still get an incorrect error message. Notably, there is a link to what appears to be another Javascript file called checkpass.js. Furthermore, the name suggests that it may have something to do with the password checking functionality.

The Javascript
The Javascript

The Real Javascript

If we navigate to the script in the URL we can see that it does appear to be the correct script for checking the password. As you can see from the image below, the javascript is declaring three variables and assigning them values.

dairycow="moo";
moo = "pwns";
rawr = "moo";

I’m not too familiar with Javascript syntax but I wonder whether the lack of spaces in the declaration of ‘dairycow‘ is significant in any way. After the variable declaration, we have a function to check the password. It states that if the value submitted by the user is the same as the value of ‘rawr‘ and ‘moo‘ then we win. If not then we lose. It is important to note that there are also speech marks between ‘rawr‘ and ‘moo‘ so we need to ensure that we have a space in our submission.

The Real Javascript
The Real Javascript

The Solution

So that’s all we need to do to solve the mission. Submit ‘moo pwns‘ as the password and you should complete the mission. Congratulations.

The Solution
The Solution

Hack This Site: Javascript Mission – Level 5

Introduction

Hello World Wide Web and welcome to HaXeZ where today we will be looking at the Javascript Mission 5 on Hack This Site. This mission was a lot of fun and even gave me an excuse to use the GCHQ CyberChef tool to deobfuscate some encoded text. The mission is fairly simple provided you know what to do with the data that you find.

Javascript Mission 5
Javascript Mission 5

The Mission

Upon navigating to the mission we are greeted with a password input form and some text asking if Faith spelled Runescape wrong. This comes into play a bit later as it is referencing a Javascript function that is used to encode or decode text. We could input some text into the password form and submit it but without the correct text, we will get an error message to notify us that the password is wrong.

Password Submission Form
Password Submission Form

The Javascript

However, If we inspect the password form or view the page source we can see the Javascript. Furthermore, the first part of the script is declaring a variable named ‘moo‘ and says that it is equal to unescape. The ‘unescape()‘ function computes a new string in which hexadecimal escape sequences are replaced with the character that it represents. In addition to the declaration of the ‘moo‘ variable and the ‘unescape’ function we have the following encoded string ‘%69%6C%6F%76%65%6D%6F%6F‘.

The Javascript
The Javascript

Javascript Deobfuscation

In order to decode the string, we can use our favorite Government developed decoding tool, CyberChef. Surprisingly, CyberChef works really well considering it came from the public sector (please don’t arrest me). As can be seen from the image below, the interface is simple. You choose a recipe, then paste in your encoded text, and then it works its magic and decodes it for you. It even has a magic recipe that will automatically detect what you’re inputting. It really is a great application.

CyberChef
CyberChef

The Solution

As shown above, the decoded text turns out to be ‘ilovemoo‘. If you submit that to the password form then you should complete the mission.

The Solution
The Solution

Congratulations you have now completed Javascript mission 5.

Congratulations
Congratulations

Hack This Site: Javascript Mission – Level 4

Introduction

Hello there internet and welcome to HaXeZ where today we will be solving Hack This Site Javascript Mission 4. This mission is a little deceptive due to the way that the Javascript is written. To put it another way, this mission intentionally tries to trick you into thinking the value of a variable is something else. However, our keen attention to detail is enough to complete the mission.

Javascript Mission 4
Javascript Mission 4

The Mission

The mission is called Var which we can deduce means we’re going to be working with variables again. As can be seen from the image below, the message reads “Faith is trying to trick you… she knows that you’re tired after all the math works”. To sum up, Faith is going to going to attempt some shinanigans to prevent us from completing this mission. We can test the form with random data to see what happens but as expected, we just get an alert informing us that it is incorrect.

The Mission
The Mission

The Javascript

If we inspect the page we can see the script that is powering the functionality. This is where the first deception comes in. If you view the page source instead of inspecting the element, you may not notice that the first variable is being set. The image below shows that the first variable is being set on the far right. It’s probably a bit to small to see though.

Hidden moo
Hidden moo

However, if we inspect the script you will see that at the very start of the script, we can see that the value ‘moo‘ is being assigned to the variable ‘RawrRawr‘. Next, we can see that a function called ‘x‘ is being created where the value of ‘hack_this_site‘ is being added to the variable ‘+RawrRawr+‘. Then again, perhaps it isn’t. If we look at how the ‘moo‘ is being assigned to ‘RawrRawr‘ we only see one equal sign. In javascript, a double equals sign acts as an operator to compare two values so all that’s happening here is that ‘hack_this_site‘ is being compared to ‘RawrRawr‘.

The Javascript

The Solution

The value of ‘RawrRawr‘ is still moo, let’s see what the script does next. The script has an if statement that compares ‘x‘ to an empty value between two speech marks plus the value of ‘RawrRawr‘. So in essence, the script is checking the value of ‘x‘ against nothing plus ‘moo‘ as ‘moo‘ was set earlier. Therefore, the password to complete the mission should be moo. Input that in to the box and click submit to score.

The Solution
The Solution