
real 15

Article taken from critical security. There it says that seljojojo wrote it. I guess that's me -_-



Spoiler-free walkthrough for mission 15 (yup, mission 15)

OK. You start the mission. Some guy is asking you to find something about the latest patents
of Seculas Ltd, weapon industry. Obviously an important thing, so it's not gonna be easy.
As usual, you start with the index page. You look in the source, find nothing interesting. Actually, nothing seems to be of any interest.
Wrong. Check EVERY page, even the most stupid ones (like "question sent" etc.). It may take a while, and when you find it, you'll want to hit your head with a rock.
In one of them, you will find something from a hidden folder _ba*****_. Inside it will be a zip file, so download it.
Oh crap. It's password protected. Soooo? To go any further, you will have to download pkcrack. Or perhaps you could use something
else, but I used pkcrack. To find it use Google, simply put in "pkcrack". And have a postcard ready (it's postcardware).

Once you have pkcrack, we can continue.

pkcrack is a known-plaintext attack tool for zip files. This means that you need to have at least one file from the zip in its original form.
So go check that zip you downloaded. Hm, 2 folders: int***** m******* and files from misc folders, or sth like that.
In the first folder, you'll find 2 PHP includes (scripts with no output, of great importance, but not at this point),
so you can forget about them for now. In the second folder, however, you'll find a sh***.php and an i****.htm. Aaaah. i****.htm. That's available in original form.
Simply save as i****.htm into the pkcrack folder, but be sure to change the name into something else, like say 123.htm. You might want to use wget (download program, google it) if normal save as fails (you'll see later).
Now, there is a great tutorial on pkcrack on HTS already, so check it out. Also, if you decide to use wget, check the forums, it's explained how it works over there.

Once you did that, time for the boring stuff. First, extract i****.htm using pkcrack.
Then compress 123.htm using either rar or zip (I've done it using rar) at different compression levels, until your compressed 123.htm (the plaintext) is EXACTLY 12 bytes shorter than your extracted i****.htm (the 12 extra bytes are the zip encryption header).
As a side note, watch your extensions when using pkcrack, they matter.

Now use pkcrack to finally get the files (http://www.hackthissite.org/articles/read/418, great article by joeyadms).


Great, you have your files. Now what?

You'll certainly try your sh***.php file. Uhuh!! BIG! We'll get to that soon enough.
If you try to open it from www.hts.mission...bla.../15/sh***.php, good luck with that. It's a fake; as you can guess, it would be too obvious.

Well, now's the time to check those scripts in the int*****_m******* folder. As you can guess, int*****_m******* is a folder on the real site.
And it's forbidden. You'll see "forbidden" too many times from now on. Anyway, in those scripts, you find out about 3 PHP pages: 2 have no output, and one has exactly the same name as the folder itself.
You'll find out about one msg*********.txt file in the f**** directory, but, as you could guess, it's all forbidden.
So go to int*****_m*******/int*****_m*******.php.
Yip yip. Admin's message. We want to read that. How? Thank you for asking.

Now comes a hard thing to understand. Check the two includes, msg_a***.php and msg_s***.php.
As you see, msgs***.php calls msga***.php. Now the important thing is to understand what exactly they do.

First check the source of int*****_m*******.php to see the "username" of the person whose message we want to read.


then, see this:

<?php
/*-- called by int*****_m*******.php --*/

session_start();

include("showmessages.inc.php"); /* under construction, I will divide this into different files soon */

$msg_p******* = $_POST['password'];
$msg_u******* = $_POST['username'];
$f******** = "msgpa*******.txt";

include("msga***.php");

showmessage($msg_u*******);

?>

It sets 3 new variables; username and password it takes from the form on int*****_m*******.php. msg_u******* we now know (from int*****_m*******.php) and we must not change it, because of showmessage($msg_u*******).

Then check this: if (ereg($msg_u******* . ": " . $msg_p******* . "\r*\n*$", $strLine, $regs))
$_SESSION['msga***'][$msg_u*******] = "OK";

And this: $fp = @fopen("fi***/" . $f*******, "r");

That is combining the msg_u******* variable (admin username from int*****_m*******.php), the ": " string and the msg_p******* variable into one string.
Then it opens the file named in $f******* and checks every line for that string. If it finds it, it sets your session as OK and lets you see the username's messages.
So we need to exploit this. Once again, check the sources on the Seculas website for something in "aaaaaaaaaa: bbbbbbbb" form that we can exploit.
Great, you found it. Now, that aaaaaaaaa has our username in it, so it is "aaausername: " (EVERYTHING to the end of the line will be our password), and the filename will be the i****.htm where you found this.
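The check above as an added example of mine, in PHP (not code from the mission or from HTS): the unanchored line match against a caller-chosen file, next to a hardened version that fixes the file server-side, parses whole "user: hash" records and verifies a password hash. The files/ directory, credentials.txt, the user names and the page text are constructed stand-ins for the redacted names.

```php
<?php
// Added example, not the mission's code: the credential check described above,
// vulnerable and hardened; "files/", "credentials.txt" and the page text are constructed.

// VULNERABLE, mirrors the mission logic: $file is caller-controlled (the include
// can be requested directly and register_globals fills it from POST), the
// credential is plaintext, and the pattern has no start anchor, so any readable
// file under files/ with a line ending in "<user>: <pass>" grants access.
function check_login_vulnerable(string $dir, string $file, string $user, string $pass): bool
{
    $lines = @file($dir . "/files/" . $file);
    if ($lines === false) {
        return false;
    }
    // ereg() is gone since PHP 7; preg_match with the same unanchored pattern.
    $pattern = '/' . preg_quote($user . ": " . $pass, '/') . '\r*\n*$/';
    foreach ($lines as $line) {
        if (preg_match($pattern, $line)) {
            return true;
        }
    }
    return false;
}

// HARDENED: the server picks the file, each line is parsed as one "user: hash"
// record, the user is compared in constant time, and the password is verified
// against a password_hash() value, so no plaintext secret exists to be found.
function check_login_hardened(string $dir, string $user, string $pass): bool
{
    $lines = @file($dir . "/files/credentials.txt", FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    if ($lines === false) {
        return false;
    }
    foreach ($lines as $line) {
        $parts = explode(": ", $line, 2);
        if (count($parts) === 2 && hash_equals($parts[0], $user)) {
            return password_verify($pass, $parts[1]);
        }
    }
    return false;
}
// Constructed demo data: the real credential file, plus an unrelated page with a
// line ending in "admin: hunter2" (the "aaausername: ..." case from the article).
$dir = sys_get_temp_dir() . "/login-demo-" . getmypid();
mkdir($dir . "/files", 0700, true);
file_put_contents($dir . "/files/credentials.txt", "admin: " . password_hash("s3cret", PASSWORD_DEFAULT) . "\n");
file_put_contents($dir . "/files/page.htm", "<title>Seculas</title>\nQuestions? Mail the webadmin: hunter2\n");
var_dump(check_login_vulnerable($dir, "page.htm", "admin", "hunter2")); // attacker-chosen file, partial line
var_dump(check_login_hardened($dir, "admin", "hunter2"));                 // same pair against the real file
var_dump(check_login_hardened($dir, "admin", "s3cret"));                  // the actual password
```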
Now we have to give all of this info to ***a***.php. So, make your own form:

(Oh, before that, have int*****_m*******.php open in a tab, or for IE users in a window.)

<***form (remove ***) action=www.hts.mission.blabla.msga***.php method=(think, you send data)>
<***input name="(msg_p*****, to find the name of the variable check msga***, very logical, but do not include $)" value="" type=text>
<***input name="(variable for username from msga***.php)" value="" type=text>
<***input name="(file variable, for this one check ***s***.php)" value="" type=text>
<***input type="submit" value="send">
</form>


And? A blank page. But hey! It's supposed to be blank! Now, if everything was done correctly (the filename needs to be in the right directory),

go hit read messages (from admin) in int*****_m*******.php and voila. (This can be VERY irritating, but if something is wrong, go check the forums or PM someone, me if necessary, but I cannot guarantee that I'll respond, cause I'm not always on HTS.)
Now you found the a***_a*** folder. And? Listing is forbidden. But hey? Remember sh***.php? The fake one? What do you think, where is the right one? Bingo.
And so you came to the right s**ll.php finally. And, once again, you are prompted for password and username.


Now, again, an important thing to understand.

Go check your own sh***.php:

$sh***user_r*** = "r***";
$sh***ps**_r*** = "********************************"; // hash removed in this backup-file

and

$MyShellVersion = "MyShell 1.1.0 build 20010923 ".$$php_auth_u***;

Be sure to understand what this is all about. MyShell 1.1.0 build 20010923. Remind you of sth? And behind it is the $$thing you input. It should be obvious, but if you have problems go visit the forums.


OK, so you got the r*** hash. It's double md5. Either search for an online md5 database or make your own script for this (use Cain's wordlist).

So, you are in the shell. Try things and laugh. Then list the directory. Then go see the files and laugh. Then find view*******2.php and view*******.php.

You should also notice the chku***pa** C source file while downloading everything.

Now comes... the buffer overflow. Google about it. Ask the forums about it, there is one good hint there; Wikipedia has a good explanation of what it is.

You see, in this C program, it combines username and pass into one string. And if you overcrowd it with junk data... it might put the junk data into sth else, where it won't be junk... Think about it. And you want is_p***_correct to be "*", not "***********" (think, what is * gonna be this time? It's in the file).

And when you figure out what you have to do, have patience....

And that's it. It's my first article, and I really hope it helped you. I know some things aren't well explained, but I do not have much time, and there is a possibility of giving too much away.

From: http://www.criticalsecurity.net/index.php?showtopic=8194

Comments

seljojojo on March 25 2006 - 21:03:46
Important: when downloading the in***.htm page, either use wget or simply save as, but be sure to select HTML only. Else you may get infinite "wrong plaintext" outputs in pkcrack.
Neo_Chalchus on March 26 2006 - 22:53:52
ok...I tried not to but I gotta ask. wtf is Real 15? There are only nine.
Neo_Chalchus on March 26 2006 - 22:58:01
Sorry, it's an HTS challenge, sorry B)
spyware on March 27 2006 - 19:14:06
Could an admin move this article?
seljojojo on March 28 2006 - 11:32:49
To where?
spyware on March 28 2006 - 18:12:50
Sorry, thought it was in the wrong subject-topic thingy. Nice article
seljojojo on March 28 2006 - 18:34:34
thx, no problem
Sauron on March 29 2006 - 10:07:51
ROTFFLMFAO, please people, read before u ask, please....lmao Btw, nice article, gonna rate it poor <kiddin>
cesnjak on May 05 2006 - 19:56:49
I got lost among all those ***. But good article anyway.
phoenixv0 on April 19 2007 - 04:41:18
Excellent article bro..cheers