Follow us on Twitter!
Become the change you seek in the world. - Gandhi
Wednesday, April 23, 2014
Navigation
Home
HellBoundHackers Main:
HellBoundHackers Find:
HellBoundHackers Information:
Learn
Communicate
Submit
Shop
Challenges
HellBoundHackers Exploit:
HellBoundHackers Programming:
HellBoundHackers Think:
HellBoundHackers Track:
HellBoundHackers Patch:
HellBoundHackers Other:
HellBoundHackers Need Help?
Other
Members Online
Total Online: 18
Guests Online: 17
Members Online: 1

Registered Members: 82885
Newest Member: ConiBE
Latest Articles

Realistic 18

Arrow Image A guide to help you with the 'insane' realistic 18.



Table of contents:
0. Challenge description
1. Requirements
2. Starting information
3. Looking around
4. Find the encryption script
5. Crack the encryption
6. Get admin rights
7. Finish


0. Challenge description:
As you can see, they intend to create another challenge site, one very similar to this one. Furthermore, they decided to post 'HBH sucks' on the index page. We want you to delete that message. Your username is '1337user', your password has been changed, and you must find it. Note: The admin in charge likes to post his scripts all over the net to show off his skills.


1. Requirements
In this challenge, you will be tested on some skills. Realistic 18 requires that you:
- have basic programming skills
- have some PHP knowlegde
- can think logical

2. Starting information
When you have read the challenge description, there are two important things you should have noticed:
- there is given a username ('1337user')
- the admin like to show his skills by posting his scripts on the internet

3. Looking around
First thing you'll problably do is looking around at the website. The only useful page will be the login page. Let's try to login with the given username and some random password. Seems like the password is encrypted in one way or another. At least we have the encrypted password, now we need to crack it. However, it's not a very common encryption like md5/sha1 or something. Common cracking application won't help you out here.

4. Find the encryption script
Remember what the challenge description says about the website admin? 'Shows off his skills by posting his scripts on the internet'. This means somewhere on the internet is the right encryption code. Unfortunately enough, the internet is very big. It's like we are searching to a needle in a haystack. With some logical thinking, you should find that encryption code. It's not as hard as you might think.

5. Crack the encryption
Got the encryption code? Well done! Now it's time for the cracking part. As I said before, common cracking applications aren't going to help you out. This means you'll have to write something by yourself. If you're a noob in programming, you do have a problem here. But with some basic programming skills, it should be able to write a cracking application for this script. Brute-forcing won't take too long, but a dictionary attack will do the job as well (provided that you have a good dictionary).

6. Get admin rights
The password is cracked, so you're able to login now. As you will see, there are two different control panels. Only one of them will allow you to edit the index page (remember the objective of this mission). That won't be very hard to find out. Hang on, we get a popup saying 'You do not have authorization to view that page'. Well, let's get it then. This part of the challenge isn't really hard, but you just have to know what you're doing. We can assume the script performs a check to validate your authorization. Just make the script believe you've got that admin rights. Some PHP knowlegde will be an advantage here. Also, make sure you have the right URL to the control panel.

7. Finish
Congratulations, you've got the admin rights now. It won't be very difficult to change the index page now. Submit you're new index.php and enjoy your 190 points. (;


CypherChain

Comments

korgon March 07 2013 - 19:49:45
Nice article, Gives the steps for completion, With No real spoilers.
Post Comment

Sorry.

You must have completed the challenge Basic 1 and have 100 points or more, to be able to post.