
Wednesday, October 13, 2010

Ethical Hacker Challenges

Well, been a couple of weeks since I posted anything. This doesn't mean I haven't been busy. I have recently been following up on my "Ethical Hacking" skills and Security training. I stumbled across this site, Hellbound Hackers, which has some interesting challenges. They allow you to earn points for the challenges, so it's kind of cool. They have challenges in many areas. I have been playing with the "Web Based" challenge area where they have 29 challenges.

Below are the answers.... I know...this is frowned upon. Many people believe one should only provide "hints" and let people flounder indefinitely.....But, seriously, to learn....sometimes it's nice to have access to the answers when you're stuck. I have provided the background detail then the actual answer. If you have stumbled on this via Google because you're trying the challenges, great...but be aware....... SPOILERS are below. I have made the font for the answers white so you have to highlight them to actually see the answer.

Note: This is an "Ethical Hacker" site. So, ideally there is nothing malicious going on here and your machine won't get infected while browsing the forums and such. However, it is "hacker related" and the Internet is the wild west of the 2000's so use caution. I strongly encourage you to use a VM to go to sites like this. See my Virtualization Post on this.

Challenge #1
Basic login prompter. Nothing special here. It is the 1st Challenge. The Hint provided is: "Look at the source...."

Answer:
If you view the source you will see a comment:
it has four legs and most of the time its called 'man's best friend'
Answer: Dog

Challenge #2
This is a simple challenge as well. Just requires some basic knowledge of HTML.

Answer:
View the source and find:
IFRAME border='0' height='250' width='500' align='center' name='content' src='../basic1/b2/index.php' frameBorder='0'
IFRAME location is: ../basic1/b2/index.php

Challenge #3
Now, we start to get a little more complex. This involves spoofing your UserAgent.

Answer:
Change your user agent to bwh3_user_agent. This is pretty simple in Firefox. I used the Firefox Plug-in - useragentswitcher
You could also edit the Registry in Windows for IE....but why.... just use Firefox.

Challenge #4
The idea here is a simulation of an improperly configured login prompter that uses an htpasswd file. The file isn't found so you can see an error on the page.
First idea...... a path fuzzing challenge.

Answer:
"ERROR: htpasswd.php file not found in basic4/" means something.. so fuzz the dir paths.
You will find the password file located at:
http://www.hellboundhackers.org/challenges/basic5/htpasswd.php

Challenge #5
Just a pain to figure out, not because it is hard...but the format of the answer is hard.

Answer:
Doing a query for email or reading the source you will note * is the wildcard. Then, you have to realize that the form is a login form AND search form.
So,
Box #1: *@*:*
Box #2: problems@Asterix-Protect.org

Challenge #6
Now, the challenges start to get a bit more "real". This one requires both some simple Unix skills and some fuzzing.

Answer:
First, fuzz the dir path:
http://www.hellboundhackers.org/challenges/basic6/logs/
You will see the files that need to be deleted. Then, run the appropriate commands.

Box #1: $ chmod a+x logs/logs.txt
Box #2: $ rm logs/logs.txt
Box #3: $ rm logs/track_logs.php

Challenge #7
This challenge requires some Binary math and knowledge of cookie manipulation.

Answer:
View your cookies. (I used Web Developer tool for Firefox)
username: sam
password: jillisdead
(This also happens to be in the source javascript, so viewing the cookie probably wasn't really required).

Now encode each into ASCII binary:
http://www.theskull.com/javascript/ascii-binary.html
sam -> 011100110110000101101101
jillisdead -> 01101010011010010110110001101100011010010111001101100100011001010110000101100100

So, now just use the Firefox Web Developer plug-in to edit these values.
username=011100110110000101101101
password=01101010011010010110110001101100011010010111001101100100011001010110000101100100
And then fill in junk for the submit form and click go.

You will now be at the sql prompt:
Fill in 'sam' and submit

You could also use JavaScript injection on the 1st part, but my example way is a little less typing.
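
As an added example (not part of the original post or the challenge's code), the Python below reproduces the binary cookie encoding from this challenge and shows why it protects nothing: anyone can encode or decode it, while a server-side HMAC tag makes client edits detectable. The key and the `sign_cookie`/`verify_cookie` helpers are assumptions for illustration.

```python
import hashlib
import hmac

SERVER_KEY = b"constructed-demo-key"  # assumption: secret known only to the server


def to_bits(text: str) -> str:
    """Encode ASCII text as 8-bit binary digits (the Challenge #7 cookie format)."""
    return "".join(f"{byte:08b}" for byte in text.encode("ascii"))


def from_bits(bits: str) -> str:
    """Decode to_bits output; reject anything that is not whole bytes of 0/1."""
    if not bits or len(bits) % 8 or set(bits) - {"0", "1"}:
        raise ValueError("not an 8-bit binary string")
    raw = bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))
    return raw.decode("ascii")


def sign_cookie(value: str, key: bytes = SERVER_KEY) -> str:
    """Append an HMAC-SHA256 tag so the server can detect client-side edits."""
    tag = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"


def verify_cookie(cookie: str, key: bytes = SERVER_KEY):
    """Return the value if its tag is valid, otherwise None."""
    value, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(tag.encode(), expected.encode()) else None


if __name__ == "__main__":
    encoded = to_bits("sam")
    print(encoded, "->", from_bits(encoded))   # encoding is reversible by anyone
    good = sign_cookie("username=sam")
    forged = good.replace("sam", "admin")      # edited value, stale tag
    print(verify_cookie(good), verify_cookie(forged))
```

A signed cookie should carry an identifier such as the username only; the password has no place in it.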


Challenge #8
This challenge requires a slight bit of knowledge about PHP and the Register Globals vulnerability. See
http://en.wikibooks.org/wiki/PHP_Programming/Register_Globals. You can use this to perform an SQL Injection attack.

Answer:
Formulate an injection that will provide the password:
http://www.hellboundhackers.org/challenges/basic8/secure-area.php?sql_query=SELECT%20*%20FROM%20family_db

And you should get that the password is:
KingKong
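
An added example, not the challenge's actual code: a Python model of the pattern behind this challenge, where register_globals lets a request parameter pre-set a script variable that is later executed as SQL, shown beside a hardened handler. The table columns, the row and both function names are assumptions, and `sqlite3` stands in for the site's database.

```python
import sqlite3

# Server-side constant: the only SQL the login check should ever run.
LOGIN_QUERY = "SELECT name FROM family_db WHERE password = ?"


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for family_db; the columns and row are assumptions."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE family_db (name TEXT, password TEXT)")
    conn.execute("INSERT INTO family_db VALUES ('dad', 'constructed-secret')")
    return conn


def secure_area_vulnerable(conn, request_params: dict, guess: str) -> list:
    """Models register_globals: a request parameter pre-sets the script's variable."""
    sql_query = request_params.get("sql_query")   # client-controlled "variable"
    if sql_query is None:                         # script assigns it only when unset
        return conn.execute(LOGIN_QUERY, (guess,)).fetchall()
    return conn.execute(sql_query).fetchall()     # client-chosen SQL is executed


def secure_area_hardened(conn, request_params: dict, guess: str) -> list:
    """Ignores stray parameters; query text is fixed and the guess is bound."""
    return conn.execute(LOGIN_QUERY, (guess,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    params = {"sql_query": "SELECT * FROM family_db"}   # as in the challenge URL
    print(secure_area_vulnerable(db, params, "wrong"))  # whole table leaks
    print(secure_area_hardened(db, params, "wrong"))    # no rows
```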


Challenge #9
This challenge is completed using a type of code injection attack.

Answer:
Null Metacharacter Injection attack. ().
Search for: login.php
This will allow you to view the source of the PHP file, which will show you, if you view Source:


if($_POST['password'] == "environment" && $_POST['username'] == "FastLane"){

Go back to the Challenge Page and fill in the Username/Password combo of:
FastLane / environment


Challenge #10
This challenge requires that your IP address be in a specific range. You need to use a "free proxy service" if the page doesn't work immediately.


Answer:
Viewing source on the access denied page will show you that the range needs to be:
range is around 200 to 230 and 23 to 91
Now, Google for free proxy services and use Firefox's FoxyProxy to help you solve this. It is more trial and error to find a proxy in this range. I used Proxy IP: 81.168.92.66 Port: 8080 or 82.148.227.62 Port 80



Challenge #11
Basically the same as challenge #3

Answer:
Edit useragent to be:
Mozilla (HellBoundHackersOS)

I'll post some answers to the remaining 17 challenges when I get a chance to solve them. I did jump to the end..... #29 uses XPATH injection.... :-)
