Systerity Web Hacking Challenge

Introduction

Today I will be documenting a Web Hacking Challenge created by a group known as Systerity. This challenge does not involve Web Application exploitation, but rather your analytical skills, encompassing:

  • Directory Traversals
  • ROT 13 Decoding
  • Base64 Decoding
  • Basic Comprehension Skills

Getting To Know Your Target

The challenge is located at:
http://wargames.systerity.com/Web/

The goal of this challenge is simple – you need to report the hacker's IP address using a reporting tool that is built into the Content Management System. The challenge starts off with the site having been defaced by the hacker, with an image that says “HackeD”. Analyzing the source code (poorly written HTML) is a good way to find where this image is located on the site:

<img src="admin/images/skidded.jpg">

We can traverse to the directory of where the image is being hosted:
http://wargames.systerity.com/Web/admin/images/

There I found a “readme.txt” file that gave me more information about the directories. In my mind, every directory (at least the ones that mattered for this challenge) contained a “readme.txt” file that would give me more information about something relevant to my next move.

I went to the parent folder and traversed to the admin directory:
http://wargames.systerity.com/Web/admin/
http://wargames.systerity.com/Web/admin/images/../

I was greeted with an Admin Panel:

For man-made challenges like these, it is always a good idea to test for SQL Injection vulnerabilities or fuzz the forms for input validation. I did attempt it for this challenge, but it was beyond the scope of how to complete it and input was sanitized as far as I could tell.

I clicked “Find Password”:

But in order to get the current password you need to find the old password. I had to think of an alternative, then I remembered that there was a “readme.txt” file in every directory that contained more information. I wanted to test if this was the case.

http://wargames.systerity.com/Web/admin/readme.txt

Sure enough, the contents inscribed provided me with the default password “alpine”, which possibly was not changed by the admin.

Going back to the “Find Password” page, issuing “alpine” as the old password gave me access to the current password – “alpine2”.

I went back to the admin login panel and authenticated as the admin:

At this point I knew the challenge was not over but had only begun. I had a mission, and that was to find the IP address of the attacker and report it. So I did some detective work.

The “User Accounts” link gave me a list of users, which could be useful:

Admin
N00BStuh
DethMutul
Sk1dd3h_B01
ANTISKID
GENFORMATION
EEMNOOO
imnotspam
STAHPIT
Hai

I checked the user logs and found no traces of anything worth documenting; however, in the admin logs I did find something:

[30/12/14-01:33] 33.120.42.22 logged off.

It was apparent to me that 33.120.42.22 was the IP of the hacker that defaced the site. That solves one piece of this mystery but I still needed to find this reporting tool to blacklist the attacker. The last thing that I could find was a corrupted backup:

http://wargames.systerity.com/Web/admin/backups/backup_001

This part of the challenge was basic. Any files that include numbers in their names are worth changing, especially files like logs or files that include IDs in their name, because they are formatted to increment when other files are added. With that notion in mind, changing the name from backup_001 to backup_002, backup_003, etc., may give you varying results. For this challenge, the only valid file after backup_001 was backup_002; the other backup_00x files did not exist.

http://wargames.systerity.com/Web/admin/backups/backup_002

Encoded(/tools/readme.txt):-
SnJvem5mZ3JlLA0KDQpWYSBndXZmIHNieXFyZSBsYmggdW5pciBmYnpyIGdiYnlmIGxiaCBwbmEgaGZyLiBHdXIgemJmZyBjYmNoeW5lIGJhciB2ZiBndXIgImVyY2JlZyIgZ2JieS4gR3V2ZiBqdnl5IGVyY2JlZyBndXIgVkMgYnMgbmFsIGhmcmUgbGJoIHNycnkgdW5mIHBlYmZmcnEgbiB5dmFyLiBWZyBwbmEgb3Igc2JoYXEgdmEgL2diYnlmL2VyY2JlZy5jdWMNCg0KR254ciBuIHliYnggbmViaGFxIG5hcSBsYmgneXkgeXZ4ciBqdW5nIGxiaCdpciBmcnJhLg==

Although it was not very useful, I did try to check the location named inside encoded(), and there was nothing useful there. This message is encoded in Base64, so I decoded it and got:

Jroznfgre,

Va guvf sbyqre lbh unir fbzr gbbyf lbh pna hfr. Gur zbfg cbchyne bar vf gur "ercbeg" gbby. Guvf jvyy ercbeg gur VC bs nal hfre lbh srry unf pebffrq n yvar. Vg pna or sbhaq va /gbbyf/ercbeg.cuc

Gnxr n ybbx nebhaq naq lbh'yy yvxr jung lbh'ir frra.

This message did not make any sense to me when I first saw it. I took some pen and paper and spent 10 minutes figuring out how it was encoded. After several sheets of paper, and later learning the actual name of this encoding scheme, I realized that all of these characters were shifted 13 places from their original letter. This is also known as ROT13 or Rotation 13.

After decoding, the message started to make sense:

Webmaster,

In this folder you have some tools you can use. The most popular one is the "report" tool. This will report the IP of any user you feel has crossed a line. It can be found in /tools/report.php

Take a look around and you'll like what you've seen.

Finally, we traverse to our reporting tool, located at:
http://wargames.systerity.com/Web/admin/tools/report.php

The challenge is done once the IP Address is reported:

Conclusion

Thank you for taking the time to view my post. Understanding encoding schemes was the general focus of this challenge. I will try to post the other challenges from Systerity, they’ve all been fun to solve!

Happy Hunting!

3 thoughts on “Systerity Web Hacking Challenge”

  2. I was very pleased to find this great site. I wanted to thank you for your time for this particularly wonderful read!!
    I definitely loved every little bit of it and I have you bookmarked
    to check out new things on your web site.

    • Glad you enjoyed the reading! I will post new material soon. Although I have been dormant, my eyes are always on this blog and any responses. Positive vibes are always welcomed. Cheers.
