Today I will be documenting a Web Hacking Challenge created by a group known as Systerity. This challenge does not involve Web Application exploitation but rather your analytical skills, covering:
- Directory Traversals
- ROT 13 Decoding
- Base64 Decoding
- Basic Comprehension Skills
Getting To Know Your Target
The challenge is located at:
The goal of this challenge is simple – you need to report the hacker's IP address using a reporting tool that is built into the Content Management System. The challenge starts off with the site having been defaced by the hacker, with an image that says “HackeD”. Analyzing the source code (poorly written HTML) is a good way to find where this image is located on the site:
We can browse to the directory where the image is hosted:
There I found a “readme.txt” file that gave me more information about the directories. At this point I assumed that every directory (at least the ones that mattered for this challenge) contained a “readme.txt” file that would give me information relevant to my next move.
Next I was greeted with an admin panel:
For man-made challenges like these, it is always a good idea to test for SQL injection vulnerabilities or to fuzz the forms for input validation. I did attempt it for this challenge, but it was beyond the scope of how to complete it, and input was sanitized as far as I could tell.
I clicked “Find Password”:
But in order to get the current password you need to know the old password. I had to think of an alternative, and then I remembered that there was a “readme.txt” file in every directory containing more information. I wanted to test whether this was the case here too.
Sure enough, the file contained the default password “alpine”, which the admin may never have changed.
Going back to the “Find Password” page, issuing “alpine” as the old password gave me access to the current password – “alpine2”.
I went back to the admin login panel and authenticated as the admin:
At this point I knew the challenge was not over; it had only begun. I had a mission, and that was to find the IP address of the attacker and report it. So I did some detective work.
The “User Accounts” link gave me a list of users, which could be useful:
Admin, N00BStuh, DethMutul, Sk1dd3h_B01, ANTISKID, GENFORMATION, EEMNOOO, imnotspam, STAHPIT, Hai
I checked the user logs and found no traces of anything worth documenting; in the admin logs, however, I did find something:
[30/12/14-01:33] 184.108.40.206 logged off.
It was apparent to me that 220.127.116.11 was the IP of the hacker that defaced the site. That solves one piece of this mystery, but I still needed to find the reporting tool to blacklist the attacker. The last thing I could find was a corrupted backup:
This part of the challenge was basic. Any file whose name includes a number is worth tampering with, especially logs or files with IDs in their names, because they are typically generated with a counter that increments as new files are added. With that in mind, changing the name from backup_001 to backup_002, backup_003, etc. may give varying results. When doing this, compare the status code and response size of each candidate so that a "soft" 404 page is not mistaken for a hit. For this challenge, the only valid file after backup_001 was backup_002; the other backup_00x files did not exist.
I also tried the location referenced inside encoded(), but there was nothing useful there. The message itself is Base64-encoded, so I decoded it and got:
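The numbered-file enumeration described above, as an added example (not code from the original post or from Systerity): the name generator preserves the zero padding and extension of the seed name, and the prober stops after a run of consecutive misses, since these sequences are almost always contiguous. The served file set and the `exists` callback are constructed here so the script runs offline; `http_exists` is the hypothetical live variant you would swap in against a real target.

```python
import re
import urllib.error
import urllib.request
from typing import Callable, Iterator, List

# Splits "backup_001", "log7.txt", "dump_2014_12_30.sql" into stem / number / extension.
NUMBERED = re.compile(r"^(?P<stem>.*?)(?P<num>\d+)(?P<ext>\.[A-Za-z0-9]+)?$")


def numbered_siblings(name: str, start: int = 0, stop: int = 20) -> Iterator[str]:
    """Yield names whose numeric part runs from start to stop (inclusive),
    keeping the seed's zero padding ("001" -> "002", "010") and extension."""
    m = NUMBERED.match(name)
    if not m:
        raise ValueError(f"no numeric component in {name!r}")
    stem, num, ext = m.group("stem"), m.group("num"), m.group("ext") or ""
    width = len(num)
    for n in range(start, stop + 1):
        yield f"{stem}{n:0{width}d}{ext}"


def find_existing(name: str, exists: Callable[[str], bool],
                  max_misses: int = 5, stop: int = 999) -> List[str]:
    """Probe siblings in order and collect the ones that exist.
    Stops after max_misses consecutive misses so a long range is not walked needlessly."""
    found: List[str] = []
    misses = 0
    for candidate in numbered_siblings(name, start=0, stop=stop):
        if exists(candidate):
            found.append(candidate)
            misses = 0
        else:
            misses += 1
            if misses >= max_misses:
                break
    return found


def http_exists(base_url: str, timeout: float = 5.0) -> Callable[[str], bool]:
    """Build an exists() callback that issues a HEAD request per candidate.
    Hypothetical live variant; base_url is an assumption, e.g. "http://target/backups/".
    Only HTTP 200 counts as a hit; a site that answers 200 for everything needs a
    response-length comparison instead."""
    def probe(candidate: str) -> bool:
        req = urllib.request.Request(base_url + candidate, method="HEAD")
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status == 200
        except urllib.error.HTTPError:
            return False
    return probe


# Constructed in-memory "server" mirroring the challenge: only 001 and 002 exist.
SERVED = {"backup_001", "backup_002"}


def offline_exists(candidate: str) -> bool:
    return candidate in SERVED


if __name__ == "__main__":
    for hit in find_existing("backup_001", offline_exists):
        print("found:", hit)
```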
Jroznfgre, Va guvf sbyqre lbh unir fbzr gbbyf lbh pna hfr. Gur zbfg cbchyne bar vf gur "ercbeg" gbby. Guvf jvyy ercbeg gur VC bs nal hfre lbh srry unf pebffrq n yvar. Vg pna or sbhaq va /gbbyf/ercbeg.cuc Gnxr n ybbx nebhaq naq lbh'yy yvxr jung lbh'ir frra.
This message did not make any sense to me when I first saw it. I took pen and paper and spent 10 minutes working out how it was encoded. After several sheets of paper, and later learning the actual name of the scheme, I realized that every letter had been shifted 13 places from its original position. This is known as ROT13 (rotation by 13). Because 13 + 13 = 26, applying ROT13 a second time restores the original text, so the same operation both encodes and decodes. It is an obfuscation, not encryption: it has no key and provides no confidentiality.
After decoding, the message started to make sense:
Webmaster, In this folder you have some tools you can use. The most popular one is the "report" tool. This will report the IP of any user you feel has crossed a line. It can be found in /tools/report.php Take a look around and you'll like what you've seen.
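The two-layer decoding (Base64, then ROT13) as an added example, not code from the original post: rather than assuming the inner layer is ROT13, it tries all 25 Caesar shifts and scores each candidate by how many common English words it contains, which is how you would handle an unknown rotation. The Base64 blob from the challenge is not reproduced in the writeup, so the sample input below is reconstructed here by wrapping the ROT13 text quoted above; the word list is an assumption of mine.

```python
import base64
import re
from typing import Tuple

# Small set of common English words used to score candidate plaintexts (assumed list).
COMMON_WORDS = {
    "the", "in", "you", "can", "is", "of", "and", "this", "have", "one",
    "will", "any", "be", "a", "it", "to", "for", "take", "look", "use",
}


def caesar(text: str, shift: int) -> str:
    """Rotate A-Z and a-z by `shift` positions; digits, punctuation and slashes pass through."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + shift) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def rot13(text: str) -> str:
    """ROT13 is Caesar with shift 13; it is its own inverse."""
    return caesar(text, 13)


def english_score(text: str) -> int:
    """Count tokens that appear in COMMON_WORDS; higher means more English-like."""
    words = re.findall(r"[a-z']+", text.lower())
    return sum(1 for w in words if w in COMMON_WORDS)


def best_rotation(text: str) -> Tuple[int, str]:
    """Try every non-trivial shift and return (shift, plaintext) with the best score."""
    best = max(range(1, 26), key=lambda s: english_score(caesar(text, s)))
    return best, caesar(text, best)


def decode_layered(blob: str) -> Tuple[int, str]:
    """Strip the Base64 layer, then brute-force the rotation of what is inside."""
    raw = base64.b64decode(blob.strip())
    inner = raw.decode("utf-8", errors="replace")
    return best_rotation(inner)


# The ROT13 text from the readme, exactly as quoted in the writeup.
ROT13_MESSAGE = (
    "Jroznfgre, Va guvf sbyqre lbh unir fbzr gbbyf lbh pna hfr. "
    "Gur zbfg cbchyne bar vf gur \"ercbeg\" gbby. "
    "Guvf jvyy ercbeg gur VC bs nal hfre lbh srry unf pebffrq n yvar. "
    "Vg pna or sbhaq va /gbbyf/ercbeg.cuc "
    "Gnxr n ybbx nebhaq naq lbh'yy yvxr jung lbh'ir frra."
)

# Constructed sample blob: the challenge's original Base64 is not in the writeup,
# so the same message is re-wrapped in Base64 here.
SAMPLE_BLOB = base64.b64encode(ROT13_MESSAGE.encode()).decode()


if __name__ == "__main__":
    shift, plain = decode_layered(SAMPLE_BLOB)
    print(f"best shift: {shift}")
    print(plain)
```

If the best score is low for every shift, the inner layer is not a simple rotation and the next things to try are other Base64 variants (URL-safe alphabet, missing padding) or a different cipher altogether.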
Finally, we browse to the reporting tool, located at:
The challenge is done once the IP Address is reported:
Thank you for taking the time to read my post. Understanding encoding schemes was the general focus of this challenge. I will try to post the other challenges from Systerity; they've all been fun to solve!