Ok so here are a few notes rolled into a vague guide to assist with realistic mission 11. I've tried to make it so that it doesn't hand you answers but it's not too vague to follow. Not all of what's in this article is necessary to complete the mission but since the aim of completing it is to learn, I've included the "extra bits" for good measure! :D
I recommend (as with any mission) that you try and do as much as you can on your own before consulting a guide or anyone for help.
What you might need
* Information on Piping commands in Perl
* JavaScript Injection
* SQL Command Reference
* Knowledge of Cookie Stealers
* User-Agent Switching
* A PHP hosting facility
* Knowledge of Directory Traversal
(Since most of these are covered in other missions and articles I'm not going to provide any links)
Mission
So we look at our mission briefing and read that "space46" has had his/her hosting account suspended and needs to get his/her backup file from the root of his/her account. This is where we come in. It's a good idea to note down the name of the backup file.
It is worth our while (as with any mission) to look around the website for anything we might be able to exploit or anything that looks out of place. If it helps to do so, make notes. Try and understand how the pages work, what software is it running etc.
At a glance we can see that we have several pages of content. "Main Page", "Features", "FAQ", "Terms of Service", "Pricing" and "WebMail". If we navigate through these pages and read what's on there, we might find information beneficial to us later on in the mission.
The first thing to take note of is the WebMail feature as it has a login form but alas "Due to the recent security breach, WebMail is currently unavailable." It would be unwise to take their word for it but it's swiftly apparent that we're not getting anywhere with it. Maybe there is somewhere else we can log in? If so, try what we know. If we don't get anywhere, fine. Keep making observations.
Once we've done the initial check for links, scripts and forms, it's time to piece together what we already know about the site.
Ok so we've figured out it's running a Perl script to grab the pages. It must be grabbing these pages from somewhere. If you put in a false page name, what happens? Take note. How could we run a command to find what else is there?
spoiler:
There is a useful character not disabled in the script. How can we end one command and use another to list the files from a Perl script? Do some research on piping commands and how they might help us list the other files.
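For the defensive side of that spoiler, here's an added example of mine (not the mission's script and not code from the original article) showing how a page-grabbing script should take its page name. It's in Python rather than Perl so it runs anywhere; the directory layout, page names and function names are all made up for the demo. The Perl-specific trap the spoiler is hinting at is the two-argument open(), which treats a name that ends in "|" as a command to run; the three-argument form with an explicit '<' mode never does, and an allow-list on the name stops the problem before it reaches any open() at all.

```python
import os
import re
import tempfile

# Only page names made of these characters are ever accepted. A pipe, a
# slash or a ".." never gets as far as the file system (or, in a Perl
# script, as far as a two-argument open()).
PAGE_NAME = re.compile(r"^[a-z0-9_-]{1,32}$")


def is_safe_page_name(page):
    """True only for plain page names like 'main' or 'faq'."""
    return bool(PAGE_NAME.match(page))


def make_demo_site():
    """Build a throwaway site directory with two constructed pages (demo data only)."""
    root = tempfile.mkdtemp(prefix="demo_site_")
    pages = os.path.join(root, "pages")
    os.mkdir(pages)
    for name, body in (("main", "<h1>Main page</h1>"), ("faq", "<h1>FAQ</h1>")):
        with open(os.path.join(pages, name + ".html"), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def load_page(root, page):
    """Return the HTML for a page, or raise if the request is not a plain page name."""
    if not is_safe_page_name(page):
        raise ValueError("page name contains characters that are not allowed: %r" % page)
    path = os.path.join(root, "pages", page + ".html")
    # A plain file open: the name is never handed to a shell or interpreted
    # as a command, and the allow-list above already ruled out '|' and '..'.
    try:
        with open(path, encoding="utf-8") as fh:
            return fh.read()
    except FileNotFoundError:
        # Generic message on purpose: a verbose error here is exactly the
        # kind of thing the article tells you to "take note" of.
        return "<p>No such page.</p>"


if __name__ == "__main__":
    site = make_demo_site()
    print(load_page(site, "main"))
    for bad in ("main|ls", "../secret", "faq.html"):
        try:
            load_page(site, bad)
        except ValueError as exc:
            print("rejected:", exc)
```

The important design choice is that the check is an allow-list on the name, not a block-list of "dangerous" characters: a script that only strips "|" still has to worry about every other metacharacter the underlying language might honour.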
If we've managed to find anything it might be a good idea to note down what we've found. Once we've noted it down it's time to do some more exploring. If we've found a folder and followed the path we'll notice we're confronted with a short list of usernames. Great, space46's directory! But "This account has been suspended" means we don't have direct access. Since the list is short we can look through each of the users' directories and take notes.
We should now be on another user's page. Take a good look around and we'll notice several things. There is a login form, a forum, radio listings, a small "about" page and the main page. Easily missed is an option to register but a simple inspection will show that it requires an Auth Code that we don't have.
If we read the information on the main page we'll find that because of "commie hackers" they've decided to log users and even take note of the browser they're using!! It would be worth looking at the script's "amazing capabilities" and how it works.
It's in our best interests to obtain mod/admin access to gain a better understanding of how the websites hosted with BudgetServ work. First we need to see what an account looks like. How could we exploit their logging script to gain access to an account?
If you're a little stuck:
spoiler:
Their clever logging script could be of some use to us. It's saving in .html format and it's logging whatever we have as our User Agent. Maybe we could use the .html file to add a little script of our own?
If you're still stuck:
spoiler:
If you're using Firefox, "User-Agent switcher" will be useful to you here.
If you're still stuck:
spoiler:
Remember realistic 9?
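Since the whole logging-script chain above comes down to one mistake, here's an added example of mine (not the site's logging script, not code from the original article) of how that visitor log should have written the User-Agent into its .html file, alongside the broken version. The sample address and User-Agent string are constructed for the demo, and the function and file names are made up.

```python
import html
from datetime import datetime, timezone

MAX_UA_LEN = 256  # the header is browser-controlled, so cap what gets stored

# Constructed sample: a User-Agent that carries markup instead of a browser name.
SAMPLE_UA = "Mozilla/5.0 <script>alert(1)</script>"


def _stamp(when):
    when = when or datetime.now(timezone.utc)
    return when.strftime("%Y-%m-%d %H:%M:%S")


def log_row_unsafe(remote_addr, user_agent, when=None):
    """The mistake: browser-supplied text pasted straight into an HTML table row.

    Whoever opens the log in a browser runs whatever markup the visitor sent.
    """
    return "<tr><td>%s</td><td>%s</td><td>%s</td></tr>\n" % (
        _stamp(when), remote_addr, user_agent)


def log_row(remote_addr, user_agent, when=None):
    """The fix: truncate, then HTML-escape every field before it touches the page."""
    cells = (_stamp(when), remote_addr, user_agent[:MAX_UA_LEN])
    escaped = "".join("<td>%s</td>" % html.escape(c, quote=True) for c in cells)
    return "<tr>%s</tr>\n" % escaped


def append_to_log(path, remote_addr, user_agent):
    """Append one escaped row to the log file and return the row that was written."""
    row = log_row(remote_addr, user_agent)
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(row)
    return row


if __name__ == "__main__":
    print("unsafe:", log_row_unsafe("203.0.113.5", SAMPLE_UA), end="")
    print("safe:  ", log_row("203.0.113.5", SAMPLE_UA), end="")
```

Escaping on output is the part that matters; the length cap is just hygiene. The other half of the defence is on the cookie side: a session cookie set with the HttpOnly flag isn't exposed to document.cookie, so even a log page that does get markup into it has far less to hand over.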
Ok so we now have access to an account. That's great but we can't really do anything more. Let's look at our profile. On our profile page, looking at the URL we notice that there's a parameter called "id". What if we weren't specific about which id we wanted? It allows us to edit our profile, what if we aren't logged in?
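The two questions in that paragraph describe one missing check, so here's an added example of mine (not the forum's code, not from the original article) of how a profile-edit handler should decide which row it's allowed to touch. The user ids, names and access levels are constructed for the demo and the function names are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed demo data: two accounts and their access levels.
LEVEL_MEMBER, LEVEL_MOD = 0, 1
USERS = {
    101: {"name": "member_one", "level": LEVEL_MEMBER},
    202: {"name": "mod_two", "level": LEVEL_MOD},
}


@dataclass
class Session:
    user_id: Optional[int]  # None when nobody is logged in
    level: int


def anonymous():
    return Session(user_id=None, level=LEVEL_MEMBER)


def session_for(user_id):
    return Session(user_id=user_id, level=USERS[user_id]["level"])


def resolve_profile_id(session, requested_id):
    """Return the profile id this session may edit, or raise.

    The "id" from the URL is only a hint; the session decides what is allowed.
    An omitted id means "my own profile", never "whatever row the query picks",
    and no session at all means no edit at all.
    """
    if session.user_id is None:
        raise PermissionError("login required")
    if requested_id in (None, ""):
        return session.user_id
    try:
        target = int(requested_id)
    except (TypeError, ValueError):
        raise ValueError("id must be an integer")
    if target not in USERS:
        raise LookupError("no such user")
    if target != session.user_id and session.level < LEVEL_MOD:
        raise PermissionError("members may only edit their own profile")
    return target


if __name__ == "__main__":
    for sess, req in ((anonymous(), "101"), (session_for(101), None),
                      (session_for(101), "202"), (session_for(202), "101")):
        try:
            print(sess, req, "->", resolve_profile_id(sess, req))
        except (PermissionError, LookupError, ValueError) as exc:
            print(sess, req, "->", type(exc).__name__, exc)
```

The point is that the authorisation decision happens before the database is touched, and it is keyed on the session, not on anything the client put in the query string.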
If you've understood that, then you should have worked your way into a mod account. If we look at our mod panel, we'll notice that we've got limited SQL access. If you review your notes on your initial observations you'll notice that SQLite is being used. Ideally we'd like to run an SQL command to find usernames and passwords but how do we go about finding the names of the tables?
spoiler:
Use Google to look up how to list the names of all tables in a database in an SQLite system.
So we've managed to get a listing of the tables and you've probably tried using SQL commands to view the contents of those tables. The problem is, this database is just for t**r****w**r**** data. If we examine the form used to submit SQL commands it looks like we can change the value of the database! We need to find information from the BudgetServ database. Where else have you seen a database file?
Once we've figured out where the BudgetServ database is, we need to work out how we can query the BudgetServ database using the same form.
If you're stuck here's one method:
spoiler:
Javascript Injection.
If you're still stuck:
spoiler:
Remember Directory Traversal?
Once we've switched the database being queried around let's try the same command as before to list all of the tables. If you've switched the database correctly then we shouldn't get any errors. If it hasn't worked then it's a case of playing around with the path to the database until you get it right.
Once that's done then you should be able to obtain the usernames and passwords. Note them down and let's try and log into BudgetServ using the login form that you found when looking around initially. It's worth at least trying to log in as space46 but again we're told that the account is suspended so we try logging in as someone else.
Upon logging in we're presented with a basic admin panel. You'll notice that most of the features have been disabled because of a security breach. You're able to list files from the account or download them as you wish. How could you exploit this to download space46's file?
If you're stuck:
spoiler:
Try downloading an image. Watch what goes on!
If you're still stuck:
spoiler:
What did you have to remember to switch the databases?
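The last three steps (listing the tables in an SQLite file, the form that lets you change which database file is queried, and the download feature in the admin panel) all share the same underlying fix, so here is one added example of mine (not BudgetServ's code, not code from the original article) covering all of them: a path check that keeps any requested file inside the account's own directory, used both for downloads and for picking the database file, plus the sqlite_master query that lists a database's tables. The account names, files and tables are constructed for the demo; the function names are hypothetical.

```python
import os
import sqlite3
import tempfile


def make_demo_hosting():
    """Create two constructed hosting accounts, each with a site database and one file."""
    root = tempfile.mkdtemp(prefix="demo_hosting_")
    for account in ("acct_a", "acct_b"):
        d = os.path.join(root, account)
        os.mkdir(d)
        with open(os.path.join(d, "logo.gif"), "wb") as fh:
            fh.write(b"GIF89a-demo-" + account.encode())
        con = sqlite3.connect(os.path.join(d, "site.db"))
        con.execute("CREATE TABLE members (name TEXT)")
        con.execute("CREATE TABLE posts (body TEXT)")
        con.commit()
        con.close()
    return root


def resolve_within(account_dir, requested):
    """Return an absolute path for `requested` only if it stays inside account_dir.

    realpath() collapses '..' and follows symlinks on both sides, so the
    comparison is made on what the file system would actually open. An
    absolute `requested` makes os.path.join drop the base, which then fails
    the containment test as well.
    """
    base = os.path.realpath(account_dir)
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError("path escapes the account directory: %r" % requested)
    return target


def download_file(root, account, requested):
    """The admin panel's download, restricted to the logged-in account's files."""
    path = resolve_within(os.path.join(root, account), requested)
    with open(path, "rb") as fh:
        return fh.read()


def list_tables(root, account, requested_db="site.db"):
    """List the tables of a database file that belongs to this account."""
    path = resolve_within(os.path.join(root, account), requested_db)
    # sqlite3.connect() silently creates an empty file if the path does not
    # exist, so check first rather than leaving stray databases behind.
    if not os.path.isfile(path):
        raise FileNotFoundError(requested_db)
    con = sqlite3.connect(path)
    try:
        rows = con.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name"
        ).fetchall()
    finally:
        con.close()
    return [r[0] for r in rows]


if __name__ == "__main__":
    root = make_demo_hosting()
    print(download_file(root, "acct_a", "logo.gif"))
    print(list_tables(root, "acct_a"))
    for bad in ("../acct_b/site.db", "/etc/hostname"):
        try:
            download_file(root, "acct_a", bad)
        except PermissionError as exc:
            print("rejected:", exc)
```

Note that "listing the files" and "downloading them" go through the same resolve_within() call: the panel's file listing is only as safe as the download path it hands out, so both have to be anchored to the same directory.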
And there you have it. Realistic 11 completed. I'll add that I know it's unnecessary to go through the whole logging script procedure but it makes it a little more fun and allows for a bit of extra thinking.
I hope you enjoyed the article as much as I enjoyed writing it and feel free to edit out anything that might be considered too big of a spoiler.
-Nines9
Comments (27 published):
By: TheMindRapist - 12:21 pm Saturday April 12th, 2008
Great article! One of the few that concentrates on the fundamentals and learning rather than just trying to hand out the answers. Vague enough, but provides the vitals- great work.
10/10
By: TheMindRapist - 08:38 pm Saturday April 12th, 2008
I like how he actually formats it and uses correct grammar...
By: DarkyHacker - 08:50 am Sunday April 13th, 2008
I don't really get the part where we have to add our own script, how do we do that? (a hint would be nice).. Other than that it's a great article man 10/10
Take another look at that first spoiler. Then take a look at the one after it. It should click into place mate.
By: DarkyHacker - 09:25 am Sunday April 13th, 2008
Yo I figured it out thanks, now I'm stuck on the part where I have to obtain the username+password for the main server (BudgetServ). I switched the database displayed but it doesn't show any username or password. Do I have to use a command to retrieve them?
I already had completed this mission but I thought to check your article ;) Well written, it explains a lot without giving out a lot. After your logic missions, you continue doing a great job with this article. I hope for more to follow (missions & articles :) Keep up the good work!
So, a 10/10 from me too seems appropriate :)
By: newb-noob - 04:29 pm Thursday April 17th, 2008
Where do I change the path at? Is it in the ***.db**e input or the m*d input or in the ?p**e=?
By: krauser2288 - 07:56 am Saturday April 19th, 2008
hey.... I've been looking and reading now about the piping commands but I can't seem to find anything.... anyone want to point me in the direction of a good website? Would be helpful!
Try "perl cgi open pipe exploit" in google without quotes.
---
I have never tried to do this before (piping a cmd in open()), but I doubt I am too stupid to understand how it works (but I might be). If one of the more accomplished members could try to use this method on this mission just to check if all is well on hts, it would be greatly appreciated. This is a huge site and bugs are bound to happen. If it is fully functional, then I guess I am stupid:)
I'm stuck man. I stole the cookie and now logged with some name called clinton bomber 03750 ID: 5829. His access level is 0 and can't figure out how to switch to the mod account.... Would be appreciated if someone provides me with a hint.... I'm not asking for the solution but for a hint!!
First of all, nice article!
But I am stuck, I have the same problem as _steAlth. It seems that this "What if we weren't specific about which id we wanted?" isn't specific enough for me :).
Please give me a small hint, I already tried some URL manipulation, (new) JS injection via the logger and tried the page=admin&add_admin=<id> (I saw this HTTP GET in the logger.html file) thing via injection and the trwr-forums. But I think I have missed something ...
I'm stuck at connecting to the other DB, can someone give me a hint? I tried saving it and changing the DB value but it didn't work.
This site is the collective work of the HackThisSite staff. Please don't reproduce in part or whole without permission.
Page Generated: Fri, 25 Jul 2008 07:54:37 -0500