Ok so here are a few notes rolled into a vague guide to assist with realistic mission 11. I've tried to make it so that it doesn't hand you answers but it's not too vague to follow. Not all of what's in this article is necessary to complete the mission but since the aim of completing it is to learn, I've included the "extra bits" for good measure! :D
I recommend (as with any mission) that you try and do as much as you can on your own before consulting a guide or anyone for help.
What you might need
* Information on Piping commands in Perl
* SQL Command Reference
* Knowledge of Cookie Stealers
* User-Agent Switching
* A PHP hosting facility
* Knowledge of Directory Traversal
(Since most of these are covered in other missions and articles I'm not going to provide any links)
So we look at our mission briefing and read that "space46" has had his/her hosting account suspended and needs to get his/her backup file from the root of his/her account. This is where we come in. It's a good idea to note down the name of the backup file.
It is worth our while (as with any mission) to look around the website for anything we might be able to exploit or anything that looks out of place. If it helps to do so, make notes. Try and understand how the pages work, what software it is running, etc.
At a glance we can see that we have several pages of content. "Main Page", "Features", "FAQ", "Terms of Service", "Pricing" and "WebMail". If we navigate through these pages and read what's on there, we might find information beneficial to us later on in the mission.
The first thing to take note of is the WebMail feature as it has a login form but alas "Due to the recent security breach, WebMail is currently unavailable." It would be unwise to take their word for it but it's swiftly apparent that we're not getting anywhere with it. Maybe there is somewhere else we can log in? If so, try what we know. If we don't get anywhere, fine. Keep making observations.
Once we've done the initial check for links, scripts and forms, it's time to piece together what we already know about the site.
Ok so we've figured out it's running a Perl script to grab the pages. It must be grabbing these pages from somewhere. If you put in a false page name, what happens? Take note. How could we run a command to find what else is there?
There is a useful character not disabled in the script. How can we end one command and use another to list the files from a Perl script? Do some research on piping commands and how they might help us list the other files.
If we've managed to find anything it might be a good idea to note down what we've found. Once we've noted it down it's time to do some more exploring. If we've found a folder and followed the path we'll notice we're confronted with a short list of usernames. Great, space46's directory! But "This account has been suspended" means we don't have direct access. Since the list is short we can look through each of the users' directories and take notes.
We should now be on another user's page. Take a good look around and we'll notice several things: a login form, a forum, radio listings, a small "about" page and the main page. Easily missed is an option to register, but a quick inspection shows that it requires an Auth Code we don't have.
If we read the information on the main page we'll find that, because of "commie hackers", they've decided to log users and even take note of the browser they're using! It would be worth looking at the script's "amazing capabilities" and how it works.
It's in our best interests to obtain mod/admin access to gain a better understanding of how the websites hosted with BudgetServ work. First we need to see what an account looks like. How could we exploit their logging script to gain access to an account?
If you're a little stuck:
Their clever logging script could be of some use to us. It's saving in .html format and it's logging whatever we have as our User Agent. Maybe we could use the .html file to add a little script of our own?
If you're still stuck:
If you're using Firefox, "User-Agent switcher" will be useful to you here.
If you're still stuck:
Remember realistic 9?
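The weakness in the logging script is that a raw request header is written into an HTML page that a moderator later opens in a browser. As an added example (not the site's script), here is the log writer with the header escaped, beside a simple detector that flags User-Agent values carrying markup; the request samples are constructed.

```python
import html
import re

# Constructed request samples standing in for what the site's logging script
# receives; the third one carries markup in its User-Agent header.
SAMPLE_REQUESTS = [
    ("10.0.0.5", "Mozilla/5.0 (X11; Linux i686; rv:1.9) Gecko/2008 Firefox/3.0"),
    ("10.0.0.9", "Opera/9.27 (Windows NT 5.1; U; en)"),
    ("10.0.0.7", "Mozilla/5.0 <script>/* injected */</script>"),
]

# Anything that looks like a tag, a script URL or an inline event handler.
# Genuine browsers never send these in a User-Agent string.
MARKUP_HINT = re.compile(r"<\s*/?[a-z!]|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)


def log_entry_html(ip: str, ua: str) -> str:
    """Row for the HTML log page, with the header escaped.

    The mission's script writes the raw header, so whatever a visitor puts
    in User-Agent is rendered by the moderator's browser. Escaping turns it
    back into inert text; html.escape also escapes quotes, so the value is
    safe inside attributes as well as between tags.
    """
    return f"<tr><td>{html.escape(ip)}</td><td>{html.escape(ua)}</td></tr>"


def render_log(requests) -> str:
    """Whole log table built from (ip, user_agent) pairs."""
    rows = "\n".join(log_entry_html(ip, ua) for ip, ua in requests)
    return f"<table>\n{rows}\n</table>"


def suspicious_user_agents(requests) -> list:
    """Detection side: the (ip, ua) pairs whose header carries markup, so the
    log itself points at the visitor who tried to plant a script."""
    return [(ip, ua) for ip, ua in requests if MARKUP_HINT.search(ua)]
```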
Ok so we now have access to an account. That's great, but we can't really do anything more. Let's look at our profile. On our profile page, looking at the URL we notice that there's a parameter called "id". What if we weren't specific about which id we wanted? The page allows us to edit our profile; what if we aren't logged in?
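Added example, not the site's code: a profile-edit handler that refuses both shortcuts hinted at above, an omitted or malformed "id" and a request with no session, instead of silently falling back to some other row. The profile table and the mod role are constructed for the example.

```python
# Constructed profile table standing in for the site's user records.
PROFILES = {
    1: {"name": "admin", "role": "mod"},
    7: {"name": "newuser", "role": "user"},
}


def profile_to_edit(session_user_id, query: dict) -> int:
    """Decide which profile an edit request may touch, failing closed.

    Each shortcut gets its own refusal: no session, an omitted or malformed
    'id' (no default profile is ever picked), and an 'id' belonging to
    somebody else unless the caller is a mod.
    """
    if session_user_id not in PROFILES:
        raise PermissionError("login required")
    raw = query.get("id")
    if raw is None or raw == "":
        raise ValueError("id is required; there is no default profile")
    try:
        requested = int(raw)
    except (TypeError, ValueError):
        raise ValueError(f"id must be an integer, got {raw!r}") from None
    if requested not in PROFILES:
        raise LookupError(f"no profile {requested}")
    caller_is_mod = PROFILES[session_user_id]["role"] == "mod"
    if requested != session_user_id and not caller_is_mod:
        raise PermissionError("users may only edit their own profile")
    return requested


def edit_allowed(session_user_id, query: dict) -> bool:
    """True when profile_to_edit would succeed (a yes/no wrapper for callers)."""
    try:
        profile_to_edit(session_user_id, query)
    except (PermissionError, ValueError, LookupError):
        return False
    return True
```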
If you've understood that, then you should have worked your way into a mod account. If we look at our mod panel, we'll notice that we've got limited SQL access. If you review your notes on your initial observations you'll notice that SQLite is being used. Ideally we'd like to run an SQL command to find usernames and passwords but how do we go about finding the names of the tables?
Use Google to look up how to list the names of all tables in a database in an SQLite system.
So we've managed to get a listing of the tables and you've probably tried using SQL commands to view the contents of those tables. The problem is, this database is just for t**r****w**r**** data. If we examine the form used to submit SQL commands it looks like we can change the value of the database! We need to find information from the BudgetServ database. Where else have you seen a database file?
Once we've figured out where the BudgetServ database is, we need to work out how we can query the BudgetServ database using the same form.
If you're stuck, here's one method:
If you're still stuck:
Remember Directory Traversal?
Once we've switched the database being queried around, let's try the same command as before to list all of the tables. If you've switched the database correctly then we shouldn't get any errors. If it hasn't worked then it's a case of playing around with the path to the database until you get it right.
Once that's done then you should be able to obtain the usernames and passwords. Note them down and let's try to log into BudgetServ using the login form that you found when looking around initially. It's worth at least trying to log in as space46, but again we're told that the account is suspended, so we try logging in as someone else.
Upon logging in we're presented with a basic admin panel. You'll notice that most of the features have been disabled because of a security breach. You're able to list files from the account or download them as you wish. How could you exploit this to download space46's file?
If you're stuck:
Try downloading an image. Watch what goes on!
If you're still stuck:
What did you have to remember to switch the databases?
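The three server-side slips this mission leans on (a shell metacharacter in the page name, a rewritten database path in the mod panel, and a traversal in the admin-panel download) all come from trusting a user-supplied name as a path or command. Below is an added example, not code from the mission site, of how a hosting panel closes all three by allow-listing names and canonicalising paths before use; the directory layout, SITE_ROOT and the function names are assumptions.

```python
import re
from pathlib import Path

# Hypothetical layout of one hosting account (constructed for this example):
#   pages/<name>.html  pages served by the page-loading script
#   data/<name>.db     database files the mod panel may query
#   files/<path>       files the admin panel lets the account list and download
SITE_ROOT = Path("/srv/budgetserv/example_account")  # placeholder path
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]+$")


def resolve_under(base: Path, requested: str) -> Path:
    """Canonical path of `requested` inside `base`; raises if it escapes.

    Resolving both sides before comparing is what stops '../' sequences.
    Absolute input is caught too: `base / "/abs"` discards `base`, so the
    result is no longer under it and is refused.
    """
    base_real = base.resolve()
    candidate = (base_real / requested).resolve()
    if candidate != base_real and base_real not in candidate.parents:
        raise PermissionError(f"{requested!r} escapes {base}")
    return candidate

def page_path(pages_dir: Path, name: str) -> Path:
    """Page loader: allow-list the name, then open the file directly.
    The mission's script hands the name to a shell pipeline; here the name
    must be a plain token and no shell is involved at all."""
    if not SAFE_NAME.match(name):
        raise ValueError(f"bad page name: {name!r}")
    return resolve_under(pages_dir, f"{name}.html")

def database_path(data_dir: Path, name: str) -> Path:
    """Mod-panel database selector: the form may only pick a file inside
    this site's own data directory, never an arbitrary path."""
    if not SAFE_NAME.match(name):
        raise ValueError(f"bad database name: {name!r}")
    return resolve_under(data_dir, f"{name}.db")

def download_path(files_dir: Path, relpath: str) -> Path:
    """Admin-panel download: sub-folders are fine, escaping the account is not."""
    return resolve_under(files_dir, relpath)

def is_rejected(fn, *args) -> bool:
    """True if the check refuses the request (handy for tests and logging)."""
    try:
        fn(*args)
    except (ValueError, PermissionError):
        return True
    return False
```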
And there you have it. Realistic 11 completed. I'll add that I know it's unnecessary to go through the whole logging script procedure but it makes it a little more fun and allows for a bit of extra thinking.
I hope you enjoyed the article as much as I enjoyed writing it and feel free to edit out anything that might be considered too big of a spoiler.