This is my very first article on Hack This Site and English is not really my first language, so if I make a lot of language errors, well, please excuse me :).

So, you’re having problems on realistic mission 15 right? Well of course, why else would you be reading this.

OK, so lets start. But before we do, here’s a very handy hint first. Something that applies to every mission on hts. Something I always do before I start thinking too technical about a mission. So I recommend you do it as well before you start this mission. All you do, is look through EVERY page’s source, take a note of all the web pages and directories you see, and keep those notes nearby. I know it takes a while, but it certainly pays off, especially in this mission. So go right ahead and do it.

Now, after you have done that, lets start for real.

A quick word of inspiration: This mission is not at all that difficult, it is just very, very long.

(If this article helps you in any way or if you just love it do me a favor. Come one, give it a 10/10).

-Getting the ZIP-

So you ask: “How do I get the ZIP file everybody talks about.” Well, hopefully when you were looking through every page’s source, you found a directory named _b***u**_. If you did not, you’ll have to look through the sources again. But if you have found it, good for you!
Now, go to the directory. http://www.hackthissite.org/missions/realistic/15/_b***u**_/
You should see two things. A folder named images, and a ZIP file named b***u*.zip.
So there is your beloved zip file. Hurray! Just download it and extract. But oh deary me. It is password protected. Darn! But luckily, for every problem, there is a solution. This is where pkcrack comes in.

Extracting the zip

As you might, and hopefully do know, you need a program named pkcrack for this part of the mission. So a good thing would be to download it. :p
OK, so you downloaded pkcrack, good. What pkcrack does, is it is a plaintext attacker (feel free to correct me if that is not the correct term). That basically means that to crack the ZIP, it needs at least one of the files that is in the ZIP in it’s original form (unencrypted obviously). So, with that in mind, open the ZIP in winzip or whatever and see what you can find. Well, looky here! There is a file in there that is available in it’s original form. Great, problem just got a lot less trickier.
So now you need to get the index.htm page. How? Easy. Just go to the page, and go to File -> Save/Save Page As -> and save it. I don’t know about Internet Explorer, but for Firefox, you need to save it as “Web page, HTML only”, not “Web page, complete”. The size of the file should be exactly 4423 bytes. If it is not, you did something wrong. Just keep on saving the page in a different way. Come on people, its not so hard to save a web page :p. You can also try using wget, although I don’t really like it.

OK, so now you have the page saved in the correct size. Now comes the tricky part. You need to compress the file you downloaded to 1245 bytes exactly. I know this is the part where many of you are stuck at. So, go ahead and compress it.

What I used: Winace v2.65

You compress it using the normal compression (please don’t remove this admins, it has been said in the forums many times), and you also need to change the encryption method. Try them all, there aren’t that many.
Now, an important note: Every time you compressed the file and want to check the size, do NOT check the file size in properties, open it in Winzip or Winace or whatever, and check it in there. This part is so simple, but it had me stuck for a while.
Now that you have the file ZIPed to the correct size (1245), we can continue with pkcrack. First, put the ZIPed file and the b***u*.zip IN THE PKCRACK FOLDER. Now go to cmd, and cd your way to the pkcrack folder. now, type pkrack and hit enter. You will see the syntax you need to use. To get a better explanation, read the pkcrack manual. It is in the doc folder. Still in cmd, type:
-C passwordprotectedzip –c thefileinthezipthatyouhavedownloadedfromthesite –P theplaintextzip –p thefileinthezipthatyouhavezippedto1245bytes –d Unzipped.zip -*

-C is the password protected ZIP file (b***u*.zip).
-c is the file in the ZIP file that is available in plaintext format (i**e*.htm).
-P is the ZIP containing the file ZIPed to 1245 bytes.
-p is the file in the plaintext ZIP ZIPed to 1245 bytes
-d is the decrypted ZIP file that pkcrack will create if it cracks the encrypted ZIP successfully.
-* the * represents a character. to find out which one, read your pkcrack manual. This is a very important function. Without it I couldn’t unzip the ZIP.

I know many of you guys are getting errors at the –c part. This is because if you type “hello world”, cmd only sees the first word, “hello”. To make it “see” every word, you need to use quotes (“”). So now try unzipping again. for –c use: -c “isc*******/i**e*.htm” (WITH QUOTES). Note: It has to be a / and not a . The reason for this I don’t know. Maybe it is not necessary, but wouldn’t work for me.

So hopefully you have successfully unzipped b***u*.zip. If you have not, feel free to pm me.

Now, on to the rest of the mission.

Finding some kind of login page

OK, now we have done a very important part of the mission, but what now? Well, an obvious thing to do would be to look for some kind of a login page.

So as you might have guessed, the folder in the ZIP (in******_me*****), is also a folder on the site. And there is a file in that folder, with the same name as the folder itself. So go there. http://www.hackthissite.org/missions/realistic/15/in******_me******/in******_me******.php
Hurray! A login page. But how on earth do we get the passwords? Well that is actually very easy. For this part of the mission, you have a little more thinking work to do than usual. Firstly, look at the source. You will see that it sends the data it receives from your input, to a page called m****o*.php. Is that not one of the files in our ZIP? It sure is!

So the login page sends variables called ‘username’ and ‘password’ to m****o*.php.
The password it receives from you, and the username is hardcoded into the source.
Now, you have to go study the m****o*.php, to find out what it does with the variables you send it. So you see it puts the ‘password’ variable into a php variable named “$m**_p****o**”, and the username variable into a php variable named “$m**_u****a**”. It also creates a new variable named “$f****a**”. After all that is done, it calls the m***u**.php file.

As you can see, the function of m***u**.php is to check if your username and password is correct, and if it is, (very important) it sets your $_SESSION to “OK”. If the login details are not correct, it dies with the message: “wrong username/password!”

Note: the m***u**.php file only does something when your $_SESSION is NOT “OK”. This is very important to take note of!

Now the first function in the m***u**.php is just to make sure that you have entered something in the password field. If you have not, the ‘String lenth (strlen)”, is 0 and the script dies.

The second function is just to make sure you haven’t entered anything too fancy in your password or username field. It is not so important to us.

Now it starts getting interesting. The next function opens a file and stores it in a variable. The file opened is the one that is assigned to the “$f****a**” variable in m****o*.php.
Then, if variable “$f*” is not a valid file, the script dies.

Now we get to a while loop. It executes until the linereader (which is created in the loop) has not yet reached the end of the file, or if your $_SESSION has been set to “OK”, it also stops.

This function: “$s**L***=…..”. All that it does is it reads a line from the file “$f*”, and stores the line in a variable name “$s**L***”. Don’t worry about the rest.

Now we are at the most important function. What this does, is:
Your username and password are put into one string, like this : “username: password”.
Then it checks if that string is in the line that it just read from the file.
This is an important thing to understand. If the line read is “blahblahhts: isgreat”, and your username and password are “hts: isgreat”, you would get access granted. However if the line read is “blahblahhts: isgreatblah”, and your username and password are “hts: isgreat”, you would get access denied. In the last example your password should have beed “isgreatblah”.
Hopefully you understood that part. If you did not, feel free to pm me.

Exploiting the login page

Now, from what you have just learned, you should know that you need to find a page that has a “admin: somepasshere” combination. So look around the realistic 15 site and see if you can find a page with that combination (hint: start at the very first page you saw when you started this mission). Look at the page’s source, and search for “admin:”. You should find what you are looking for. Just remember, the password is the ENTIRE LINE AFTER THE “: “.

Now you know (by looking at m****o*.php) that the file that is checked whether your username and password are correct, is “m**p****o***.txt” (VERY important note: m***uth.php looks for the file in the “f**e*/” directory. If you are not sure why, check the script.

Now lets make a little HTML form:

<form action=”www.hts/missions/blahblah/m***u**.php” method="POST">
<input name="(variable for password (check m****o*.php) but without the “$”)” value="(the whole line after “admin: “)” type=text>
<input name="(variable for username (check m****o*.php) but without the “$”)”
value="admin" type=text>
<input name="(variable for the name of the file (check m****o*.php) but without the “$”)” value="(path to the file containing the correct admin: pass combination (remember: you need to go to the file from the “f**e*/” directory (directory transversal))” type=text>
<input type="submit" value="send">
</form>

Save this as html, and open it in your web browser. Click the submit button. Darn! A blank page. But we want a blank page right. Hehe.
Go back to the login page, and click the “read message” button for admin. Wow! We’re in! Great.
The reason this worked is when we made the HTML form, the m***u**.php page did find a admin: pass combination on the page we gave it, and therefore set our $_SESSION to “OK”. Oh, and I strongly recommend you use Firefox for this, I couldn’t do it with IE.

btw: If you can’t get this to work, feel free to pm me.

What now?

So you have your $_SESSION set to “OK” right, well go ahead and read the admin’s message. In the message you will see a directory name. So go there (its in missions/15/). Oh no! Forbidden. But remember that other file in misc……..? Exactly! We have found it’s location. Yay!

Exploiting the 2nd login page

So now go to http://www.hackthissite.org/missions/realistic/15/a****_***a/***ll.php . Dammit, Another login. For this part you need to go study your copy of the ***ll.php. You will see that they have removed the hash. Big problem. But not so big actually. The most important parts of the ***ll.php script for this part of the mission are these:

$***llU***_***t = "***t";
$***llP***_***t = "********************************"; // hash removed in this backup-file
$***llU***_****rs = "*****s";
$***llP***_****rs = "********************************"; // hash removed in this backup-file

$MyShellVersion = "MyShell 1.1.0 build 20010923 ".$$PHP_AUTH_USER;

From these parts you know what the username is. But the last bit is very important. If you don’t know what it does you should read up on it a bit. But basically THAT is the part we are going to exploit (big hint). So what do we want? Well the hash of course! And that little bit at the top prints out something. Lets see if we can make it print out a variable. Fo to the login page, and in the USER field, type: “$fromEmail”, and click submit. You will be prompted for login again, but this time click cancel. Damn! Nothing. Refresh the page, and login will come up again. This time try something different. We know something must work. So try: “fromEmail”. When login comes up again, click cancel. Holy Moly! Look at that! Well, hopefully you know what to do now &#61514;.
When you get the hash (remember it is double md5 (you can get this info in forums too)), crack it. Here is a nice site I found: http://gdataonline.com/seekhash.php Crack the hash, and then cack the cracked hash again. You should get your password. Now go to the ***ll.php page again, login with username and password, and voila, you’re in!

Exploiting the ***ll.php page

Scroll to the bottom of the page. Nice. We can enter commands here. So first of all, get a directory listing (linux command). OK, see that nice looking file? Go to it. Phew, another login form. These people are freekin’ paranoid!

Exploiting the last login form

This is the buffer overflow part. Go check your ***ll.php script or the forums. You will see a character everyone talks about (near the end of the alphabet). So we need to buffer overflow the password field with that character. So lets start off with 200 *’s (* is that character).

Note: if you get any error other than “Access denied!
Your IP and useragent were logged!”
You should make sure that you are logged in to hts.

So we started with 200 right. And it didn’t work. Don’t worry, just try 201. Then 202, and so on. (If you reach 250 or more you have missed it, then you have to start from 200 again).

The End

So finally you get the right amount of *’s. And you complete the mission. Well done!

PS: If this helped you in any way, or if you just plainly loved it, be sure to vote for it!!!

Over and out