But, wait... hey, isn't that your site?
That is correct. I might as well write a walkthrough myself, rather then some other dude.
Level 1
View the source (ctrl+u) in most browsers and you will see this:
function test(passwd) {
if (passwd == "easy") {
location.href = "?page=levels&level=1&pw=" + passwd;
}
else {
location.href = "?page=error";
}
}
You can easily see that the password is "easy".
Level 2
The popup prompt are in the way for viewing the source, so we will write this in the address bar:
"view-source:http://hackordie.echofish.org/?page=levels&level=2"
In the source we find:
password=prompt('LEVEL: 2\n Enter password:','');
var a = "newbie";
var b = a.substring(0,3);
if (password == b)
{
location.href= "?page=levels&level=2&pw=" + password;
}
else
{
location.href= "?page=error";
}
At first sight most people will try "newbie" as the password, but it's not. Substring(0,3) means that we take the first three characters from our "newbie" string, which will return "new" and thats the password.
Level 3
So here we need Westlife to get over 10000 points in just one vote, there are meny ways to solve this level, but the easiest was is to go in and change the html manually.
I used Google Chrome's Developer Tool (Shift+Ctrl+I). Go in and change the value of the select-input like I did in this image:
After you have changed the value to 10000 click on the page and choose number 5 on the select-input and then hit submit.
Level 4
View the source again with the view-source method I described on level 2 and you will find this JavaScript:
<script language="JavaScript" type="Text/JavaScript" src="www.hackordie.echofish.org/levels/4/password.js"></script>
<script language="JavaScript" type="Text/JavaScript">
password=prompt('LEVEL: 4\n Enter password:','');
if (password == unescape(this_is_the_pw)) {
location.href = "?page=levels&level=4&pw=" + password;
}
else {
location.href = "?page=error";
}
</script>
"this_is_the_pw" is not the password, but a variable which you need to find the value of.
We see the unescape() function which means that the password is in hex. But where is the value of this_is_the_pw?
Well we see that an external JavaScript file is included. "www.hackordie.echofish.org/levels/4/password.js", lets check it out:
"don't believe in everything you see..."
Many get fooled by this, because when people see "www" they think it's a domain name, but it's actually a folder name. So when we go to "http://hackordie.echofish.org/www.hackordie.echofish.org/levels/4/password.js" instead we get the real thing:
var this_is_the_pw = "%72%6F%66%6C";
Now go to http://www.nickciske.com/tools/hex.php and write %72%6F%66%6C in the hex field and hit decode.
Done.
Level 5
In the source we see a comment that says which file to look in, it's called "levels/5/check.php".
Lets take a look (http://hackordie.echofish.org/levels/5/check.php) In the source we see styling, but also some numbers if we look closely.
But why are not the numbers shown on the presentation page? There is a html tag named noscript that will cause this effect.
Copy the source and paste it into a new txt-file. Hit Ctrl+F and remove the noscript-tags. Save the file as .html and open with your browser.
011010000110010101111001
You can clearly see that this is binary so lets go and decode it: http://www.nickciske.com/tools/binary.php
And there you got the password!
Level 6
We take a look at the source again with "view-source:" in front of the url in the address bar again and we find:
x=prompt('LEVEL: 6\n Enter password:','');
x=new String(x + " z");
var y = "1338";
var z = "1";
var f = "y - z";
if (x == f) {
location.href = "?page=levels&level=6&pw=" + x;
}
else {
location.href = "?page=error";
}
Many will get fooled by this thinking the password is 1338 - 1 which returns 1337. But "y - z" is a text string, not integer.
So the password is basicaly "y - z", but when we try it, we fail. This is bacause of this:
x=new String(x + " z");
This means that what we write into the password promt gets a " z" tail behind it, but the result is suppose to be "y - z" so if we just write "y -" into the promt it will return "y - z".
So the password is then "y -" :)
Level 7
View the source and we find this JavaScript:
function test(passwd) {
y=String.fromCharCode(115) + String.fromCharCode(101) + String.fromCharCode(passwd.substring(0,1)*11) + String.fromCharCode(114) + String.fromCharCode(101) + String.fromCharCode((passwd.substring(0,1)*13)-1);
if (passwd.substring(1,7) == y) {
location.href = "?page=levels&level=7&pw=" + passwd;
}
else {
location.href = "?page=error";
}
}
Don't be afraid, it's not as hard as it seems.
First String.fromCharCode() returns the ASCII value of an integer, and some of these values can be collected without doing anything else:
String.fromCharCode(115) = "s"
String.fromCharCode(101) = "e"
String.fromCharCode(114) = "r"
String.fromCharCode(101) = "e"
We can set it up like this: se?re?
We also can see that the first char in the password must be an integer since the script multiplies it with other numbers. And since it's just the first char (integer) it's using only the combination of 0-9.
Then we can bruteforce this shit.
var i = 0;
while(i < 10) {
document.write(i);
document.write(
String.fromCharCode(115) +
String.fromCharCode(101) +
String.fromCharCode(i*11) +
String.fromCharCode(114) +
String.fromCharCode(101) +
String.fromCharCode((i*13)-1));
document.write("
\n");
i++;
}
Run this in your browser and it will return:
1se�re�
2se�re�
3se!re&
4se,re3
5se7re@
6seBreM
7seMreZ
8seXreg
9secret
No doubt what the password is.
Level 8
In the source you will see that an external JavaScript file is included: http://hackordie.echofish.org/levels/8/l23.php
Relax the level is not broken, it's a fake 404 file. View the source of it and you will find: "You got the password to access the next level stored on your computer, good search"
Time to check cookies...
In the address bar write "javascript:alert(document.cookie);"
You will see at the bottom: "access=look_in_your_head..."
"Head..." means header. There are many ways to view the header information, but I used Google Chrome Developer Tool. Hit Shift+Ctrl+I and goto resources and select /?page=levels&level=8
Look at the response headers:
Cache-Control:no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Connection:Keep-Alive
Content-Type:text/html
Date:Fri, 19 Mar 2010 19:55:58 GMT
Expires:Thu, 19 Nov 1981 08:52:00 GMT
Keep-Alive:timeout=5, max=100
Pragma:no-cache
Server:Apache
The_password_is:ohyeah
Transfer-Encoding:chunked
X-Powered-By:PHP/5.2.12
And there you go :)
Level 9
We look in the source again and find:
x=prompt('LEVEL: 9\n Enter password:','');
if ( !((017232200000>>eval('0x'+x)) - (0xC3D*x+7)) ) {
location.href = "?page=levels&level=9&pw=" + x;
}
else {
location.href = "?page=error";
}
The simplest way is to just bruteforce it, and thats what we will do...
var x = 0;
while(x < 1000000) {
if ( !((017232200000>>eval('0x'+x)) - (0xC3D*x+7)) ) {
alert(x);
break;
}
x++;
}
Just run the script in the JavaScript console in your browser and you will get the answer :)
Level 10
We get an alert which tells us to find where it comes from.
By looking at the source it should be at levels/10/src.php (http://hackordie.echofish.org/levels/10/src.php) but if you open it you get a 404 (file not found).
But lets find out whats really going on here, the alert must come from somewhere.
I opened Chrome's Developer Tool and clicked the scripts tab and reloaded the page. Then I selected the src.php and this is what I found:
/* "let_me_in" */
alert('the password is at the same place as this alert');
Level 11
Time for flash!
The source tells us the location of the flash file:
view-source:http://hackordie.echofish.org/levels/11/hackme2.swf gave us jibberish. So we have to decomile it.
Download the flash file (save page as) and then download Flare (google it)
Flare is multiplatform so you can download it for Win, Mac or Linux and it's really easy to use, no worries.
When you have decompiled it you will get a file named hackme2.flr with a lot of code, but the only code we are interested in is this:
frame 1 {
function validate() {
var v1 = _root;
if (v1.password == (pass.reverse()).join('')) {
getURL('?page=level22&pw=' + v1.password, '');
} else {
v1.gotoAndPlay(2);
}
}
Stage.scaleMode = 'noScale';
var pass = ['y', 's', 'a', 'e', 's', 'a', 't', 'o', 'n'];
Key.addListener({'onKeyDown': function () {
if (Key.getCode() == 13) {
validate();
}
}});
stop();
}
and we can narrow it down even more...
var pass = ['y', 's', 'a', 'e', 's', 'a', 't', 'o', 'n'];
pass.reverse()).join('')
You should see what the password is by now, but to explain whats going on here:
The object "pass" is an array, join('') implodes the array into a string and glues it with nothing which gives us "ysaesaton" and reverse() just... yes, reverses it: notaseasy
Level 12
First we need to bypass that User-Agent check, the easiest way to do this is in Firefox. Write about:config in the address bar.
Now search for "useragent" and change the value of "general.useragent.extra.firefox" to "Hack or Die".
Now try to enter level 12 again, and after you are done you can change it back to default by clicking "reset" :)
Okey, we get sent to the website of a hate group and are suppose to crack their site. First thing we check is the admin link, but we need username and password.
The admin folder are protected with htaccess, so we need to get the info from the htpasswd file which htaccess uses.
So how are we suppose to read that file? Well their site uses page including, which we may exploit if the script are not secured enough.
Lets try to include the .htaccess file through the page include script:
http://hackordie.echofish.org/levels/12/hate/index.php?page=admin/.htpasswd
Didn't work, but no need to give up yet. The script can add a string at the end like this:
include($_GET['page'] . '.php');
We can kill that by adding "?" at the end which will tell php that whats behind the question mark are GET values.
http://hackordie.echofish.org/levels/12/hate/index.php?page=admin/.htpasswd?
and the file got included...
admin:$apr1$iOOBL...$JfAc7xtWiPh0Mlj.dNS8Y.
Now we need to crack the password.
It's a md5 (APR) hash and you can crack it with this program: OclHashcat-GUI
Level 13
We see a php error which tells us that the script is trying to include "username.phpp", which is a typo. So now we know that username.php is important. We aslo see a "remember me" checkbox which tells us that this levels are using cookies.
Trying to go directly to the file worked:
http://hackordie.echofish.org/levels/13/
Got nothing from username.php at first, but when the source was viewed I discovered another typo which let me see the source.
<PHP
$username = "admin2";
?>
So now we got the username, lets find the password. As I said before "remember me" functions use cookies, so lets check the cookies.
Write javascript:alert(document.cookie); in the address bar.
This is it:
Hackordie_remember_me = 865b02aab501e77c8ca524c9bc1cf5c4
This is clearly a md5 hash and we can find the value of it by bruteforcing it. The easiest way is to use an online bruteforce tool like http://www.cmd5.org/default.aspx
There you go!
Level 14
We see a keypad and when we type 3 numbers we get sent to ?page=levels&level=14&pw=156 this means there are a combination from 0-999, lets make a bruteforce!
javascript:document.body.innerHTML += ""; var i=0; setInterval(function(){var frame = document.getElementById('if'); frame.contentWindow.document.location = 'http://hackordie.echofish.org?page=levels&level=14&pw='+(i++)},100);void(0);
Write it in the address bar in your browser and you will succeed :)
Level 15
Here we need to manually generate a serial key, so first hit the search button and we get:
5413-09649-4236
7561-15929-8368
And now we need to find out what these have in common. It's easy to see that the middle segment is the sum of the first and last. So lets try 5000-10000-5000.
Nope not valid, lets study more. First segment is odd, middle is odd and last is even in both serials. Then lets try 5001-10001-5000...
There you go, easy!