Web Authentication Challenge Walkthrough
Aug 8, 2003
Johnny Long
I encourage you to try the challenge yourself, then refer to this document for
hints or spoilers. It’s more fun when you do it yourself. =)
j0hnny
http://johnny.ihackstuff.com
Johnny@ihackstuff.com
http://www.hulla-balloo.com/hack/level1/
“This level is only intended to weed out the total idiots. Enter the password and
you can advance to level 2.”
Security considerations: Always read the source code. The visual representation of the
page is not what is important from a security standpoint. Comments, especially, can be
very telling.
http://www.hulla-balloo.com/hack/level2/index.php
“Network Security Sam set up a password protection script. He made it load the
real password from an unencrypted text file and compare it to the password the
user enters. However, he neglected to upload the password file...”
Hint:
Confucius say “Always test knob before declaring door locked.” (Or was that
Yoda?)
Spoiler:
However, if a blank password is entered, you are whisked right through to level 3:
Security Considerations: Sometimes authentication works, and sometimes it
doesn’t. Don’t always assume a password field works. Never trust that
authentication works properly. Sometimes it’s just plain broken.
http://www.hulla-balloo.com/hack/level3/index.php
“This time Network Security Sam remembered to upload the password file, but
there were deeper problems than that.”
Hint:
“Learn from past mistakes. Especially Sam’s.”
More hints:
Sam used the same naming conventions for this level as he did for the last level.
The password file is still named ‘password.txt’ but has been moved to the
‘/hack/level4’ directory. Unfortunately, the password file can be viewed
directly:
Figure 1: http://www.hulla-balloo.com/hack/level4/password.txt
Security Considerations:
This example is not entirely based on reality. However, certain concepts are
interesting.
• error messages are always revealing, even when they seem out of context
• humans are creatures of habit
• look for trends across a site, and capitalize on them
http://www.hulla-balloo.com/hack/level4/index.php
“This time Sam hardcoded the password into the script. However, the password
is long and complex, and Sam is often forgetful. So he wrote a script that would
email his password to him automatically in case he forgot.”
Hint:
You have two options here. You could hack into hulla-balloo.com and steal
Sam’s email, or not send that email to hulla-balloo at all...
Spoiler:
Save the web page to your local machine and change this:
load the local file in your browser and click “Send password to Sam.” The email will be
sent to you. The password is 'rainbow'.
http://www.hulla-balloo.com/hack/level5/index.php
“Sam has gotten wise to all the people who wrote their own forms to get the
password. Rather than actually learn the password, he decided to make his email
program a little more secure.”
Spoiler:
Save the web page to your local machine and change this:
load the local file in your browser and click “Send password to Sam.”
The password never arrives in your mailbox! Let’s investigate why...
to this:
1. Run netcat to simulate a web server running on your local machine (localhost).
Use the command line “nc -L -p80 -v”.
2. Click the “Send” button on your local page.
3. Netcat will show what would be sent to the hulla-balloo server when you click the
“Send” button. Netcat will show something like this:
Now, copy the lines that netcat showed were sent to the web server. The request
ends with the form body, which here is:
to=johnny@ihackstuff.com
The lines following this are what the server sent in response:
HTTP/1.1 200 OK
Date: Thu, 24 Jul 2003 19:39:12 GMT
Server: Apache/1.3.20 Sun Cobalt (Unix) Chili!Soft-ASP/3.6.2 mod_ssl/2.8.4 OpenSSL/0.9.6b PHP/4.1.2 mod_auth_pam_external/0.1 FrontPage/4.0.4.3 mod_perl/1.25
X-Powered-By: PHP/4.1.2
Keep-Alive: timeout=15
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html
20
Invalid referring URL. Nice try!
0
The server didn’t like what we had to say! We need to send a valid “Referer” value.
Next, modify what was sent to the server. Insert this line into the header:
Referer: http://www.hulla-balloo.com/hack/level5/index.php
to=johnny@ihackstuff.com
Fire up netcat with “nc www.hulla-balloo.com 80” and paste in the above text. You
may need to press enter a few times after pasting the text. It should look like this:
The password will be sent to the email address entered. The password is 'smokehouse'.
Security Considerations: Never use a Referer value as a sole security measure. It can
be spoofed, even when used in combination with other methods.
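To make the lesson concrete, here is an added example (not code from the walkthrough or from hulla-balloo.com) contrasting the level 5 style Referer check with a per-session anti-forgery token. SECRET, the session id and the form contents are constructed for the example.

```python
import hmac
import hashlib

# Constructed values for this example; a real deployment would generate SECRET at install time.
SECRET = b"constructed-server-secret"
ALLOWED_REFERER = "http://www.hulla-balloo.com/hack/level5/index.php"


def referer_check(headers):
    """Level-5 style check: trusts a header the client composes itself."""
    return headers.get("Referer", "") == ALLOWED_REFERER


def issue_token(session_id):
    """Per-session anti-forgery token; only the server holds SECRET, so only a
    form the server rendered into that session can carry a valid token."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def token_check(session_id, form):
    """Constant-time comparison so timing does not leak the expected token."""
    submitted = form.get("token", "").encode()
    return hmac.compare_digest(submitted, issue_token(session_id).encode())


def handle_send_password(session_id, headers, form):
    """Hardened handler: the Referer is at most logged; the token decides."""
    if not token_check(session_id, form):
        return "Invalid request token."
    return "Password sent to " + form.get("to", "")


if __name__ == "__main__":
    session = "sess-0001"  # constructed session identifier
    # A request built from a saved copy of the page: Referer pasted in, no token.
    forged = ({"Referer": ALLOWED_REFERER}, {"to": "someone@example.invalid"})
    # A request from the form the server actually rendered into this session.
    genuine = ({}, {"to": "sam@example.invalid", "token": issue_token(session)})
    print(referer_check(forged[0]))                 # True: the header proves nothing
    print(handle_send_password(session, *forged))   # Invalid request token.
    print(handle_send_password(session, *genuine))  # Password sent to sam@example.invalid
```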
http://www.hulla-balloo.com/hack/level6/index.php
“Network Security Sam has encrypted his password. The encryption system is publicly
available and can be accessed with this form: Please enter a string to have it
encrypted.”
Spoiler:
The provided form gives you a place to test the encoding scheme.
Encrypting “aaaaaaaa” gives you “abcefghi”.
So, if we add 0 (zero, position minus one) to the ASCII decimal value of the first
character (a=97) in the plaintext, we get the same value:
97 + 0 = 97(a)
likewise, adding 1 (one) to the ASCII decimal value of the second character (98), we get
99:
98 + 1 = 99(b)
So, if we subtract 0 (zero, position one minus one) from the ASCII decimal value (102)
of the first character (f) in the encoded text, we get 102 (ASCII ‘f’):
102 - 0 = 102
likewise, subtracting 1 (one, position 2 minus one) from the ASCII decimal value (102)
of the second character (f) in the encoded text, we get 101 (ASCII ‘e’):
102 - 1 = 101
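The following is an added example, not code from the walkthrough, implementing the per-position rule derived above (first character +0, second +1, and so on) together with its inverse, and showing why a single known-plaintext probe of the public form exposes the whole scheme. The sample strings are constructed.

```python
def encode(plaintext):
    """Level-6 rule as the walkthrough derives it: each character's ASCII value is
    increased by (position - 1), so the first character is unchanged, the second
    is shifted by one, the third by two, and so on. No key is involved. For long
    inputs the shift can leave printable ASCII; that is the scheme's own behaviour."""
    return "".join(chr(ord(c) + i) for i, c in enumerate(plaintext))


def decode(ciphertext):
    """The inverse: subtract (position - 1) from each character. Because the
    scheme is keyless, anyone who knows the rule reverses it directly."""
    return "".join(chr(ord(c) - i) for i, c in enumerate(ciphertext))


def recover_offsets(known_plain, known_cipher):
    """Known-plaintext check: the per-position differences expose the rule from
    one probe of the 'encryption' form (the walkthrough used "aaaaaaaa")."""
    return [ord(c) - ord(p) for p, c in zip(known_plain, known_cipher)]


if __name__ == "__main__":
    probe = "aaaaaaaa"
    print(encode(probe))                          # abcdefgh
    print(recover_offsets(probe, encode(probe)))  # [0, 1, 2, 3, 4, 5, 6, 7]
    # Constructed ciphertext starting "ff": the page's subtraction gives "fe".
    print(decode("ff"))                           # fe
    print(decode(encode("example")))              # example
```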
http://www.hulla-balloo.com/hack/level8/index.php
“Sam remains confident that an obscured password file is still the best idea, but he
screwed up with the calendar program. Sam has saved the unencrypted password file
in /home/sites/site18/web/hack/level8/.
However, Sam's young daughter, Stephanie, has just learned to program in PHP. She's
talented for her age, but she knows nothing about security. She recently learned about
saving files, and she wrote a script to demonstrate her ability. Enter your name: ”
Hint: Don’t take the bait. Some challenges may feel like they should go a certain way,
but they won’t. Make the attempt, but if there’s no sign of budging, move on.
More hints:
There are two screens to focus on. First, the php output:
“A Web file with the suffix of ".shtml" (rather than the usual ".htm") indicates a file
that includes some information that will be added "on the fly" by the server before
it is sent to you. A typical use is to include a "Last modified" date at the bottom of
the page.
“A server-side include is a variable value (for example, a file "Last modified" date)
that a server can include in an HTML file before it sends it to the requestor. If
you're creating a Web page, you can insert an include statement in the HTML file
that looks like this:
<!--#echo var="LAST_MODIFIED"-->
and the server will obtain the last-modified date for the file and insert it before the
HTML file is sent to requestors.”
Normally, there is no easy way to ‘inject’ SSI includes into a web server. However, we
can assume for a moment that Stephanie’s script may provide one way of doing this.
Enter <!--#echo var="LAST_MODIFIED"--> as a name in Stephanie’s script. The
following message is produced:
“If you are trying to use server side includes to solve the challenge, you are on
the right track: but I have limited the commands allowed to ones relevant towards
finding the password file for security reasons(because there will always be that
one person who decides to execute some rather nasty commands). So please
manipulate your code so that it is a little more pertaining to the level.”
This is not a “standard” message. Instead, the author of the web page has “dumbed
down” the use of SSI’s for practical reasons, most specifically the protection of his web
server ;-). It is encouraging that SSI’s are ‘on the right track.’ A great document on SSI’s
exists here: http://hoohoo.ncsa.uiuc.edu/docs/tutorials/includes.html. Reading this
document, we discover that one powerful SSI include statement looks something like
this:
This example executes a shell command, specifically “pwd” or “print working directory.”
This command also produces the ‘on the right track’ message.
Remembering that we are supposed to be looking for a “Secret” file, we can turn our
focus to the ‘ls’ command:
This command, when entered as the name produces something like this:
Figure 6: <!--#exec cmd="ls" -->
Remember, though, that the password file is not in the tmp/ directory, but rather another
level up. The most obvious way to get there is with something like this:
Security Considerations: Never allow unchecked user input into dynamic html.
http://www.hulla-balloo.com/hack/level9/index.php
“Network Security Sam is going down with the ship - he's determined to keep
obscuring the password file, no matter how many times people manage to
recover it. This time the file is saved in /home/sites/site18/web/hack/level9/.
In the last level, however, in my attempt to limit people to using server side
includes to display the directory listing to level 8 only, I have mistakenly screwed
up somewhere.. there is a way to get the obscured level 9 password. See if you
can figure out how...
This level seems a lot trickier than it actually is, and it helps to have an
understanding of how the script validates the user's input. The script finds the
first occurrence of '<--', and looks to see what follows directly after it. If it matches
"#exec cmd="ls"-->", "#exec cmd="ls /home/sites/site18/web/hack/level8/"-->" or
"#exec cmd="ls /home/sites/site18/web/hack/level8"-->", it accepts it. If it does
not match any of the situations above, then it kicks the user out.”
Hint: Lay out what, exactly, worked for the previous level. These are the keys to this
level. Provide the key to allow access to better, more relevant commands.
<!--#exec cmd="ls"-->
<!--#exec cmd="ls /home/sites/site18/web/hack/level8/"-->
<!--#exec cmd="ls /home/sites/site18/web/hack/level8"-->
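As an added example (not code from the walkthrough or from the challenge site), the validator described for level 9 is reconstructed alongside the fix level 8's security note calls for: escaping user input before it is written into dynamic HTML, so the SSI-enabled server never sees a directive. The checker's handling of a name with no '<!--' at all is an assumption, as is the sample input.

```python
import html
import re

# The three directives the level-9 text says the checker accepts after the first "<!--".
ALLOWED_AFTER_OPEN = (
    '#exec cmd="ls"-->',
    '#exec cmd="ls /home/sites/site18/web/hack/level8/"-->',
    '#exec cmd="ls /home/sites/site18/web/hack/level8"-->',
)
SSI_DIRECTIVE = re.compile(r"<!--\s*#\w+")


def level9_style_check(name):
    """Reconstruction of the validator as described: locate the first '<!--' and
    accept if an allowed directive follows it. Assumption: input with no '<!--'
    is an ordinary name and is accepted. Text after the first directive is never
    examined, which is the gap the level-9 hint points at."""
    idx = name.find("<!--")
    if idx == -1:
        return True
    rest = name[idx + len("<!--"):]
    return any(rest.startswith(allowed) for allowed in ALLOWED_AFTER_OPEN)


def count_directives(text):
    """What the SSI-enabled server would actually parse: every directive, not just the first."""
    return len(SSI_DIRECTIVE.findall(text))


def render_name(name):
    """Hardened version of 'write the name into an .shtml page': escape the markup
    characters, so no '<!--' survives and the server parses no directive at all."""
    return "<p>Hello, %s!</p>" % html.escape(name, quote=True)


if __name__ == "__main__":
    # Constructed input: an allowed directive followed by a second one.
    stacked = '<!--#exec cmd="ls"--><!--#echo var="LAST_MODIFIED"-->'
    print(level9_style_check(stacked), count_directives(stacked))  # True 2
    print(count_directives(render_name(stacked)))                  # 0
    print(render_name("Stephanie"))                                # <p>Hello, Stephanie!</p>
```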
At first, it seemed logical to use Unicode here. The logic goes something like this: if we
can slip some characters past the detector, perhaps we can get the detector to not
notice us. (A good reference for Unicode use on the web is here:
http://www.pemberley.com/janeinfo/latin1.html)
The “<” above is Unicode for the less-than symbol. When processed by the web
server, this command looks like this:
Although the Unicode slipped past the detector, the shtml does not execute the
command as expected. Dead end. On to another idea: command stacking. Perhaps
more than one command can be stacked one on top of another. Some simple
examples:
Notice that in each example the detector would allow the first command in each “stack.”
Both of these commands, when entered into the “Enter your name” field in level 8
produce the following result:
“Network Security Sam has decided to hardcode the password into the script. He also
started to use cookies to detect if the user is authorized to advance to the next level.
When you enter the correct password, it sets you to authorized, and if you enter an
incorrect password, it sets you to unauthorized.”
Spoiler:
Dropping in the password from the last level and sniffing the traffic, we discover that the
site is setting a cookie:
Using the techniques described earlier, this HTTP POST can be sent to the server:
password=childhood
Sadly, the challenge starts to fall apart right around level 11. Levels 11 and 12 are really
the same as level 10.
Spoiler:
Change the appropriate URLs, and try again. Simply paste in the POST to netcat like
so:
password=spiral
http://www.hulla-balloo.com/hack/level8/level8.php?fs=/hack/level8/index.php?
password=CENSORED
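The levels above rest on a cookie whose value the client itself sets. As an added example (not code from the walkthrough or from the challenge site), here is that naive cookie beside a MAC-protected one; keeping the authorization state server-side in a session avoids the problem entirely, but the signed form keeps the page's cookie layout. SECRET and the cookie name are constructed.

```python
import hmac
import hashlib

# Constructed server-side secret; never sent to the client.
SECRET = b"constructed-cookie-signing-secret"
COOKIE = "level11_authorized"


def naive_set_cookie(authorized):
    """Level-10 style: the authorization decision lives in the client's cookie jar."""
    return "%s=%s" % (COOKIE, "yes" if authorized else "no")


def naive_is_authorized(cookie_header):
    """Whatever the client sends back is believed, edits included."""
    return cookie_header.strip() == COOKIE + "=yes"


def _mac(value):
    return hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()


def signed_set_cookie(authorized):
    """Value plus a MAC over it; the client can read it but cannot recompute it."""
    value = "yes" if authorized else "no"
    return "%s=%s.%s" % (COOKIE, value, _mac(value))


def signed_is_authorized(cookie_header):
    """Accept only a well-formed cookie whose MAC matches and whose value is 'yes'."""
    try:
        name, payload = cookie_header.strip().split("=", 1)
        value, mac = payload.rsplit(".", 1)
    except ValueError:
        return False
    if name != COOKIE or not hmac.compare_digest(mac.encode(), _mac(value).encode()):
        return False
    return value == "yes"


if __name__ == "__main__":
    edited = naive_set_cookie(False).replace("=no", "=yes")   # client flips the flag
    print(naive_is_authorized(edited))                         # True: the flip is believed
    tampered = signed_set_cookie(False).replace("=no.", "=yes.")
    print(signed_is_authorized(tampered))                      # False: MAC no longer matches
    print(signed_is_authorized(signed_set_cookie(True)))       # True
```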
Final Notes:
There are easier ways to skin a cat! Thanks to Wolfman <Wolfman@deny.de> over at
http://wolfman.deny.de, there is HAS (Hephaestus's Ashen Spear). According to
Wolfman:
HAS really simplifies the process of going through this challenge. Here are Wolfman’s
comments on completing the challenge using HAS instead of Netcat:
Level 4
CGI params
to=wolfman@deny.de
Comment
Password script will allow GET as well as POST.
Submit button's value is not used/checked in the script, so it can be omitted.
Level 5
CGI params
to=wolfman@deny.de
Getting "Invalid referer"
Go to Connection options
Custom referer = http://www.hulla-balloo.com/hack/level5/index.php
Comment
A bit less hassle than using NetCat.
Once again the server will allow both GET and POST.
Level 10
CGI with full path
http://www.hulla-balloo.com/hack/level11/index.php
CGI params
password=childhood
Comment
Sniffer is the natural choice, but when it's just a cookie, HAS can be used
to see it.
Connection options, check "Show headers /Debug"; this will make another tab
visible that will show all headers sent to and from the server.
Here you can find Set-Cookie: level11_authorized=no
Under Connection options you can also set your own cookies.
Custom cookie = level11_authorized=yes
To read the server answer more easily, hit the Render HTM view button on the left side of
the server reply.