Vulnhub - Gameover Vm - Challenge 002

The second challenge was about the S/S Military site Top Secret Area.

Running Nikto told us which HTTP methods we are allowed to use to interact with the site!

root@kali: # nikto -h http://192.168.2.148/Hackademic_Challenges/ch002/
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.2.148
+ Target Hostname:    192.168.2.148
+ Target Port:        80
---------------------------------------------------------------------------
+ Server: Apache/2.2.16 (Debian)
+ Retrieved x-powered-by header: PHP/5.3.3-7+squeeze3
+ The anti-clickjacking X-Frame-Options header is not present.
+ Apache/2.2.16 appears to be outdated (current is at least Apache/2.4.7). Apache 2.0.65 (final release) and 2.2.26 are also current.
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.php
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-12184: /Hackademic_Challenges/ch002/?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /Hackademic_Challenges/ch002/?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /Hackademic_Challenges/ch002/?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /Hackademic_Challenges/ch002/?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.

Running Dirbuster, to find some folders:
root@kali: # dirb http://192.168.2.148/Hackademic_Challenges/ch002/

URL_BASE: http://192.168.2.148/Hackademic_Challenges/ch002/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

---- Scanning URL: http://192.168.2.148/Hackademic_Challenges/ch002/ ----
+ http://192.168.2.148/Hackademic_Challenges/ch002/AT-admin.cgi (CODE:403|SIZE:321)
+ http://192.168.2.148/Hackademic_Challenges/ch002/admin.cgi (CODE:403|SIZE:318)
+ http://192.168.2.148/Hackademic_Challenges/ch002/admin.pl (CODE:403|SIZE:317)
+ http://192.168.2.148/Hackademic_Challenges/ch002/cachemgr.cgi (CODE:403|SIZE:321)
+ http://192.168.2.148/Hackademic_Challenges/ch002/index (CODE:200|SIZE:4884)
+ http://192.168.2.148/Hackademic_Challenges/ch002/index.php (CODE:200|SIZE:4884)

...not much found...

Next, we will be looking at the page source, where we notice an interesting script:
    function GetPassInfo(){
        // The whole expected value is built from single characters of this string.
        var madhouuuuuuuseeee = "givesacountinatoap lary"

        // Many of these variables are assigned more than once; JavaScript keeps
        // the last assignment in source order, the earlier ones are only noise.
        var a = madhouuuuuuuseeee.charAt(0);  var d = madhouuuuuuuseeee.charAt(3);   var r = madhouuuuuuuseeee.charAt(16);
        var b = madhouuuuuuuseeee.charAt(1);  var e = madhouuuuuuuseeee.charAt(4);   var j = madhouuuuuuuseeee.charAt(9);
        var c = madhouuuuuuuseeee.charAt(2);  var f = madhouuuuuuuseeee.charAt(5);   var g = madhouuuuuuuseeee.charAt(4);
        var j = madhouuuuuuuseeee.charAt(9);  var h = madhouuuuuuuseeee.charAt(6);   var l = madhouuuuuuuseeee.charAt(11);
        var g = madhouuuuuuuseeee.charAt(4);  var i = madhouuuuuuuseeee.charAt(7);   var x = madhouuuuuuuseeee.charAt(21);
        var l = madhouuuuuuuseeee.charAt(11); var p = madhouuuuuuuseeee.charAt(4);   var m = madhouuuuuuuseeee.charAt(4);
        var s = madhouuuuuuuseeee.charAt(17); var k = madhouuuuuuuseeee.charAt(10);  var d = madhouuuuuuuseeee.charAt(3);
        var t = madhouuuuuuuseeee.charAt(18); var n = madhouuuuuuuseeee.charAt(12);  var e = madhouuuuuuuseeee.charAt(4);
        var a = madhouuuuuuuseeee.charAt(0);  var o = madhouuuuuuuseeee.charAt(13);  var f = madhouuuuuuuseeee.charAt(5);
        var b = madhouuuuuuuseeee.charAt(1);  var q = madhouuuuuuuseeee.charAt(15);  var h = madhouuuuuuuseeee.charAt(6);
        var c = madhouuuuuuuseeee.charAt(2);  var h = madhouuuuuuuseeee.charAt(6);   var i = madhouuuuuuuseeee.charAt(7);
        var j = madhouuuuuuuseeee.charAt(9);  var i = madhouuuuuuuseeee.charAt(7);   var y = madhouuuuuuuseeee.charAt(22);
        var g = madhouuuuuuuseeee.charAt(4);  var p = madhouuuuuuuseeee.charAt(4);
        var l = madhouuuuuuuseeee.charAt(11); var k = madhouuuuuuuseeee.charAt(10);
        var q = madhouuuuuuuseeee.charAt(19); var n = madhouuuuuuuseeee.charAt(12);
        var m = madhouuuuuuuseeee.charAt(4);  var o = madhouuuuuuuseeee.charAt(13);

        var p = madhouuuuuuuseeee.charAt(4);
        var Wrong = (d+""+j+""+k+""+d+""+x+""+t+""+o+""+t+""+h+""+i+""+l+""+j+""+t+""+k+""+i+""+t+""+s+""+q+""+f+""+y)

        // The comparison happens in the browser, so the expected value is
        // already in the page that was sent to us.
        if (document.forms[0].Password1.value == Wrong)
            location.href="index.php?Result=" + Wrong;
    }


Reading the code, we see that clicking the Submit button calls a function called GetPassInfo, which is our script.
We modify the script a bit to make it easier for us to find the key/password:

    function GetPassInfo(){
        var madhouuuuuuuseeee = "givesacountinatoap lary"

        var a = madhouuuuuuuseeee.charAt(0);  var d = madhouuuuuuuseeee.charAt(3);   var r = madhouuuuuuuseeee.charAt(16);
        var b = madhouuuuuuuseeee.charAt(1);  var e = madhouuuuuuuseeee.charAt(4);   var j = madhouuuuuuuseeee.charAt(9);
        var c = madhouuuuuuuseeee.charAt(2);  var f = madhouuuuuuuseeee.charAt(5);   var g = madhouuuuuuuseeee.charAt(4);
        var j = madhouuuuuuuseeee.charAt(9);  var h = madhouuuuuuuseeee.charAt(6);   var l = madhouuuuuuuseeee.charAt(11);
        var g = madhouuuuuuuseeee.charAt(4);  var i = madhouuuuuuuseeee.charAt(7);   var x = madhouuuuuuuseeee.charAt(21);
        var l = madhouuuuuuuseeee.charAt(11); var p = madhouuuuuuuseeee.charAt(4);   var m = madhouuuuuuuseeee.charAt(4);
        var s = madhouuuuuuuseeee.charAt(17); var k = madhouuuuuuuseeee.charAt(10);  var d = madhouuuuuuuseeee.charAt(3);
        var t = madhouuuuuuuseeee.charAt(18); var n = madhouuuuuuuseeee.charAt(12);  var e = madhouuuuuuuseeee.charAt(4);
        var a = madhouuuuuuuseeee.charAt(0);  var o = madhouuuuuuuseeee.charAt(13);  var f = madhouuuuuuuseeee.charAt(5);
        var b = madhouuuuuuuseeee.charAt(1);  var q = madhouuuuuuuseeee.charAt(15);  var h = madhouuuuuuuseeee.charAt(6);
        var c = madhouuuuuuuseeee.charAt(2);  var h = madhouuuuuuuseeee.charAt(6);   var i = madhouuuuuuuseeee.charAt(7);
        var j = madhouuuuuuuseeee.charAt(9);  var i = madhouuuuuuuseeee.charAt(7);   var y = madhouuuuuuuseeee.charAt(22);
        var g = madhouuuuuuuseeee.charAt(4);  var p = madhouuuuuuuseeee.charAt(4);
        var l = madhouuuuuuuseeee.charAt(11); var k = madhouuuuuuuseeee.charAt(10);
        var q = madhouuuuuuuseeee.charAt(19); var n = madhouuuuuuuseeee.charAt(12);
        var m = madhouuuuuuuseeee.charAt(4);  var o = madhouuuuuuuseeee.charAt(13);

        var p = madhouuuuuuuseeee.charAt(4);
        var Wrong = (d+""+j+""+k+""+d+""+x+""+t+""+o+""+t+""+h+""+i+""+l+""+j+""+t+""+k+""+i+""+t+""+s+""+q+""+f+""+y)
        // Added by us: show the value the form is compared against.
        // alert() and document only exist in a browser, so run this in the
        // browser's JavaScript console rather than in a standalone interpreter.
        alert(Wrong);
        if (document.forms[0].Password1.value == Wrong)
            location.href="index.php?Result=" + Wrong;
    }
    // Added by us: call the function right away instead of waiting for Submit.
    GetPassInfo();


After running the above script in a JavaScript interpreter, the alert box shows us the password.
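The same password can also be recovered without a browser by parsing the script instead of executing it. The following is an added example and not code from the original post; the script text inside PAGE_SCRIPT is the one from the challenge page, while the parsing code and the names analyseScript and recoverPassword are mine. It keeps only the last assignment of each variable, which is the whole trick behind the obfuscation, and evaluates to "enter a coin to play".

```javascript
// Added example: recover the value GetPassInfo() compares against by parsing
// the script statically, without eval() and without a browser. The
// obfuscation relies on (1) every variable holding one character of the key
// string and (2) variables being assigned several times, where only the LAST
// assignment in source order counts.

// The script body as it appears on the challenge page (not constructed).
const PAGE_SCRIPT = `
    function GetPassInfo(){
        var madhouuuuuuuseeee = "givesacountinatoap lary"
    var a = madhouuuuuuuseeee.charAt(0);  var d = madhouuuuuuuseeee.charAt(3);   var r = madhouuuuuuuseeee.charAt(16);
    var b = madhouuuuuuuseeee.charAt(1);  var e = madhouuuuuuuseeee.charAt(4);   var j = madhouuuuuuuseeee.charAt(9);
    var c = madhouuuuuuuseeee.charAt(2);  var f = madhouuuuuuuseeee.charAt(5);   var g = madhouuuuuuuseeee.charAt(4);
    var j = madhouuuuuuuseeee.charAt(9);  var h = madhouuuuuuuseeee.charAt(6);   var l = madhouuuuuuuseeee.charAt(11);
    var g = madhouuuuuuuseeee.charAt(4);  var i = madhouuuuuuuseeee.charAt(7);   var x = madhouuuuuuuseeee.charAt(21);
    var l = madhouuuuuuuseeee.charAt(11); var p = madhouuuuuuuseeee.charAt(4);   var m = madhouuuuuuuseeee.charAt(4);
    var s = madhouuuuuuuseeee.charAt(17); var k = madhouuuuuuuseeee.charAt(10);  var d = madhouuuuuuuseeee.charAt(3);
    var t = madhouuuuuuuseeee.charAt(18); var n = madhouuuuuuuseeee.charAt(12);  var e = madhouuuuuuuseeee.charAt(4);
    var a = madhouuuuuuuseeee.charAt(0);  var o = madhouuuuuuuseeee.charAt(13);  var f = madhouuuuuuuseeee.charAt(5);
    var b = madhouuuuuuuseeee.charAt(1);  var q = madhouuuuuuuseeee.charAt(15);  var h = madhouuuuuuuseeee.charAt(6);
    var c = madhouuuuuuuseeee.charAt(2);  var h = madhouuuuuuuseeee.charAt(6);   var i = madhouuuuuuuseeee.charAt(7);
    var j = madhouuuuuuuseeee.charAt(9);  var i = madhouuuuuuuseeee.charAt(7);   var y = madhouuuuuuuseeee.charAt(22);
    var g = madhouuuuuuuseeee.charAt(4);  var p = madhouuuuuuuseeee.charAt(4);
    var l = madhouuuuuuuseeee.charAt(11); var k = madhouuuuuuuseeee.charAt(10);
    var q = madhouuuuuuuseeee.charAt(19); var n = madhouuuuuuuseeee.charAt(12);
    var m = madhouuuuuuuseeee.charAt(4);  var o = madhouuuuuuuseeee.charAt(13);
    var p = madhouuuuuuuseeee.charAt(4)
    var Wrong = (d+""+j+""+k+""+d+""+x+""+t+""+o+""+t+""+h+""+i+""+l+""+j+""+t+""+k+""+i+""+t+""+s+""+q+""+f+""+y)
    if (document.forms[0].Password1.value == Wrong)
        location.href="index.php?Result=" + Wrong;
    }
`;

// Extract the key string, every charAt() binding and the concatenation order.
function analyseScript(source) {
  const keyMatch = source.match(/var\s+(\w+)\s*=\s*"([^"]*)"/);
  if (!keyMatch) throw new Error("key string literal not found");
  const [, keyName, key] = keyMatch;

  // Walk the assignments in source order; a later one to the same name wins.
  const bindings = new Map();
  const assignRe = new RegExp(
    `var\\s+(\\w+)\\s*=\\s*${keyName}\\.charAt\\((\\d+)\\)`, "g");
  for (const m of source.matchAll(assignRe)) {
    const name = m[1], index = Number(m[2]);
    const prev = bindings.get(name);
    bindings.set(name, { index, char: key.charAt(index),
                         assignments: prev ? prev.assignments + 1 : 1 });
  }

  // `var Wrong = (d+""+j+...)` fixes the output order; drop the "" fillers.
  const exprMatch = source.match(/var\s+Wrong\s*=\s*\(([^)]*)\)/);
  if (!exprMatch) throw new Error("password expression not found");
  const order = exprMatch[1].split("+").map(s => s.trim()).filter(s => s !== '""');
  return { key, bindings, order };
}

// Resolve each name in the concatenation to its final character.
function recoverPassword(source) {
  const { bindings, order } = analyseScript(source);
  return order.map(name => {
    const b = bindings.get(name);
    if (!b) throw new Error(`variable ${name} is never assigned`);
    return b.char;
  }).join("");
}

console.log(JSON.stringify(recoverPassword(PAGE_SCRIPT)));  // "enter a coin to play"
```

The point worth keeping from this: the script never hides anything, it only relies on the reader losing track of which assignment is the last one. Any static walk of the source, or the browser console as used above, gets the same answer.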

If we type that in, we will get a "Congratulations" message at the top of the page!
