The second challenge was about the S/S Military site Top Secret Area.
Running Nikto told us which HTTP methods we are allowed to use to interact with the site:
root@kali: # nikto -h http://192.168.2.148/Hackademic_Challenges/ch002/
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.2.148
+ Target Hostname: 192.168.2.148
+ Target Port: 80
---------------------------------------------------------------------------
+ Server: Apache/2.2.16 (Debian)
+ Retrieved x-powered-by header: PHP/5.3.3-7+squeeze3
+ The anti-clickjacking X-Frame-Options header is not present.
+ Apache/2.2.16 appears to be outdated (current is at least Apache/2.4.7). Apache 2.0.65 (final release) and 2.2.26 are also current.
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.php
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-12184: /Hackademic_Challenges/ch002/?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /Hackademic_Challenges/ch002/?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /Hackademic_Challenges/ch002/?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /Hackademic_Challenges/ch002/?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
Running Dirbuster (the dirb command) to look for hidden folders:
root@kali: # dirb http://192.168.2.148/Hackademic_Challenges/ch002/
URL_BASE: http://192.168.2.148/Hackademic_Challenges/ch002/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
---- Scanning URL: http://192.168.2.148/Hackademic_Challenges/ch002/ ----
+ http://192.168.2.148/Hackademic_Challenges/ch002/AT-admin.cgi (CODE:403|SIZE:321)
+ http://192.168.2.148/Hackademic_Challenges/ch002/admin.cgi (CODE:403|SIZE:318)
+ http://192.168.2.148/Hackademic_Challenges/ch002/admin.pl (CODE:403|SIZE:317)
+ http://192.168.2.148/Hackademic_Challenges/ch002/cachemgr.cgi (CODE:403|SIZE:321)
+ http://192.168.2.148/Hackademic_Challenges/ch002/index (CODE:200|SIZE:4884)
+ http://192.168.2.148/Hackademic_Challenges/ch002/index.php (CODE:200|SIZE:4884)
...not much found...
Next, we will be looking at the page source, where we notice an interesting script:
function GetPassInfo(){
var madhouuuuuuuseeee = "givesacountinatoap lary"
var a = madhouuuuuuuseeee.charAt(0); var d = madhouuuuuuuseeee.charAt(3); var r = madhouuuuuuuseeee.charAt(16);
var b = madhouuuuuuuseeee.charAt(1); var e = madhouuuuuuuseeee.charAt(4); var j = madhouuuuuuuseeee.charAt(9);
var c = madhouuuuuuuseeee.charAt(2); var f = madhouuuuuuuseeee.charAt(5); var g = madhouuuuuuuseeee.charAt(4);
var j = madhouuuuuuuseeee.charAt(9); var h = madhouuuuuuuseeee.charAt(6); var l = madhouuuuuuuseeee.charAt(11);
var g = madhouuuuuuuseeee.charAt(4); var i = madhouuuuuuuseeee.charAt(7); var x = madhouuuuuuuseeee.charAt(21);
var l = madhouuuuuuuseeee.charAt(11); var p = madhouuuuuuuseeee.charAt(4); var m = madhouuuuuuuseeee.charAt(4);
var s = madhouuuuuuuseeee.charAt(17); var k = madhouuuuuuuseeee.charAt(10); var d = madhouuuuuuuseeee.charAt(3);
var t = madhouuuuuuuseeee.charAt(18); var n = madhouuuuuuuseeee.charAt(12); var e = madhouuuuuuuseeee.charAt(4);
var a = madhouuuuuuuseeee.charAt(0); var o = madhouuuuuuuseeee.charAt(13); var f = madhouuuuuuuseeee.charAt(5);
var b = madhouuuuuuuseeee.charAt(1); var q = madhouuuuuuuseeee.charAt(15); var h = madhouuuuuuuseeee.charAt(6);
var c = madhouuuuuuuseeee.charAt(2); var h = madhouuuuuuuseeee.charAt(6); var i = madhouuuuuuuseeee.charAt(7);
var j = madhouuuuuuuseeee.charAt(9); var i = madhouuuuuuuseeee.charAt(7); var y = madhouuuuuuuseeee.charAt(22);
var g = madhouuuuuuuseeee.charAt(4); var p = madhouuuuuuuseeee.charAt(4);
var l = madhouuuuuuuseeee.charAt(11); var k = madhouuuuuuuseeee.charAt(10);
var q = madhouuuuuuuseeee.charAt(19); var n = madhouuuuuuuseeee.charAt(12);
var m = madhouuuuuuuseeee.charAt(4); var o = madhouuuuuuuseeee.charAt(13);
var p = madhouuuuuuuseeee.charAt(4)
var Wrong = (d+""+j+""+k+""+d+""+x+""+t+""+o+""+t+""+h+""+i+""+l+""+j+""+t+""+k+""+i+""+t+""+s+""+q+""+f+""+y)
if (document.forms[0].Password1.value == Wrong)
location.href="index.php?Result=" + Wrong;
}
Reading the code, we see that clicking the Submit button calls a function named GetPassInfo, which is our script.
We modify the script a bit to make it easier for us to find the key/password:
function GetPassInfo(){
var madhouuuuuuuseeee = "givesacountinatoap lary"
var a = madhouuuuuuuseeee.charAt(0); var d = madhouuuuuuuseeee.charAt(3); var r = madhouuuuuuuseeee.charAt(16);
var b = madhouuuuuuuseeee.charAt(1); var e = madhouuuuuuuseeee.charAt(4); var j = madhouuuuuuuseeee.charAt(9);
var c = madhouuuuuuuseeee.charAt(2); var f = madhouuuuuuuseeee.charAt(5); var g = madhouuuuuuuseeee.charAt(4);
var j = madhouuuuuuuseeee.charAt(9); var h = madhouuuuuuuseeee.charAt(6); var l = madhouuuuuuuseeee.charAt(11);
var g = madhouuuuuuuseeee.charAt(4); var i = madhouuuuuuuseeee.charAt(7); var x = madhouuuuuuuseeee.charAt(21);
var l = madhouuuuuuuseeee.charAt(11); var p = madhouuuuuuuseeee.charAt(4); var m = madhouuuuuuuseeee.charAt(4);
var s = madhouuuuuuuseeee.charAt(17); var k = madhouuuuuuuseeee.charAt(10); var d = madhouuuuuuuseeee.charAt(3);
var t = madhouuuuuuuseeee.charAt(18); var n = madhouuuuuuuseeee.charAt(12); var e = madhouuuuuuuseeee.charAt(4);
var a = madhouuuuuuuseeee.charAt(0); var o = madhouuuuuuuseeee.charAt(13); var f = madhouuuuuuuseeee.charAt(5);
var b = madhouuuuuuuseeee.charAt(1); var q = madhouuuuuuuseeee.charAt(15); var h = madhouuuuuuuseeee.charAt(6);
var c = madhouuuuuuuseeee.charAt(2); var h = madhouuuuuuuseeee.charAt(6); var i = madhouuuuuuuseeee.charAt(7);
var j = madhouuuuuuuseeee.charAt(9); var i = madhouuuuuuuseeee.charAt(7); var y = madhouuuuuuuseeee.charAt(22);
var g = madhouuuuuuuseeee.charAt(4); var p = madhouuuuuuuseeee.charAt(4);
var l = madhouuuuuuuseeee.charAt(11); var k = madhouuuuuuuseeee.charAt(10);
var q = madhouuuuuuuseeee.charAt(19); var n = madhouuuuuuuseeee.charAt(12);
var m = madhouuuuuuuseeee.charAt(4); var o = madhouuuuuuuseeee.charAt(13);
var p = madhouuuuuuuseeee.charAt(4)
var Wrong = (d+""+j+""+k+""+d+""+x+""+t+""+o+""+t+""+h+""+i+""+l+""+j+""+t+""+k+""+i+""+t+""+s+""+q+""+f+""+y)
alert(Wrong);
if (document.forms[0].Password1.value == Wrong)
location.href="index.php?Result=" + Wrong;
}
GetPassInfo();
After running the script above in a JavaScript interpreter, we get:
If we type that in, we will get a "Congratulations" message at the top of the page!