OWASP Hackademic Challenges Project โ€“ Challenge 2

Today’s post is going to go over the second challenge of the OWASP Hackademic Challenges Project.

Below is the scenario:

Your Country needs your help for finding the password of an enemy site that contains useful information, which if is not acquired on time, peace in our area will be at stake.

You must therefore succeed in finding the password of this military SITE.

Good luck!

Solution:

Entering the site – we get the following:

secondpage

Doing a page source we see the following:

secondchallengepagesource

secondchallengepagesource2

We see that the submit button calls the GetPassInfo JavaScript method (second screenshot).

Now we need to analyze what the method returns.

Going to an online JavaScript interpreterย we add the code along with alert statements to print what the “wrong” variable is holding.

onlineinterpreter1

onlineinterpreter2

Going back to the challenge, and entering what is in the dialog box = enter a coin to play – we get the following screenshots:

challengetwopasswords

challengetwocongrats

Looking at the address bar after the index.php – we see a parameter of result that has our password in the address bar.

Lesson learned:

  1. We used the same tactics from the first challenge. When doing this we were able to find that the submit button was calling a GetPassInfo() JavaScript method which allowed us to proceed forward
  2. After obtaining the JavaScript code, we went to an online JavaScript interpreter and entered the code adding alerts so we can see what is stored in the variables
  3. After doing this we were able to obtain the password and enter it in the input box.

The developers thought they were able to trick users by putting the password in a method. They didn’t anticipate for us to find an online JavaScript interpreter to decipher the results.

Once again – looking at the page source reigns again! ๐Ÿ™‚

OWASP Hackademic Challenges Project – Challenge 1

In my last blog post I stated that I was going to start showing my solutions to web app security questions.

My first solution will be from the OWASP Hackademic Challenges Project – Challenge 1.

Below is the scenario:

Our agents (hackers) informed us that there reasonable suspicion that the site of this Logistics Company is a blind for a human organs’ smuggling organisation.

This organisation attracts its victims through advertisments for jobs with very high salaries. They choose those ones who do not have many relatives, they assasinate them and then sell their organs to very rich clients, at very high prices.

These employees are registered in the secret files of the company as “special clients”!

One of our agents has been hired as by the particular company. Unfortunately, since 01/01/2007 he has gone missing.

We know that our agent is alive, but we cannot contact him. Last time he communicated with us, he mentioned that we could contact him at the e-mail address the company has supplied him with, should there a problem arise.

The problem is that when we last talked to him, he had not a company e-mail address yet, but he told us that his e-mail can be found through the company’s site.

The only thing we remember is that he was hired on Friday the 13th!

You have to find his e-mail address and send it to us by using the central communication panel of the company’s site.

Good luck!!!

Solution:

Entering the Logistics Company I am presented with the following:

LogisticsCompany

As you can see we need to find the code and password. Looking at the page really doesn’t give us anything to work with.

Next I look at the page source to look at the code. Maybe there are some goodies here!

pagesource

Well look at what we have here. Looking at the end of the first line we see that the font color is #FFFFFF = white. Inside this white color font it has white and rabbit. Let’s see if this is the code and password.

revealedcodepassword

loginpage

After entering our information we’re logged into the portal of Greek Logistics Company.

secretarea

Looking at the left side we see the send e-mail option. We will use this later as we need to send an email to find our captured friend.

Let’s look at the mailbox special client’s mailbox.

clientsmailbox

We see that there are five clients at Greek Logistics Company. Let’s look at theย frame source on the Special Clients’ Mailbox and see what we get.

secretgif

What do we have here? there’s a secret_area_ directory… Let’s see what’s in this directory.

apachesecret

Going to the secret_area_ directory there’s two files. A mails.gif file and a mails.txt. Our mission is to find the email of our friend so we can email them. That will probably be in the mails.txt file.

mailsgif

Opening the mails.txt file we see a list of email addresses. Re-reading the scenario we know that our friend went MIA on Friday the 13th. Looking at the list of emails one of them jumps out: Jasson Killer Friday13@JasonLives.com. Let’s use this email address and see if can connect with out kidnapped friend.

Going back to the secret area portal, we go to the send e-mail link:

email

Pressing send we get the following:

endofchallenge1

Yay! We were able to complete the challenge and able to contact our kidnapped friend.

Lessons learned:

  1. Even though the code and password were obscured by setting the text to white, this still didn’t stop us from gaining entry to the portal. When you’re unsure on how to proceed, look at the page source. Unfortunately, developers leave a lot of gems that should not be there.
  2. Once we gained entry into the secret portal. We looked at the frame source, and noticed a secret directory. Again, the developers left valuable gems for us to continue
  3. Finally when we went to Apache server we noticed two files. Looking at the scenario we were able to skip the first file as it was just a gif. The second file was what we were after… it had the list of email addresses
  4. Opening this file and re-reading the scenario we were able to find that the email address we wanted was from Jason (Friday the 13th).

Whenever you’re stuck- ALWAYS LOOK AT THE PAGE SOURCE! ๐Ÿ™‚

Updates…

I’ll start this post by being truthful… I honestly forgot about this blog post. At the time I was an application developer looking to transfer into the Information Security field. This was about 5 years ago. So where am I today? I’m currently in the Information Security field as an Application Security Tester working on a DevOps pipeline. As the tagline of this blog states I still want to become a penetration tester.

You, the reader might be wondering – why? I look at penetration testing as a game (I’m a gamer at heart). I have this console, and I know what I need to do (gain r00t), but the process of doing it is left up to the penetration tester.

I still love web application penetration testing – but I would also love to get into mobile penetration testing since EVERYONE has a mobile phone.

So… how do I want to revamp this site? I want to show my skills. I will start with showing my solutions to vulnerable virtual machines. My first would be the OWASP Hackademic Challenge. This challenge happened about 4 years ago, but each challenge illustrates the OWASP Top Ten, and I think this will be a good introduction to show how an application developer is STILL making the transition to a penetration tester. ย ๐Ÿ™‚