OWASP Hackademic Challenges Project – Challenge 1

In my last blog post I stated that I was going to start showing my solutions to web app security questions.

My first solution will be from the OWASP Hackademic Challenges Project – Challenge 1.

Below is the scenario:

Our agents (hackers) informed us that there reasonable suspicion that the site of this Logistics Company is a blind for a human organs’ smuggling organisation.

This organisation attracts its victims through advertisments for jobs with very high salaries. They choose those ones who do not have many relatives, they assasinate them and then sell their organs to very rich clients, at very high prices.

These employees are registered in the secret files of the company as “special clients”!

One of our agents has been hired as by the particular company. Unfortunately, since 01/01/2007 he has gone missing.

We know that our agent is alive, but we cannot contact him. Last time he communicated with us, he mentioned that we could contact him at the e-mail address the company has supplied him with, should there a problem arise.

The problem is that when we last talked to him, he had not a company e-mail address yet, but he told us that his e-mail can be found through the company’s site.

The only thing we remember is that he was hired on Friday the 13th!

You have to find his e-mail address and send it to us by using the central communication panel of the company’s site.

Good luck!!!

Solution:

Entering the Logistics Company I am presented with the following:

LogisticsCompany

As you can see we need to find the code and password. Looking at the page really doesn’t give us anything to work with.

Next I look at the page source to look at the code. Maybe there are some goodies here!

pagesource

Well look at what we have here. Looking at the end of the first line we see that the font color is #FFFFFF = white. Inside this white color font it has white and rabbit. Let’s see if this is the code and password.

revealedcodepassword

loginpage

After entering our information we’re logged into the portal of Greek Logistics Company.

secretarea

Looking at the left side we see the send e-mail option. We will use this later as we need to send an email to find our captured friend.

Let’s look at the mailbox special client’s mailbox.

clientsmailbox

We see that there are five clients at Greek Logistics Company. Let’s look at the frame source on the Special Clients’ Mailbox and see what we get.

secretgif

What do we have here? there’s a secret_area_ directory… Let’s see what’s in this directory.

apachesecret

Going to the secret_area_ directory there’s two files. A mails.gif file and a mails.txt. Our mission is to find the email of our friend so we can email them. That will probably be in the mails.txt file.

mailsgif

Opening the mails.txt file we see a list of email addresses. Re-reading the scenario we know that our friend went MIA on Friday the 13th. Looking at the list of emails one of them jumps out: Jasson Killer Friday13@JasonLives.com. Let’s use this email address and see if can connect with out kidnapped friend.

Going back to the secret area portal, we go to the send e-mail link:

email

Pressing send we get the following:

endofchallenge1

Yay! We were able to complete the challenge and able to contact our kidnapped friend.

Lessons learned:

  1. Even though the code and password were obscured by setting the text to white, this still didn’t stop us from gaining entry to the portal. When you’re unsure on how to proceed, look at the page source. Unfortunately, developers leave a lot of gems that should not be there.
  2. Once we gained entry into the secret portal. We looked at the frame source, and noticed a secret directory. Again, the developers left valuable gems for us to continue
  3. Finally when we went to Apache server we noticed two files. Looking at the scenario we were able to skip the first file as it was just a gif. The second file was what we were after… it had the list of email addresses
  4. Opening this file and re-reading the scenario we were able to find that the email address we wanted was from Jason (Friday the 13th).

Whenever you’re stuck- ALWAYS LOOK AT THE PAGE SOURCE! 🙂

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s