Ninja-Security Challenge

Sometimes I like to solve puzzles. One month ago I discovered a really nice security challenge while browsing the web. For me it was a hard nut to crack and I had to think a lot, but I had fun and I'd like to show you my solution to that little "hacking adventure" 🙂

If you want to solve the challenge yourself, please stop reading here and try it out. If you want to see my solution, feel free to continue reading 😀

My first thought was that those number pairs could be a hint at the ASCII table. I did a short check with the first 4 numbers and got http. It looks like a URL! 🙂

I used a typical web-based ASCII-to-text converter and got this URL from the number pairs: http://dl.dropbox.com/u/10761700/{challenge.zip,challenge.bz2,admin.txt}

I downloaded the following files:

  • challenge.zip – there is one txt file inside, but it's password-protected
  • challenge.bz2 – there is a binary file inside called challenge, without a file extension
  • admin.txt – it looks like a password list

My next idea was that one of the words in admin.txt could be the password for the protected txt file inside the zip archive! I tried a dictionary attack with the wordlist admin.txt against challenge.zip, but it had no success: none of the passwords from admin.txt matched.

For this attack I used a tool called fcrackzip (included in BackTrack 5).

I opened the file challenge with a hex editor, and at the end of the file I found a hint:

You have to look for the Disk-ID on freedb.org

As the freedb.org FAQ explains, freedb is a database for looking up CD information over the Internet. Based on that information I tried the file extensions mp3 and wav. The extension mp3 did not work, but with the extension wav it was possible to play the file: an 11-second sequence of a soundtrack. But who is the artist of that song, and how can I find out the Disc ID?

First I had to check whether the file extension was correct, because it was a coincidence that wav worked. A friend of mine told me about a program called TrID, which scans unknown binary files to identify their file type. I tried it out and it reported the file type AIFF.

I tried different tools to identify the soundtrack, but none of them returned the song! I wouldn't call myself an iPhone freak, but the app Shazam did successfully identify the soundtrack! I'm amazed 🙂

Let's check the database of freedb.org and see what we get!

Disc ID: 1603eb03

The disc ID 1603eb03 was the password for the zip archive, and I could successfully extract the file challenge.txt!

And now let’s see what we have:

OK, this looks like typical hex code. To find out what it is, I used a typical hex-to-text converter tool.

The decoded string is Base64! A typical sign of that is the == at the end of the string. For more information about Base64 or other crypto codes, visit the website cryptool-online.

OK, and now let's decode the Base64 string.
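The two decoding stages above (the decimal ASCII pairs that hid the download URL, and the hex that turned out to wrap Base64 that wrapped script) are the same job an analyst does on obfuscated web content: recognise a layer, strip it, look again. As an added example, not part of the original post, here is a small Python layer-peeler over constructed sample inputs (the challenge's real data is not reproduced; the sample script text and URL are made up).

```python
import base64
import re

# Constructed samples, not the challenge's data: a decimal ASCII list like the
# one that hid the URL, and a hex string built from Base64 of a tiny script,
# mirroring the shape of challenge.txt.
SAMPLE_DECIMAL = "104 116 116 112 58 47 47 101 120 97 109 112 108 101 46 116 101 115 116 47"
SAMPLE_SCRIPT = 'document.write("ok")'
SAMPLE_HEX = base64.b64encode(SAMPLE_SCRIPT.encode()).hex()

_DECIMAL_RE = re.compile(r"^\d{1,3}(\s+\d{1,3})*$")
_HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def _printable(data: bytes) -> bool:
    """True when every byte is printable ASCII or ordinary whitespace."""
    return all(32 <= b < 127 or b in (9, 10, 13) for b in data)


def peel_layer(text: str):
    """Detect one encoding layer and strip it; returns (layer, decoded) or None.
    Order matters: a decimal list is all hex digits once spaces are removed,
    and any hex string is valid Base64, so decimal is tried first, then hex,
    then Base64. Each result must still be printable text to count."""
    s = text.strip()
    if _DECIMAL_RE.match(s):
        codes = [int(t) for t in s.split()]
        if all(32 <= c < 127 or c in (9, 10, 13) for c in codes):
            return "decimal-ascii", bytes(codes).decode("ascii")
    compact = re.sub(r"\s+", "", s)
    if len(compact) % 2 == 0 and _HEX_RE.match(compact):
        raw = bytes.fromhex(compact)
        if _printable(raw):
            return "hex", raw.decode("ascii")
    if len(compact) % 4 == 0 and _B64_RE.match(compact):
        raw = base64.b64decode(compact, validate=True)
        if _printable(raw):
            return "base64", raw.decode("ascii")
    return None


def peel_all(text: str):
    """Strip layers until nothing recognisable remains; returns the steps."""
    steps = []
    while (result := peel_layer(text)) is not None:
        steps.append(result)
        text = result[1]
    return steps
```

A hex string made only of digits and spaces (e.g. "48 65 10") is ambiguous and is resolved as decimal; in that case call the hex path explicitly.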

What the heck is this?
It could be encrypted JavaScript code, but I'm not sure. A quick Google search shows that it is JavaScript and that this technique is often used on malicious websites.

For the further analysis and decryption I used a tool called Revelo. I discovered that tool on a nice security blog, and I ran it in a virtual Windows XP machine.

As we can see, our next destination is http://www.ethical-intrusion.com/index.php

Now we have a login form where we have to enter a valid username/password combination. I started a dictionary attack with the passwords from the file admin.txt. Because of the filename, I used the username admin for all passwords.

First I entered invalid credentials: username bla, password bla.

For this attack I used a browser plugin called Fireforce. It's important to know that Fireforce needs the text string "The username/password combination you have entered is invalid" to successfully identify the correct password.

Password found: m0use456g

With the discovered username/password combination I could enter the website. I could see 2 links, and one of them shows a YouTube video. I clicked play, but I couldn't understand a word because the audio seems to be reversed!

I converted the YouTube video to an mp3 file, and with the software Audacity I could edit the audio file into a clear voice:

Congratulations, you've discovered the website, and now listen carefully: you have to go to directory a98dhkjd.

Going to http://www.ethical-intrusion.com/a98dhkjd shows an htaccess-protected directory.

Now let's go back to the first login page and analyse the links:
News1 is linked with: http://ethical-intrusion.com/index.php?news=news1.html
News2 is linked with: http://ethical-intrusion.com/index.php?news=news2.html

What we can see is that in both links a separate html file is loaded and displayed inside index.php! I don't have much experience with web vulnerabilities, but a technique called local file inclusion exists for links like this to gain access to protected files and directories. It took me more than one try, but it was possible to successfully read the htpasswd file with a valid username and password to solve this challenge!

http://ethical-intrusion.com/index.php?news=a98dhkjd/.htaccess

http://ethical-intrusion.com/index.php?news=a98dhkjd/.htpasswd

Username: pilou
Password: there1s
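The inclusion above works because index.php joins the raw news parameter to a path on disk, so a98dhkjd/.htpasswd is served like news1.html. As an added example, not the challenge site's code, here is a Python stand-in for that include logic: the naive join beside a hardened version that only serves .html files living directly in the news directory. The web root, its pages and the htpasswd line are constructed here (the hash is a placeholder).

```python
import tempfile
from pathlib import Path


def make_demo_root() -> Path:
    """Constructed stand-in for the challenge's web root: two news pages beside
    index.php and a protected directory holding an htpasswd file."""
    root = Path(tempfile.mkdtemp())
    (root / "news1.html").write_text("<h1>news 1</h1>")
    (root / "news2.html").write_text("<h1>news 2</h1>")
    (root / "a98dhkjd").mkdir()
    # Placeholder credential line, not the real file's contents.
    (root / "a98dhkjd" / ".htpasswd").write_text("pilou:PLACEHOLDER_HASH\n")
    return root


def unsafe_include(root: Path, news: str) -> str:
    """Mirrors include($_GET['news']): the parameter is joined to the web root
    as-is, so a98dhkjd/.htpasswd or ../ paths are read like any news page."""
    return (root / news).read_text()


def safe_include(root: Path, news: str) -> str:
    """Hardened include: after resolving symlinks and '..', the target must be
    a regular .html file whose parent is exactly the news directory. An
    explicit allowlist of page names would be simpler still."""
    news_dir = root.resolve()
    candidate = (news_dir / news).resolve()
    if (candidate.parent != news_dir
            or candidate.suffix != ".html"
            or not candidate.is_file()):
        raise PermissionError(f"rejected news parameter: {news!r}")
    return candidate.read_text()


if __name__ == "__main__":
    demo = make_demo_root()
    print(safe_include(demo, "news1.html"))
    for param in ("a98dhkjd/.htpasswd", "../etc/passwd",
                  "news1.html/../a98dhkjd/.htpasswd"):
        try:
            safe_include(demo, param)
        except PermissionError as err:
            print(err)
```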

And now let's check the login credentials!

http://www.ethical-intrusion.com/a98dhkjd

Challenge solved 🙂
