• Level: Realistic::5 (Damn Telemarketers !)
• URL: http://www.hackthissite.org/missions/realistic/5/
• Difficulty :
• Exercise: Telemarketers are invading people's privacy and peace and quiet. Get the password for the administrative section of the site to delete their database and return the privacy of their victims!

Message: Yo! This is Spiffomatic64 from Hackthissite.org! I'm a bit of a hacker myself as you can see, but I recently came upon a problem I couldn't resolve..... Lately I've been getting calls day and night from the telemarketing place. I've gone to their website and hacked it once deleting all of their phone numbers so they wouldn't call me anymore. That was a temporary fix but they put their database back up, this time with an encrypted password. When I hacked them I noticed everything they used was 10 years out of date and the new password seems to be a 'message digest'. I have done some research and I think it could be something like a so-called hash value. I think you could somehow reverse engineer it or brute force it. I also think it would be a good idea to look around the server for anything that may help you.

• Solution:

News section tells us that: « Google was grabbing links it shouldn't be so I have taken extra precautions. ». We deduce that there is a "robots.txt" file. This file indicates that there is a secret/ directory in which we can see a admin.bak.php file. We find a hash in this file. The exercise also tells us that technology is 10 years out of date. We think of MD4. Using Cain & Abel (tab cracker > MD4), we find the password : 3915c.

Comments