Hackthissite/Realistic/Level10

From aldeid

Information

  • Level: Realistic::10 (Holy Word High School)
  • URL: http://www.hackthissite.org/missions/realistic/10/
  • Difficulty :
  • Exercise: You get to do what every hacker has dreamed of, breaking in and changing grades! Help Zach get his grades fixed, and prove you're as "skilled" as he thinks you are.
  • Message: Hey man, it's me Zach, I need a favour from you, I'm in big trouble. If you'll remember, I go to that super uptight religious school. well, two of my teachers are failing me because my lifestyle does not fall in line with their moralistic rules for public behaviour. My gym teacher even called me a 'long-haired hippie faggot'! And if I fail any classes, I won't graduate. Listen, can you hack into the school's grade database and make it so I'm passing all my classes? I know they have this system set up on their website that allows teachers to submit grades and stuff, and I heard you pulled a few things in the past as well. Their web master was not thinking in terms of computer security when he was designing the website, so it might be easy. Or not. Please check it out here. The username to my account is 'Zach Sanchez' and my password is 'liberty638'. Thanks man!

Solution

Information

Here is the navigation graph:

index.php
 |__ listteachers.php (Staff listing)
      |__ teacherinfo.php?id=3 (Staff Information)
 |__ student.php (Student Access System)
      |__ student.php?uusername=Zach Sanchez&ppassword=liberty638&action=viewgrades&course=Computer
 |__ staff.php (Staff Access System)

Find the administrator account

In the welcome page, we find a link for the staff: staff.php. Here is the complete link:

http://www.hackthissite.org/missions/realistic/10/staff.php

In addition, the staff listing gives a list of teachers, and for each one there is a page with additional information (teacherinfo.php?id=3). The admin account is likely to be id=1, so we look for the teacher whose account corresponds to this id. It is Samantha Miller.

We now click on the details to get additional information.

Her account is likely to be smiller since her email address is [email protected].

Connect with administrator privileges

We try to connect as Samantha Miller with login=password=smiller.

There is a message that says:

Welcome, Mrs. Samantha Miller! Please remember that access to the staff administration area is restricted to the district-supplied 'holy_teacher' web browser.

To be able to connect, we have to modify the user-agent of our browser. We can achieve this by using "User Agent Switcher" for Firefox.

Create a new profile and fill in all fields as follows:

Change your user-agent by loading your new profile, then refresh the page. You are now able to access the administration module:

It still claims that we need to be an administrator to access the full functionality. To do so, just change the value of the cookie as follows:

Update grades

Now click on the "Change Grades" button to access the form. The values that we must change are shown in red.

Right-click on the page to view the source code and you will notice that each line is enclosed in a form that we cannot submit, since the submission buttons are commented out. However, we can directly call the URL (the form's action parameter) and manually add the "grade" parameter to the URL:

Do it for Bible Study (2 semesters) and Gym (Second semester) and you're done!
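
Why the last three steps work, and what a fix looks like, as an added example (not part of the original walkthrough and not the site's code): the first function trusts the User-Agent header and a role cookie, both set by the client, while the second decides from server-side session state and is re-checked inside the grade handler. The cookie names and values, the "principal" account and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SECRET = secrets.token_bytes(32)   # signing key, kept on the server
# Constructed account table: the role is stored server-side, not in the browser.
ACCOUNTS = {"smiller": "teacher", "principal": "admin"}
SESSIONS = {}                      # session id -> username, server-side state

def weak_can_change_grades(headers, cookies):
    """Pattern the walkthrough relies on: both inputs come from the client."""
    return (headers.get("User-Agent") == "holy_teacher"
            and cookies.get("admin") == "1")  # hypothetical cookie name/value

def _sign(sid):
    return hmac.new(SECRET, sid.encode(), hashlib.sha256).hexdigest()

def login(username):
    """Called only after the password check; returns the session cookie value."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = username
    return f"{sid}.{_sign(sid)}"

def hardened_can_change_grades(headers, cookies):
    """Decide from server-side state; User-Agent is not a credential."""
    sid, _, tag = cookies.get("session", "").partition(".")
    if not hmac.compare_digest(tag.encode(), _sign(sid).encode()):
        return False
    return ACCOUNTS.get(SESSIONS.get(sid)) == "admin"

def change_grade(headers, cookies, grades, key, value):
    """Handler re-checks authorization; a hidden button is not a control."""
    if not hardened_can_change_grades(headers, cookies):
        return False
    grades[key] = value
    return True
```

A request carrying only the expected User-Agent and a role cookie passes the first check and fails the second, and a logged-in teacher session is still refused by `change_grade`.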
