Information

• Level: Realistic::14 (Yuppers Internet Solutions)
• URL: http://www.hackthissite.org/missions/realistic/14/
• Difficulty :
• Exercise: An internet start-up is rumoured to be selling user data and usage habits to advertisers while they claim the opposite. Hack in and get some proof.
• Message: You've probably heard of Yuppers Internet Solutions before. They started in 1997 and are now one of the top websites on the net. I was an intern at Yuppers for a time, but quit when I learned that the admins were selling user data and usage habits to advertisers while saying the opposite. Unfortunately, I couldn't get out of the building with any proof and don't have any high-level access. I do know, however, that much of the coding on their site was done by amateurs and is probably insecure. Can you hack in and get some proof?

Solution

Step 1: Find an admin account

Find pages

To find an acess, we try many injections in the form fields (GET method is easier). We can see that the news reader (news.cgi) accepts one parameter named "story". By injecting a dot and null byte (.%00), we can see this:

Once ordered, here is the information we get:

Text files 1.news 2.news 3.news 4.news news.txt people.txt robots.txt

Web pages about.html index.html index.php login.html

Cgi scripts adserver.cgi index.cgi moderator.cgi news.cgi people.cgi search.cgi

Htaccess .htaccess .htaccess.bak

Javascripts ad.js head.js

Directories ad_pool/ classes/ errors/ finance/ include/ mail/ partners/ yweb/

Images blank.gif blank.png finance-active.png finance.png login.png logo.ico mail-active.png mail.png news-active.png news.png people.png search-active.png search-button.png search.png signup.png tile.png yweb-active.png yweb.png

In addition, source code shows additional information:

• administrator.cgi
• blank-active.png
• index.txt
• logo.png
• people.html
• people-active.png
• strict.pm
• webpermit/

Read source code of Perl scripts

We are going to use the discovered vulnerability in the news reader (news.cgi?story=) to read moderator.cgi.

Point to http://www.hackthissite.org/missions/realistic/14/news.cgi?story=moderator.cgi%00. You should see this:

By scrolling down, we see this test:

If the function "isadmin" is not protected, the string "isadmin" should enable to grant an admin access.

Go to that page:

http://www.hackthissite.org/missions/realistic/14/moderator.cgi

And enter "isadmin" as moderator id:

In the following screen enter "*"

You should now access this screen:

Login as admin

From the welcome page, access the authentication form:

http://www.hackthissite.org/missions/realistic/14/login.html

And log in using following credentials:

• Username: webguy
• Password: reallyreallylongpasswordthatisveryveryveryhardtoguessorcrack

That works! Mission completed

Comments