[HTS] hackthissite realistic missions 1-5 [tutorial]

Post by TeamRetox »

I will add more as I finish these.

1. Uncle Arnold's Local Band Review

So this dude's band is in last place, what a noob ;o
Well, let's help him out anyway :)
Make sure you have the Firebug addon, it's very useful. Let's have a look at the voting part.
Click the inspect button and then click on the dropdown for voting:

Code:
<select name="vote">
    <option value="1">1</option>
    <option value="2">2</option>
    <option value="3">3</option>
    <option value="4">4</option>
    <option value="5">5</option>
</select>
Let's edit one of those with Firebug.
Click on the 1 in value="1" and change it to a big number (100000 for example). Press the vote button and you're done :)

2. Chicago American Nazi Party
Ah, what's that? Lame racist people? :o HAX!
First thing we're gonna do is check the page's source.
Near the bottom it says

Code:
<a href="update.php"><font color="#000000">update</font></a>
Hmm... update? Let's go to that page :)

Press control+a on the main page and you'll see the 'update' link :) Click on it.
Hmm, a login form :o
Let's enter the name of one of the fishes that posted (I took Jones).
Let's try if it's vulnerable to SQL injection:
username:
Jones'--
password:
djfhsjkfhjkfh

Wooo, we're in

3. Peace Poetry: HACKED
This one was a pain in the ass.
The keyword to solve this one is directory traversal (see basic 8 and 9).

View the page source of the haxxored page. Hmm, it's all cluttered up on 1 line, but there's a massive scrollbar :o
Scroll down :)

Code:
<!--Note to the webmasterThis website has been hacked, but not totally destroyed. The old website is still up. I simply copied the old index.html file to oldindex.html and remade this one. Sorry about the inconvenience.-->
So we found the old page :) oldindex.html
Go to oldindex.html's source, press control+a and copy it all.
Now click the submit poem button; we're gonna use directory traversal to overwrite the old index.html!
name:

Code:
../index.html
poem:

Code:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"        "http://www.w3.org/TR/1999/REC-html401-19991224/loose.dtd"><html><head>	<title>peace be with all</title></head><body background="bg.jpg" text='#FFFFFF' link="#FFF833" vlink="#FFF833"><center><font face="verdana" size=7><b>Peace Poetry</b></font><table cellspacing=0 border=0 cellpadding=0 align="center" width=760><tr><td width=230><font face="verdana" size=2><b>"What difference does it make to the dead, the orphans and the homeless, whether the mad destruction is wrought under the name of totalitarianism or the holy name of liberty and democracy?" - Mahatma Gandi<br /><br />"A war is not won if the defeated enemy has not been turned into a friend."</b></font></td><td width=300 valign="top"><img src="peace.jpg" width=297 height=300></td><td width=230><font face="verdana" size=2><b>"The greatest purveyor of violence in the world today is my own government. For the sake of hundreds of thousands trembling under our violence, I cannot be silent." - Martin Luther King Jr.<br /><br />"The nationalist not only does not disapprove of atrocities committed by his own side, but he has a remarkable capacity for not even hearing about them." - George Orwell</b></font></td></tr></table><table width=600 cellspacing=0 cellpadding=0 border=0 align="center"><tr><td><font face="verdana" size=3><b>Welcome to Peace Poetry. This website features several poems crying out for freedom, liberty, justice, peace, love and understanding.  You can also submit your own poetry!<br /><br /><center><a href="readpoems.php">Read The Poetry</a> | <a href="submitpoems.php">Submit Poetry</a><br /><br /></center></b></font></td></tr></table></center></body></html>
4. Fischer's Animal Products
First thing u wanna do is check out all the links.
The 2 links on the page are using GET (they retrieve stuff from the database).
The submit email button uses POST.
Now if u submit something random you'll see

Code:
Error inserting into table "email"! Email not valid! Please contact an administrator of Fischer's
So we know the table is named email, good :)

Go to the category page, and behind the category=1 paste this:

Code:
UNION ALL SELECT NULL, *, NULL, NULL FROM email;
Look unions up on Google if you don't know what it does; basically it groups together multiple SELECT id FROM table SQL commands.
Press enter and voila, the list of emails is at the bottom of the page! :)
Now copy them over to notepad, make 'em so it's 1 email per line, then send a private message to SaveTheWhales with the emails as the message content and you're done! :)
Last edited by TeamRetox on Sun Oct 25, 2009 5:40 pm, edited 2 times in total.
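The login bypass (Jones'-- in mission 2) and the UNION leak (mission 4) both come down to the shape of the query on the server. This is an added example, not code from the post or from HackThisSite: it runs the two payloads from the walkthrough against a throwaway SQLite database with a string-spliced query and then against a parameterised one. The table layout and rows are constructed; only the table name "email" comes from the page.

```python
import sqlite3

# Throwaway SQLite stand-in for the mission back end. Table names and rows
# are constructed for this example; only "email" is named on the page.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(username TEXT, password TEXT);
        INSERT INTO users VALUES ('Jones', 'correct-horse');
        CREATE TABLE products(id INTEGER, name TEXT, price TEXT, category INTEGER);
        INSERT INTO products VALUES (1, 'Fur coat', '200', 1);
        CREATE TABLE email(address TEXT);
        INSERT INTO email VALUES ('whale@example.com'), ('seal@example.com');
    """)
    return db

# Vulnerable shape: input spliced into the SQL text. The quote in Jones'--
# closes the string literal and the -- comments out the password check.
def login_vulnerable(db, user, pw):
    sql = f"SELECT username FROM users WHERE username='{user}' AND password='{pw}'"
    return db.execute(sql).fetchone() is not None

# Fixed shape: bound parameters; the same input is just an unknown username.
def login_fixed(db, user, pw):
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    return db.execute(sql, (user, pw)).fetchone() is not None

# Vulnerable shape for the category listing: "1 UNION ALL SELECT ..." becomes
# part of the statement, so rows from another table ride along in the result.
def products_vulnerable(db, category):
    sql = f"SELECT id, name, price, category FROM products WHERE category={category}"
    return db.execute(sql).fetchall()

# Fixed shape: coerce to int first (ValueError on anything else), then bind it.
def products_fixed(db, category):
    sql = "SELECT id, name, price, category FROM products WHERE category=?"
    return db.execute(sql, (int(category),)).fetchall()

def demo():
    db = make_db()
    payload = "1 UNION ALL SELECT NULL, *, NULL, NULL FROM email"
    bypassed = login_vulnerable(db, "Jones'--", "djfhsjkfhjkfh")
    blocked = not login_fixed(db, "Jones'--", "djfhsjkfhjkfh")
    leaked = [row[1] for row in products_vulnerable(db, payload)]
    try:
        products_fixed(db, payload)
        rejected = False
    except ValueError:
        rejected = True
    return bypassed, blocked, "whale@example.com" in leaked, rejected
```

The error message in mission 4 that names the table is the same class of problem: the hardened handler should log the database exception and show the user a generic failure.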
Re: [HTS] hackthissite realistic missions 1-2 [tutorial]

Post by Sethioz »

Here's my quick guide and methods. Seems like you used a different method.

1.
Change the vote points with Firebug or some packet editor to some high value.
Tamper Data would do.

2.
View source and find update.php,
then go there. Use the most common MySQL injection:
user and pass as

Code:
' or 1=1--
3.
View the source and find the note.
From there go to the original page. Copy the source of the oldindex,
paste the source into poem and as name type "../index.html".
This will replace the hacked index with the original one.


4.
Insert an SQL statement to see if it uses SQL or just a file.
Do

Code:
'
You will get that error inserting into table "email",
so it's SQL and the table's name is "email".
We do the following SQL injection in order to read the data from the email table:

Code:
products.php?category=1union%20all%20select%20null,%20%20*,%20null,%20null%20from%20email;
Now the trick: you need to send an actual email from your inbox. Click your name, and then click your name again to get the email page.
Mail to "SaveTheWhales".
Subject is "emails" and then paste the emails into the message; I think it must be one per line and no spaces.

5.
Browse the site and discover admin.php
- click on database
- use Firebug to inspect the submit button; there you will find the directory /secret/admin.php
- admin.php does not work, so go to the /secret folder
- there you find admin.bak.php; go there
- there you will find a password hash; find out what type of hash it is
- use PasswordsPro or Cain (Cain & Abel) to generate a random password and then compare the hash to find out that it is an MD4 hash
- now you need to brute force the hash: add the hash into your cracking program, then run a brute force attack using all_alpha_numeric (it should crack in less than 5 mins, depending on your CPU)
- now grab the password and enter it in admin.php

I also have 7, 12 and 13 (the only ones I looked at); also there was one with a zip, which I figured can be decrypted based on another identical zip (a zip with the same filename and size in it), but couldn't be bothered with it atm.
Of course such methods rarely work in real situations.
The voting exploit actually does work, and similar ones, like the email thing in basics and such. Of course I never used Firebug for such things. I'm using Tamper Data, Burp Suite, Paros or my favorite WebScarab to intercept traffic. These work perfectly on chatrooms.
Like the exploit in pro chatrooms where you were able to browse out of the /avatars directory and then put "../logout.php" as your avatar, which forced everybody to log out.

I will only post tutorials once I have all the realistic ones. I didn't want to make a mess here.
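The "../index.html" trick in mission 3 (and the /avatars one mentioned above) works because a user-supplied name is joined onto a directory and nobody checks where the result lands. This is an added example, not code from either post or from HackThisSite: the unsafe join beside a containment check that resolves the path and requires its parent to be the intended directory. The poems/ directory name and the temporary site root are assumptions.

```python
from pathlib import Path
import tempfile

POEMS_DIRNAME = "poems"  # assumed layout; the mission does not state it

# Vulnerable shape: the submitted name is joined straight onto the poems
# directory, so "../index.html" resolves to the site root's index.html.
def poem_path_vulnerable(site_root, name):
    return (Path(site_root) / POEMS_DIRNAME / name).resolve()

# Fixed shape: resolve (this also follows symlinks, so the check applies to
# the final location) and require the parent to be the poems directory.
# Subdirectories, traversal and an empty name are all refused before any
# write could happen.
def poem_path_fixed(site_root, name):
    poems = (Path(site_root) / POEMS_DIRNAME).resolve()
    target = (poems / name).resolve()
    if target.parent != poems:
        raise ValueError(f"refusing to write outside {poems}: {name!r}")
    return target

def demo():
    root = Path(tempfile.mkdtemp())          # constructed throwaway site root
    (root / POEMS_DIRNAME).mkdir()
    escaped = poem_path_vulnerable(root, "../index.html") == (root / "index.html").resolve()
    try:
        poem_path_fixed(root, "../index.html")
        rejected = False
    except ValueError:
        rejected = True
    accepted = poem_path_fixed(root, "mypoem.txt").name == "mypoem.txt"
    return escaped, rejected, accepted
```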