Basic 1 to 17

Basic 1 to 17

By SySTeM | 104202 Reads |

0     0

Hey fellow hackers, this is my article on basic web hacking 1 to 17. Yes you heard right, all that are out right now. I recommend before starting you learn some basic html. So. here it is:

Basic 1 Some of you who are very stumped or are new to hacking may just think, hm what shall I do, here’s what you do! Download FireFox (http://getfirefox.com) and press Ctrl+U, or if you can’t get a hold of fire fox just find a way to view the source. Once you are in the source you need to know what a html comment looks like, for those who don’t know, it’s . So, in the source do a search (Ctrl+F) and find any comments. Once you have found the right comment, you should know what it is, work it out and then type the answer in the password box and hit submit, then basic 1 is out the way, on to basic 2.

Basic 2 Aha, Drake has learnt about the tag! If by now you still don’t know any html, an iframe allows you to embed a webpage inside a webpage. So, again we need to view the source, and then do another search, this time search “<iframe” without the quotes of course, this will show you where the iframe is reading from. When you have found it you have put the exact “src” or it in the box. Wooo basic 1 and 2 are over! Basic 3 here we come!

Basic 3 Hm, you may be thinking “What’s a user agent?”, well a user agent is your browser and platform/OS, and for this challenge you need to change your user agent, if you still haven’t got firefox and you’re in IE, you’re a bit stuck, you see, in firefox you can get an extension which lets you change your user agent (http://chrispederick.com/work/useragentswitcher/) but in IE, you have to spend a long time in regedit trying to change it. Once you have firefox installed and the user agent switcher you just have to edit the user agent to the right string (bwh3_user_agent). Woooo more points! Basic 4 now…

Basic 4 This one is pretty straight forward, as you see you get this: “ ERROR: htpasswd.php file not found in basic4/“ which tells up the file “htpasswd.php” is not in the /basic4/ directory, so all you have to do is move up a dir!

Basic 5 This one is tricky, all you have to know is that an asterisks is a wild card - it can mean anything. So for username and password it would be : and an e-mail would be @.*, so from that you should be able to figure it out.

Basic 6 Hurray! Basic 6! Unix! For this you’ll need to know some basic unix commands. The first is chmod, this command allows you to change permissions of a file. On this challenge you need to chmod the logs/logs.txt then remove it. So what we have to do is chmod it to all and execute (chmod a+x). After you’ve entered the chmod command into the first box we have to remove it, this command is “rm”. After that, you have to remove the track_logs.php file to stop you getting tracked.

Basic 7 Right, for those who just went ahead with sql injection as soon as they saw the word “sql”, you’ve wrong, but, for those who read the description through well, you may notice it says “This time Mr. Deitry decided to make a cookie login script and he said he decrypted it from ASCII encryption” For some of you, you may be thinking “What’s ASCII encryption?!” Well, I’ll give you a hint, 011000100110100101101110011000010111001001111001. Now, time to check our cookies to see what we need to decrypt! If you have alerted the cookies (javascript:alert(document.cookie), you should see that the username is sam and the pass is jillisdead, so what are you waiting for, encrypt it already! For this we will need to do a javascript injection. Enter in your address bar: javascript:void(document.cookie=“username=binary encrypted text”); Replacing the “binary encrypted text” with, yep you guessed it, the binary encrypted text! Then all that’s left is to refresh. And now time for a nice little sql injection.

Basic 8 Right, basic 8, this time we need a lengthy sql injection, not just a ’ or 1=1– injection. In the password box type any random word and hit enter, you should get an sql error. Now if you view the source and look for comments again you can see Wrong SQL query, for those who know some basics of web coding, you can put things on the end of file names with a question mark, for example: something.php?variable=something. This would work using a $_GET of the name “variable”. So, we know that this script uses $_GET[‘sql_query’]; Now if you look at the name of the variable “sql_query” you should be able to work out what it may do. So try some sql queries using the sql error we got earlier.

Basic 9 Alrighty, just over half way to finishing the basics! In basic 9’s description, you should notice that the file search utility searches for files in the directory /files/. So, if we take a look at http://www.hellboundhackers.org/challenges/basic9/files/ you can see there’s a login.php file! By now, you should know that the source of a login usually contains the user and password unless it does a database query, now, if we go back to the file searcher, and put in “login.php” we can see that it’s a real login. Obviously you can’t view the raw php code of web pages because it gets parsered, but, there’s an exploit called the Poison NULL Byte, for those who haven’t heard of it it’s when you add %00 on to the end of things, such as page.php?file=config.php%00, this could show you the source of the config.php file. In this challenge we need the source of login.php, so try searching login.php with a poison null byte on the end.

Basic 10 Ok then! You may or may not know what a proxy is, but you should know what an IP is, if not: an IP address is basically the address of your computer. And, what a proxy does is, it kind of changes your IP, for this challenge you need to get a proxy that’s in the right range to get into /admin/. Those who are on ntl internet may have problems with this challenge as ntl gives you what’s called a “shared IP”, it’s basically a proxy but it means you can’t change it :(

Basic 11 Hurrah! User agents again, this time we need to change the user agent and the OS, for those who done basic 3 with the user agent switcher plugin may notice that on the user agents that are already there it says things like: Internet Explorer 6 (Windows XP), this tells us that they are running Windows XP and using IE6, so it shows that user agent strings are like this: User agent (Operating system) Now what’s left is to change your user agent and refresh.

Basic 12 Okie doodle doo, you should notice when you click Basic 12 on the basic.php page it goes to: basic12/index.php?page=challenges.php This is called file inclusion, and this can be exploited. You see, we need to get the user:pass combination from the /protected/ folder, this folder is passworded with .htpasswd/.htaccess, so if we try and include the .htaccess file it may give us the password file :) Now once we have the hash, we need to crack it, it’s encrypted with DES, this can be easilly cracked with John The Ripper (http://openwall.com/john/). Alot of people struggled trying to crack this, as if you try and brute force it, it may take weeks, you need a wordlist, google for one. Once cracked, go to the protected folder and enter in the username and password to get the points.

Basic 13 Right, basic13, you are told to log in as George, but what’s this?! There is no George!!! Oh my god!!!!!!!! Well, being the elite hacker that you are you can manipulate the form :D So, save the page to your hard drive and modify the values in the form, don’t forget to make it post to the hbh site.

Basic 14 Hm, again with the source…in this one, when you find the comment, you are told to go to a certain file to get the “new password”. Once you’ve gotten it go and get your points.

Basic 15 Soooooo, we get told a file that hides directories, what could it be? It’s something.txt! What, you thought I’d give you the answer? tsk tsk Go and google. Once you have the real file then you can get your points wooooooooo.

Basic 16 Hooray! Only one more to go! On this one, you are told it’s vulnerable to SQL Injection, so what are you waiting for, inject already!!! Right, now you’re done.

Basic 17 Yay, the last one! For this one, you’ll notice your PC may lag when you first attempt it, that’s because it’s a java applet and a lot of PC’s hate them, especially mine, it freezes up everytime a java applet runs, but anyway, if you view the source you can see that there’s a file, basic17.class, so let’s download it. Once you have that downloaded, you’ll need to open a certain program to read it, google for a decompiler for this file type, once you have a decompiler, open this file with it and you should be able to see the java source code, if you look you should see the password, so go back to /challenges/basic17 and enter the password, a new window will open and then you’ll receive your points! Bang, another mission down :p

Thank you for reading my article, I hope it has helped you.