spoiler free walkthrough for mission 15 (yup, mission 15)
ok. you start the mission. some guy is asking you to find something about the latest patents of seculas ltd, weapon industry. obviously an important thing, so it's not gonna be easy. as usual, you start with the index page. you look in the source, find nothing interesting. actually, nothing seems to be of any interest. wrong. check EVERY page, even the most stupid ones (like "question sent" etc.). it may take a while, and when you find it, you'll want to hit your head with a rock. in one of them, you will find something from a hidden folder ba***** . inside it will be a zip file, so download it. oh crap. it's password protected. soooo? to go any further, you will have to download pkcrack. or perhaps you could use something else, but i used pkcrack. to find it use google, simply put pkcrack. and have a postcard ready.
once you have pkcrack we can continue.
pkcrack is a plaintext attacker, zip decoder. this means that you need to have at least one file from the zip in its original form. so go check that zip you downloaded. hm, 2 folders. int***** m******* and files from misc folders or something like that. in the first folder, you'll find 2 php includes (scripts with no output, of great importance, but not at this point), so you can forget about it for now. in the second folder, however, you'll find a sh***.php and an i****.htm . aaaah. i****.htm. that's available in original form. simply save as i****.htm into the pkcrack folder, but be sure to change the name into something else, like say 123.htm . you might want to use wget (download program, google it up) if a normal save as fails (you'll see later). now, there is a great tutorial on pkcrack on hts already, so check it out. also, if you decide to use wget, check the forums, it's explained how it works over there.
once you did that, time for the boring stuff. first, extract i****.htm using pkcrack. then compress 123.htm using either rar or zip (i've done it using rar) on different compressions, until your 123.htm (plaintext) is EXACTLY 12 bytes shorter than your extracted i****.htm . as a side note, watch your extensions when using pkcrack, they matter.
now use pkcrack to finally get the files. (http://www.hackthissite.org/articles/read/418, great article by joeyadms)
great, you have your files. now what.
you'll certainly try your sh***.php file. uhuh!! BIG! we'll get to that soon enough. if you try to open it from www.hts.mission...bla…/15/sh***.php, good luck with that. it's a fake, as you can guess, it would be too obvious.
well, now's the time to check those scripts in the int*****_m******* folder. as you can guess, int*****_m******* is a folder on the real site. and, it's forbidden. you'll see "forbidden" too many times from now on. anyway, in those scripts, you find out about 3 php pages, 2 have no output, and one that has exactly the same name as the folder itself. you'll find out about one msg*********.txt file in the f**** directory, but, as you could guess, it's all forbidden. so go to int*****_m*******/int*****_m*******.php . yip yip. admin's message. we want to read that. how? thank you for asking.
now comes a hard thing to understand. check the two includes, msg_a***.php and msg_s***.php. as you see, msg_s***.php calls msg_a***.php. now the important thing to understand is what exactly they do.
first check the source of int*****_m*******.php to see the "username" of person who's message we want to read.
then, see this:
it sets 3 new variables, username and pass it takes from int*****_m*******.php. msg_u******* we now know (from int*****_m*******.php) and we must not change because of showmessage($msg_u*******).
then check this: if (ereg($msg_u******* . ": " . $msg_p******* . "\r*\n*$", $strLine, $regs)) $_SESSION['msga***'][$msg_u*******] = "OK";
and this :
$fp = @fopen("fi***/" . $f*******, "r");
that is combining the msg_u******* variable (admin username from int*****_m*******.php), the ": " string and the msg_p******* variable into one string. then it checks the file named by $f******* line by line for that string. if it finds it, it sets your session as OK and lets you see username's messages. so we need to exploit this. once again, check the sources on the seculas website for something in aaaaaaaaaa: bbbbbbbb form that we can exploit. great, you found it. now, that aaaaaaaaa has our username in it, so it is aaausername: (EVERYTHING to the end of the line will be our password) and the filename will be the i****.htm where you found this. now we have to give all of this info to a.php. so, make your own form:
(oh before that have a int*****_m*******.php in a tab or for ie users in a window)
<form (remove )action=www.hts.mission.blabla.msga.php method=(think, you send data)>
<input name="(msg_p, to find the name of variable check msga**, very logical, but do not include $)" value="" type=text>
<input name="(variable for username from msga.php)" value="" type=text>
<***input name="(file variable, for this one check s.php)" value="" type=text>
<***input type="submit" value="send">
and? a blank page. but hey! it's supposed to be blank! now, if everything is done correctly (the filename needs to be in the right directory)
go hit read messages (from admin) in int*****_m*******.php and voilà. (this can be VERY irritating, but if something is wrong, go check the forums or pm someone, me if necessary, but i cannot guarantee that i'll respond 'cause i'm not always on hts) now you found the a***_a*** folder. and? listing is forbidden. but hey? remember sh***.php? the fake one? what do you think, where is the right one? bingo. and so you came to the right s**ll.php finally. and, once again you are prompted for a password and username.
now, again, an important thing to understand.
go check your own sh***.php
$shuser_r = "r***";
$shps_r** = "********************************"; // hash removed in this backup-file
$MyShellVersion = "MyShell 1.1.0 build 20010923 ".$$php_auth_u***;
be sure to understand what this is all about. MyShell 1.1.0 build 20010923 . remind you of something? and behind it is the $$thing you input. it should be obvious, but if you have problems go visit the forums.
ok, so you got the r*** hash. it's double md5. either search for an online md5 database or make your own script for this (use cain's wordlist)
so, you are in the shell. try things and laugh. then list the directory. then go see the files and laugh. then find view2.php and view.php .
you should also notice the chku*pa C source file while downloading everything.
now comes… the buffer overflow. google about it. ask the forums about it, there is one good hint there, wikipedia has a good explanation of what it is.
you see, in this c program, it combines username and pass into one string. and if you overcrowd it with junk data… it might put the junk data into something else where it won't be junk… think about it. and you want is_p***_correct to be "*" not "***********" (think, what is * gonna be this time? it's in the file)
and when you figure out what you have to do, have patience….
and that's it. it's my first article, and i really hope it helped you. i know, some things aren't well explained, but i do not have much time, and there is a possibility of giving too much away.
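as an added illustration from the fixing side (constructed here, not the mission's chku*pa source, which this page does not show), this is the layout the paragraph describes, a joined "user:pass" buffer sitting right next to the verdict, with the join done through a bounds-checked snprintf so oversize input is refused instead of spilling into the neighbouring flag. the struct, names and the expected credential are all assumptions:

```c
#include <stdio.h>
#include <string.h>

/* Assumed layout (constructed, not the mission's file): the joined
 * "user:pass" string sits right before the verdict in memory, which is
 * why an unbounded strcpy/strcat into `combined` could reach the flag. */
struct login_state {
    char combined[32];
    int  is_pass_correct;
};

/* Join user and pass into dst. snprintf never writes past dstsz, and a
 * return value >= dstsz means the result did not fit, so the caller can
 * refuse the request instead of silently working on a clipped string. */
int combine_credentials(char *dst, size_t dstsz,
                        const char *user, const char *pass)
{
    int n = snprintf(dst, dstsz, "%s:%s", user, pass);
    if (n < 0 || (size_t)n >= dstsz) {
        if (dstsz > 0)
            dst[0] = '\0';      /* leave nothing half-copied behind */
        return -1;
    }
    return n;
}

/* Returns 1 only when the bounded join succeeded and matched the expected
 * pair. The verdict is written by the comparison alone, never by the copy. */
int check_login(const char *user, const char *pass)
{
    /* Constructed expected credential; a real check would compare a hash. */
    static const char expected[] = "alice:correct horse";
    struct login_state st;
    memset(&st, 0, sizeof st);

    if (combine_credentials(st.combined, sizeof st.combined, user, pass) < 0)
        return 0;               /* too long: rejected, flag untouched */

    st.is_pass_correct = (strcmp(st.combined, expected) == 0);
    return st.is_pass_correct;
}
```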