Pen Test Challenge 1 Edited

By ghostghost | 12079 Reads

+–––––––––––––––––––––––––+
| PEN TEST CHALLENGE ONE! |
+–––––––––––––––––––––––––+

Well, let's start.

Once you get onto the challenge page there are 6 links to different parts of the site. There is also a login on the main page. To start off with, let's scout the site for anything we can find which may be of use to us. Oh look, an admin panel… Let's think. How do we bypass a login? What is the most obvious way? Try a few methods out and I'm sure after a while you'll get it. If you haven't got it already, think SQL.

The way an SQL login works is basically that when the site checks your details against the database it runs something like

SELECT * FROM users WHERE user='[YOUR SQL LOGIN INJECTION HERE] AND password=[…….];

which shows us where our input ends up in the statement. The trick is to supply an expression that escapes the current field in the SQL statement (closes the quote it is sitting in), is always true, and then ends the SQL statement so that nothing after it is evaluated:

SELECT * FROM users WHERE user=' [SQL QUERY HERE]

So the "AND PASSWORD=" bit would be commented out.
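As an added illustration, not part of the original article or of the challenge site, here is the login pattern described above beside the parameterised form that fixes it, written in Python against SQLite. The table, the single user row and the crafted input are constructed for the example; column names and the plaintext password are assumptions made only so the block runs stand-alone. The point is that the same always-true input which slips through string concatenation is treated as an ordinary, non-matching username once it is bound as a parameter.

```python
import sqlite3


# Constructed sample database for the example; the challenge site's real
# users table, column names and password storage are not known here.
# (Real code would store and compare a password hash, not the plaintext.)
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct horse battery')")
    conn.commit()
    return conn


def login_concat(conn, user, password):
    """The shape the article describes: the submitted values are pasted into
    the SQL text. A quote in the input ends the field early and whatever
    follows is parsed as SQL, including a comment marker that drops the
    password check entirely."""
    sql = ("SELECT * FROM users WHERE user='" + user
           + "' AND password='" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_param(conn, user, password):
    """The fix: placeholders. The driver sends the values separately from the
    statement text, so quotes, OR and comment markers in the input are just
    characters compared against the column, never SQL."""
    sql = "SELECT * FROM users WHERE user=? AND password=?"
    return conn.execute(sql, (user, password)).fetchone() is not None


# Constructed input with the three properties the article lists: it closes
# the open quote, adds an always-true condition, and comments out the rest of
# the statement so the AND password= part is never evaluated.
ALWAYS_TRUE_INPUT = "' OR '1'='1' --"


if __name__ == "__main__":
    db = make_db()
    print("concat, real creds  :", login_concat(db, "admin", "correct horse battery"))
    print("concat, crafted user:", login_concat(db, ALWAYS_TRUE_INPUT, "anything"))
    print("param,  real creds  :", login_param(db, "admin", "correct horse battery"))
    print("param,  crafted user:", login_param(db, ALWAYS_TRUE_INPUT, "anything"))
```

Running the block prints True, True, True, False: the concatenated query accepts both the real credentials and the crafted username, while the parameterised query accepts only the real credentials. Logging the literal value of a failed username field is also a cheap detection: a quote followed by OR and a comment marker in a login attempt is something a reviewer wants to see.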

Hopefully now you have the points from the admin login vulnerability. Let's move on.

Let's move on to another exploit, in another part of the site. The next one I'm going to explain to you is an exploit in the member's tools. You need to check every field you can for this exploit. The vulnerability is generally used by attackers to exploit a site with cookie stealers. (If it helps, use the Firefox add-on Tamper Data.)

This is quite an easy one. The only problem with it is that you have to search every field. God, George Bush Sucks. Hopefully now you understand what I mean.
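The member's-tools issue above is a field whose contents are echoed back into the page unescaped, which is what makes cookie stealers possible. As an added example, not code from the article or the challenge site, the Python below shows that echo beside the escaped version, plus the cookie attributes that stop page script from reading the session cookie even where an injection is missed. The field names and sample values are constructed for the example.

```python
import html
from http.cookies import SimpleCookie


def render_field_unsafe(label, value):
    """The vulnerable shape: a member-supplied field is echoed straight into
    the page, so any markup inside it is rendered (and any script run) in
    every visitor's browser."""
    return "<p>" + label + ": " + value + "</p>"


def render_field_safe(label, value):
    """The fix: escape on output. <, >, &, and quotes become entities, so the
    stored value is displayed as text no matter what it contains."""
    return ("<p>" + html.escape(label, quote=True) + ": "
            + html.escape(value, quote=True) + "</p>")


def session_cookie_header(session_id):
    """Defence in depth for the cookie-stealer case: with HttpOnly set, script
    running in the page cannot read the session cookie at all, so an injected
    script has nothing to send home; Secure and SameSite limit where the
    browser will send the cookie in the first place."""
    jar = SimpleCookie()
    jar["PHPSESSID"] = session_id
    jar["PHPSESSID"]["httponly"] = True
    jar["PHPSESSID"]["secure"] = True
    jar["PHPSESSID"]["samesite"] = "Strict"
    return jar.output(header="Set-Cookie:")


# Constructed sample member fields for the example.
SAMPLE_FIELDS = {"Nickname": "<b>ghost</b>", "Signature": "George Bush Sucks"}


if __name__ == "__main__":
    for label, value in SAMPLE_FIELDS.items():
        print("unsafe:", render_field_unsafe(label, value))
        print("safe  :", render_field_safe(label, value))
    print(session_cookie_header("constructed-session-id"))
```

Escaping belongs at the point of output, not at the point of input: the same nickname may be shown in HTML, in an attribute and in a JSON response, and each context needs its own encoding. Checking every field, as the article says, is exactly the review a defender does too, one output location at a time.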

Now we move on to another common attack, used generally by script kiddies using NetTools or other forms of skiddie programs. This is found on a different page; I'll let you find it yourself. It's located where people find out new information about the world and other events which are going on. That page contains a lot of useful information for the exploit. The exploit should overflow the connection. How do you send lots of data at once to overflow it?!!11

That's right. All the information you need is given on the page. Check whether some of the information that is shared between the pages is vulnerable to an overflow. Now enter overflow data into it and VOILA! You've got it :)

Only two last things to do. As I'm sure you've seen, the URL contains '?page=…', which shows that it's including a local or remote file. There is an exploit about this: http://en.wikipedia.org/wiki/Remote_File_Inclusion

This should tell you most of what you need to know about it. However, if it doesn't: RFI, in very short, means that you can take a file from another source and include it onto that website, so if you wanted to you could include a backdoor shell (c99 and r57 are two very common ones) onto the site. Local File Inclusion does basically the same but with local files (on the server's machine), e.g. /etc/passwd or /etc/shadow. This should give you a good indication of what you need to do.
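The '?page=' parameter above is only a problem because its value reaches the include as a path. As an added example, not code from the article or the challenge site, the Python below shows that shape beside an allowlist lookup, together with a small classifier a log reviewer can run over ?page= values to spot remote-include and traversal attempts. The page directory and file names are constructed assumptions.

```python
from pathlib import Path


# Constructed layout for the example; the challenge site's real page files
# and directory are not known here.
PAGE_ROOT = Path("/var/www/site/pages")        # hypothetical
ALLOWED_PAGES = {                               # ?page= key -> file on disk
    "home": "home.php",
    "news": "news.php",
    "members": "members.php",
}


def classify_page_param(page_param):
    """Detection side: label a ?page= value the way a log reviewer would."""
    if "://" in page_param.lower():
        return "remote-include-attempt"        # a URL instead of a page name
    if ".." in page_param or page_param.startswith("/") or "\x00" in page_param:
        return "local-traversal-attempt"       # walking out of the pages dir
    if page_param in ALLOWED_PAGES:
        return "allowed"
    return "unknown"


def resolve_page_unsafe(page_param):
    """The shape the article describes: whatever ?page= carries is handed
    straight to the include, so it can name a remote URL or any local path."""
    return page_param


def resolve_page_safe(page_param):
    """The fix: the parameter is a key into an allowlist, never a path.
    Anything not in the map resolves to None (the caller serves a 404 or the
    home page), and even an allowlisted entry is re-checked to stay below
    PAGE_ROOT so a bad map entry cannot reintroduce the problem."""
    filename = ALLOWED_PAGES.get(page_param)
    if filename is None:
        return None
    target = (PAGE_ROOT / filename).resolve()
    if PAGE_ROOT.resolve() not in target.parents:
        return None
    return target


if __name__ == "__main__":
    # Constructed sample values as they might appear in an access log.
    for value in ["news", "adminpanel", "../../etc/passwd", "http://example.com/x.txt"]:
        print(f"{value!r:32} {classify_page_param(value):26} -> {resolve_page_safe(value)}")
```

The allowlist also removes the need to disable remote includes by configuration alone: even if the interpreter would happily fetch a URL, the parameter never becomes one. The classifier is deliberately simple and is meant for triage of existing logs, not as the access control itself.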

Last but not least is a cookie exploit (135 points), which is the most important after the DoS exploit (125 points). As I'm sure one of the first things you noticed about the site was that there was a Session ID being shown in the URL (PHPSESSID). You want to make it so the cookies think that you're admin. So, using your brain and using TRUE or FALSE statements, how would you trick something/someone into thinking that you are admin? Well, I hope you got it. One last tip: it is somewhere which is very obvious to set a variable.
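The cookie hint above comes down to an admin flag the browser itself supplies. As an added example, not code from the article or the challenge site, the Python below shows that check beside one that keys the role on server-side session state, and rotates the session id on privilege change so an id that was visible in a URL (as PHPSESSID is here) stops being useful. The user table and the in-memory session store are constructed for the example.

```python
import secrets


# Constructed in-memory stores for the example; the challenge site's real
# session handling and user table are not known here.
USER_ROLES = {"alice": "member", "root": "admin"}   # username -> role
SESSIONS = {}                                       # session id -> username


def create_session(username):
    """Issue an unguessable, opaque session id and remember who owns it."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = username
    return sid


def rotate_session(old_sid):
    """Re-issue the id on login or privilege change: an id that leaked through
    a URL or a log is invalid the moment a new one is handed out."""
    username = SESSIONS.pop(old_sid, None)
    if username is None:
        return None
    return create_session(username)


def is_admin_from_cookie(cookies):
    """The weak shape the article hints at: a true/false flag supplied by the
    client decides whether the visitor is admin, so the client decides."""
    return cookies.get("admin", "false").strip().lower() == "true"


def is_admin_from_session(cookies):
    """The fix: the only client-supplied value is the opaque session id; the
    role comes from server-side state and cannot be set from the browser."""
    username = SESSIONS.get(cookies.get("PHPSESSID", ""))
    if username is None:
        return False
    return USER_ROLES.get(username) == "admin"


if __name__ == "__main__":
    sid = create_session("alice")
    forged = {"PHPSESSID": sid, "admin": "true"}   # constructed request cookies
    print("flag check   :", is_admin_from_cookie(forged))
    print("session check:", is_admin_from_session(forged))
    root_sid = rotate_session(create_session("root"))
    print("real admin   :", is_admin_from_session({"PHPSESSID": root_sid}))
```

The same rule applies to any variable the client can reach, whether it lives in a cookie, the query string or a hidden form field: it may identify a session, but it must never carry the authorisation decision itself. Keeping the session id out of the URL in the first place (cookie-only sessions) closes the leak the article points at.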

Well I hope you enjoyed my article and I would love to get some feedback on what everyone thought. I hope it helps some people. Take care. x

Shout outs to:

Cyph3rHell for helping me complete the challenge myself and just for being really cool. Zephyr_Pure for checking the article over for me and giving me some changes for it and obviously for publishing it.

Thanks guys.

Comments
ghost 16 years ago

Well, we've met the quota of 2 articles for this 1 challenge. You wrote very detailed hints and made sure to remove spoilers. If people can't figure out Pen 1 after this and the other one, they just aren't ready for the chall. Nicely done. One tip, though: Write and proof your articles in a word-processing program so that you can let it pick out your spelling and grammar errors prior to submitting it.

K3174N 420 16 years ago

Handy article, too bad I've already got the 350 point max ^^ Seems to cover everything nicely…. I'm sure this will be helping a lot of people :)

sam207 16 years ago

nice one… I'm stuck in the session part which I'll try to figure out.. Anyway rex_mundi helped me to get the xss part… but didn't help me till now coz I already did 4 exploits..

sam207 16 years ago

& yeah George Bush really sucks…

ghost 16 years ago

Nice article man :) (rated good)

ghost 16 years ago

I meant (rated very good sorry) :D

clone4 16 years ago

nice article, won't compare mine and this one :) but I think together they add up quite nicely… Just to point out one mistake you repeated, the lfi/rfi you mentioned is in fact full disclosure, but I think that's all :) Very good…

ghost 16 years ago

I'll go ahead and comment again, since I can comment on what was said so far. It actually took quite a bit of thought to approve this one, even though I did proofread it before it was submitted. clone4, I actually did compare your article and this one… I looked to see if there were any other articles on this challenge, and I found yours. The comparison fit rather well, though; while your article was vague and equally as useful as this one, I allowed this one based upon its precision, its likeness to other challenge-related articles (which can tend to be rather specific), and this concept: Two articles on a challenge are all one would ever need to get "unstuck". This fit that bill. Mosh, I know this article (and the other on this challenge, of course) pretty much ruin the challenge by leading a bit too much… however, this is the state of all of the challenge articles. Not saying that's an illustration of the way it should be, but it is how it is now until that changes… which justified the approval of this one. Now, if I see any more Pen 1 articles, I don't expect them to get through… 2 is the magic number for challenge articles. :)

K3174N 420 16 years ago

"2 is the magic number for challenge articles. :)" I wonder if that's why my article on rooting challs 1,2,3 never made it… :right:

ghost 16 years ago

Nice article man (Very Good) :D

ghost 16 years ago

I totally agree with mosh, you have voided the entire purpose of this challenge. Poor. (N)

clone4 16 years ago

hey just noticed; mine actually has less spoilers dude, matter of fact;)

yours31f 16 years ago

nice article.

Uber0n 16 years ago

When you pentest for real you NEVER have any premade guides, therefore a walkthrough kinda ruins the point of this challenge imo :p

ghost 16 years ago

You never have a premade guide for any hacking… yet we have challenge guides of all kinds. The article gives away a lot for the challenge but, for those that actually want to learn from it and do it on their own, they will spend a great deal of time trying on their own and checking the forums first. For those that do just read straight from this (and ones like it) to do the challenges, they will either strive to learn as they should, or they will leave. Either way, it has no effect on the general consensus for now.

Uber0n 16 years ago

@moshbat: Can't wait :D

ghost 13 years ago

lulz… It's hard to translate to my language… :angry:

adeadeade 11 years ago

nice article man thanks

DAce 10 years ago

I'm not sure if I understand something wrong but it seems that none of my SQL In******* approaches seem to work… :| can somebody help me? I want to avoid spoilers here