Hack This Site: Realistic Web Mission – Level 11

Hack This Site : Realistic Web Mission – Level 11 : Today we're looking at Hack This Site Realistic Web Mission Level 11. I didn't enjoy this challenge as much as the others, because the mission no longer works as intended. I suspect this may be due to improvements in browser security or changes made to the application. The challenge initially required you to steal cookies through a user agent; however, that no longer appears to be the case.


Introduction

We've received a message from Space46, who explains that their ISP has suspended their web application because the ISP suspected them of hacking another website on the same server. He has asked us to recover a backup of his website, which is still hosted on the server. The filename of the backup is "src.tar.gz".

Message From Space46 | hackthissite realistic level 11

Exploring The Web Application

Navigating to the web application, we can see it looks like a basic hosting provider's website. There are a number of navigation options, but none of them appear to link to anything interesting. There is a webmail page, which we could attempt to brute force if we can't find anything else.

Web Application — Budget Serv | Hackthissite realistic level 11

OS Command Injection

One thing that caught my eye was the way in which the application was calling pages. There appears to be a Perl script, page.pl, that loads different files based on the page parameter. You can see an example of the Perl script calling the features page below.

https://www.hackthissite.org/missions/realistic/11/page.pl?page=features

We can attempt to exploit this functionality by changing the value of the page parameter to a Linux operating system command. The pipe characters around the command are what matter here: this payload shape is the classic sign of Perl's two-argument open(), which treats a string ending in "|" as a command to run and read from rather than a file to open. In this instance, we are going to use the ls command to list the contents of the current directory.

https://www.hackthissite.org/missions/realistic/11/page.pl?page=|ls|

As you can see from the screenshot below, the command worked and we can see the contents of the directory. We should take note of all the files listed as they could help us in the future.

Web Application — OS Command Injection | Hackthissite realistic level 11
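The following is an added example, not code from the original page or from Hack This Site. It models the rule that makes the |ls| payload work, Perl's two-argument open() deciding its mode from the shape of the string, and contrasts it with an allowlisted handler. Since page.pl's source is not shown, the example assumes the script glues the page value onto a directory prefix (PAGE_PREFIX is hypothetical); that assumption is what makes a trailing pipe reach the shell and the output come back to the browser.

```python
from __future__ import annotations

import re
from pathlib import PurePosixPath

# Perl's two-argument open() picks its mode from the shape of the string it is
# handed: a leading "|" means "write to this command", a trailing "|" means
# "read from this command", and "<", ">", ">>" select plain file modes.
# This function is a Python model of that dispatch rule, not Perl itself.
def classify_perl_open(spec: str) -> tuple[str, str]:
    s = spec.strip()
    leading = s.startswith("|")
    trailing = len(s) > 1 and s.endswith("|")
    if leading and trailing:
        # Perl refuses this outright: "Can't do bidirectional pipe".
        return ("error_bidirectional_pipe", s)
    if leading:
        return ("pipe_to_command", s[1:].strip())
    if trailing:
        return ("pipe_from_command", s[:-1].strip())
    if s.startswith(">>"):
        return ("append_file", s[2:].strip())
    if s.startswith(">"):
        return ("write_file", s[1:].strip())
    if s.startswith("<"):
        return ("read_file", s[1:].strip())
    return ("read_file", s)


# Assumed shape of the vulnerable page.pl (its source is not on the page): the
# page value is glued onto a directory prefix and passed to two-arg open().
# With page=|ls| the string becomes "pages/|ls|"; the trailing "|" makes Perl
# run `sh -c 'pages/|ls'` and read its stdout. The shell tries to execute
# "pages/" (which fails harmlessly) and pipes into ls, so the directory listing
# is what the script reads and echoes back into the HTML.
PAGE_PREFIX = "pages/"  # hypothetical prefix


def vulnerable_open_spec(page: str) -> tuple[str, str]:
    """Return the (mode, target) Perl would derive for a given page value."""
    return classify_perl_open(PAGE_PREFIX + page)


# Hardened version: allowlist the page name and build the path yourself so the
# parameter never reaches a mode-sniffing open(). (In Perl: three-arg open with
# an explicit "<" mode, plus the same allowlist.)
PAGE_NAME = re.compile(r"[a-z0-9_]{1,32}")


def is_safe_page_name(page: str) -> bool:
    return PAGE_NAME.fullmatch(page) is not None


def safe_page_path(page: str, pages_dir: str = "pages") -> PurePosixPath:
    if not is_safe_page_name(page):
        raise ValueError(f"rejected page name: {page!r}")
    return PurePosixPath(pages_dir) / f"{page}.html"
```

Note that a bare |ls| with no prefix would be refused by Perl as a bidirectional pipe, so the fact that the listing came back is itself a hint about how page.pl builds its open() string.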

Further Exploration

The results of the OS command injection showed an admin directory. Navigating to that directory reveals a login page. Unfortunately, we don't have any credentials for it yet, so we will have to continue exploring the web application.

Admin Log In Page | Hackthissite realistic level 11

The next file in the listing is "bs.dbase", which appears to be a database file. We can't access it directly, but we should remember the name for later. The next directory is "client_http_docs", which appears to contain all the web applications being hosted. Navigating to this directory shows a number of directory listings, including space46. Sadly, attempting to access that directory produces an error message informing us that the application has been suspended.

Directory Listing | hackthissite realistic web mission level 11

The other directories appear to serve other applications. One of these applications is the Wonder Diet as shown in the image below. Another is about a potato which is still under construction. Browsing these applications didn’t provide much that we could exploit.

The Wonder Diet | Hackthissite realistic web mission level 11

The Right Web Application

The rightwayradio directory contains what appears to be a radio web application. It has some basic functionality, including a login form. There's also a message on the landing page from the user "rsmith". If we click on that user, it takes us to the "userinfo" page about that user.

The Right Way Radio | Hackthissite realistic web mission level 11

Exploiting Web Application Users

If we look at the URL, we can deduce that the user page is selected by the id parameter of the userinfo page. Furthermore, we can see that the user "rsmith" has a user id of -1. This is a textbook insecure direct object reference: if we experiment with the parameter, we can retrieve other users' information.

client_http_docs/therightwayradio/?page=userinfo&id=-1

By changing the value of the parameter from -1 to 0, we can retrieve the page for the user "aclu_bomber_08290". As can be seen from the image below, we also have the ability to change that user's password. Initially, I thought this was absurd as we had not authenticated. However, I have seen a lot of odd application behaviours, so this shouldn't have surprised me that much.


Changing Password | hackthissite realistic web mission level 11

Web Application SQL Functionality

After changing the user’s password, we’re able to log in to their account. Their account appears to have access to a moderation page that has an input box for SQL queries. We also know, from our OS command injection, that there was a database file called bs.dbase.

SQL Query | hackthissite realistic web mission level 11

If we view the page source of the application, we can see that there is a hidden parameter called sql_db which has the value of rwr.dbase. This is not the database we want to query.

Web Application — Page Source | Hackthissite realistic webmission level 11

However, we can modify the parameter and tell it to query the database that we want to query. We also know the location of the database because our OS command injection was run in the root of the application. By modifying the parameter and telling it to move up three directories, we should be able to query the main database.

Changing Value | Hackthissite realistic web mission level 11

Dumping Web Users

As this is an SQLite database, we need to query the sqlite_master table to find out which tables it holds. We can do this by running the query below. I have included the output, which tells us that there is a table called web_hosting.

SELECT name FROM sqlite_master WHERE type = 'table';

Output:

name
web_hosting

Next, we can tell the database to dump the entire contents of the web_hosting table.

SELECT * FROM web_hosting;

As you can see from the screenshot, we were able to get a list of users, passwords, email addresses and their web_package identifiers. We can see from this information that the user wonderdiet appears to be the administrator user. Their web_package id is 1 which suggests their site was the first site created. Additionally, they have admin in their email address.

Users and Passwords Returned | Hackthissite realistic web mission level 11
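The two-step enumeration above (discover tables via sqlite_master, then dump them) is general to any SQLite file you can point a query box at. This added example, not code from the original page, reproduces it offline with Python's sqlite3 module against a constructed in-memory stand-in for bs.dbase; the table name is the page's, the rows are made up for the example and are not the mission's real data. It also encodes the "who is the admin" heuristic applied by eye in the walkthrough.

```python
import sqlite3


def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for bs.dbase. Rows are invented for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE web_hosting ("
        " id INTEGER PRIMARY KEY, user TEXT, password TEXT,"
        " email TEXT, web_package INTEGER)"
    )
    conn.executemany(
        "INSERT INTO web_hosting (user, password, email, web_package)"
        " VALUES (?, ?, ?, ?)",
        [
            ("site_admin", "example-pass-1", "admin@example.test", 1),
            ("customer_a", "example-pass-2", "a@example.test", 2),
            ("customer_b", "example-pass-3", "b@example.test", 3),
        ],
    )
    conn.commit()
    return conn


def list_tables(conn: sqlite3.Connection) -> list[str]:
    """Step 1 of the walkthrough: ask sqlite_master which tables exist."""
    rows = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name"
    ).fetchall()
    return [r[0] for r in rows]


def quote_ident(name: str) -> str:
    """SQLite identifier quoting: double quotes, embedded quotes doubled.
    Table names read back from sqlite_master are attacker-influenced data, so
    they must not be spliced into SQL unquoted."""
    return '"' + name.replace('"', '""') + '"'


def table_columns(conn: sqlite3.Connection, table: str) -> list[str]:
    """PRAGMA table_info returns (cid, name, type, notnull, dflt, pk) per column."""
    return [r[1] for r in conn.execute(f"PRAGMA table_info({quote_ident(table)})")]


def dump_table(conn: sqlite3.Connection, table: str) -> list[dict]:
    """Step 2 of the walkthrough: SELECT * FROM <table>, labelled by column."""
    cols = table_columns(conn, table)
    rows = conn.execute(f"SELECT * FROM {quote_ident(table)}").fetchall()
    return [dict(zip(cols, row)) for row in rows]


def likely_admins(rows: list[dict]) -> list[str]:
    """The heuristic applied by eye on the page: the lowest web_package id
    (first site created) and/or 'admin' in the e-mail address."""
    lowest = min(r["web_package"] for r in rows)
    return [
        r["user"]
        for r in rows
        if r["web_package"] == lowest or "admin" in r["email"].lower()
    ]


if __name__ == "__main__":
    db = build_sample_db()
    for t in list_tables(db):
        print(t, table_columns(db, t))
        for row in dump_table(db, t):
            print("  ", row)
    print("likely admins:", likely_admins(dump_table(db, "web_hosting")))
```

If the query box on the real mission returns errors rather than rows for a table name, the PRAGMA step is a cheap way to confirm you are pointed at the right file before guessing column names.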

Accessing Admin Area

If we head back to the admin area that we discovered earlier, we should now be able to log in with the wonderdiet web user and their password of suckereveryminute. Once logged in to the admin area, we have a number of options, including the ability to download a file.

Admin Area | Hackthissite realistic web mission level 11

By clicking the download link, we are redirected to a page that shows the full path of the file being downloaded. We know from the directory listing and the filename given to us by the client where the backup file is located.

URL | hackthissite realistic web mission level 11

By modifying the URL to point to the src.tar.gz file that the client specified, we should be able to download their backup file and complete the mission. I have included the full URL path to the file below.

https://www.hackthissite.org/missions/realistic/11/admin/d.pl?file=/var/www/budgetserv/html/client_http_docs/space46/src.tar.gz
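The hidden sql_db field earlier and the d.pl file parameter here are the same bug: a client-supplied path is used as given, so "../" walks out of the intended directory and an absolute path replaces it entirely. The following is an added example, not code from the original page or the mission, showing a naive resolver beside a hardened one. Directory names are taken from the page; the two base directories and the handler logic are assumptions for the example, and paths are handled with posixpath so it runs on any OS.

```python
import posixpath

# Assumed base directories for the two handlers on the page. RWR_DIR is where
# the radio app's rwr.dbase is taken to live; DOWNLOADS_DIR is a hypothetical
# per-customer download root for d.pl.
RWR_DIR = "/var/www/budgetserv/html/client_http_docs/therightwayradio"
DOWNLOADS_DIR = "/var/www/budgetserv/html/client_http_docs/wonderdiet"


def vulnerable_resolve(base: str, user_path: str) -> str:
    """What a naive handler effectively does: join and open.

    posixpath.join drops `base` entirely when `user_path` is absolute, and
    normpath folds ".." segments, so both injection styles from the page
    (../../../bs.dbase and an absolute path to src.tar.gz) succeed."""
    return posixpath.normpath(posixpath.join(base, user_path))


def resolve_inside(base: str, user_path: str) -> str:
    """Hardened resolver: reject absolute paths and NUL bytes, normalise, then
    require the result to sit strictly below `base`. On a real filesystem also
    run the result through os.path.realpath so a symlink cannot point back out."""
    base = posixpath.normpath(base)
    if not user_path or user_path.startswith("/") or "\x00" in user_path:
        raise ValueError(f"rejected path: {user_path!r}")
    candidate = posixpath.normpath(posixpath.join(base, user_path))
    if not candidate.startswith(base + "/"):
        raise ValueError(f"path escapes {base}: {user_path!r}")
    return candidate


def is_contained(base: str, user_path: str) -> bool:
    """Boolean form of resolve_inside for quick checks."""
    try:
        resolve_inside(base, user_path)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for base, p in [
        (RWR_DIR, "rwr.dbase"),
        (RWR_DIR, "../../../bs.dbase"),
        (DOWNLOADS_DIR, "/var/www/budgetserv/html/client_http_docs/space46/src.tar.gz"),
    ]:
        print(f"{p!r}: naive -> {vulnerable_resolve(base, p)}; contained={is_contained(base, p)}")
```

Containment is the minimum fix, not the whole one. For sql_db the database name should never come from the client at all, and for d.pl the right design is an opaque download id looked up against files the authenticated customer owns; a path parameter, even a contained one, still lets one customer's admin account read another customer's files.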

Congratulations you should now have completed this mission.
