Hack This Site: Realistic Web Mission – Level 14

Today we’re looking at Hack This Site Realistic Web Mission 14. Unfortunately, the mission was broken when I was trying to solve it. I would love for somebody to prove me wrong and show me how to complete this correctly. However, after hitting dead end after dead end, I gave up and looked at a number of walkthroughs. The first guide I looked at was aldeid’s. I also watched Chuck Moore’s YouTube video and read this post on the official forums.


Introduction

We received a message from an unknown source who wants to expose Yuppers Internet Solutions for selling their users’ data. The anonymous client used to work as an intern for Yuppers but quit when they learned of their nefarious data-selling activities. They weren’t able to escape with proof, so they have asked us whether we’re able to hack in and find evidence of their data selling.

Message From Unknown Client

Exploring The Web Application

The website appears to have quite a bit going on. It has a search page, a news page, and a number of other pages. The web application appears to be using CGI scripts. CGI (Common Gateway Interface) scripts are programs that the web server executes as separate processes on the server side.

The Web Application

Web Application Exploitation — The Intended Way

As I mentioned, this mission appears to be broken. The intended way to complete this mission is to use a null byte on the news.cgi script. Using the null byte should reveal what files are in the root directory of the web application. With these files, you obtain further knowledge about the application which allows you to proceed to the next step. Unfortunately though, no matter what I tried, I couldn’t get the null byte to work. The news.cgi script has a parameter called story. The story parameter is responsible for calling news stories.

https://www.hackthissite.org/missions/realistic/14/news.cgi?story=1


The screenshot below illustrates an example of the news story parameter being used to load a story. As you can see from the URL, the story parameter is calling the 1st story which is then displayed in the box below the search form.

News Page — Story 1

To exploit this CGI script, we were supposed to append a null byte to the story parameter: story=.%00. The full stop means the current directory. The null byte is meant to terminate the file name early, so that anything the script appends after the parameter value is ignored. Upon inputting the null byte and executing the URL, we were supposed to receive a list of the contents of the current directory, similar to the ls OS command injection that we have done in previous missions.

Null Byte Injection

However, this method doesn’t work. I’ve tried it with various different directory traversals and have attempted to use other escape characters. They either produce the message “Failed to load ..news” or they produce an error message saying it received malformed input. I submitted over 100 different payloads using Burp Intruder and had no success.

Error Message — Failed to load
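The "Failed to load ..news" message shows the script appending .news to the story value, which is the pattern a null byte is meant to cut short. The following is an added example, not code from the mission or from the original post: it models that truncation next to a hardened resolver. The function names, the numeric-id rule and the temporary news directory are assumptions made for illustration.

```python
import os
import re
import tempfile

NEWS_SUFFIX = ".news"                  # suffix visible in the "Failed to load ..news" error
STORY_ID = re.compile(r"[0-9]{1,6}")   # assumption: stories are addressed by small integers


def c_string(path: str) -> str:
    """Model a C-level open(): everything after the first NUL byte is ignored."""
    return path.split("\x00", 1)[0]


def vulnerable_path(story: str) -> str:
    """Hypothetical 'before': append the suffix to raw input and pass it to the OS."""
    return c_string(story + NEWS_SUFFIX)


def safe_story_path(news_dir: str, story: str) -> str:
    """Hardened: allow-list the id, then confirm the result stays inside news_dir."""
    if "\x00" in story:
        raise ValueError("NUL byte in story parameter")
    if not STORY_ID.fullmatch(story):
        raise ValueError("story must be a numeric id")
    base = os.path.realpath(news_dir)
    candidate = os.path.realpath(os.path.join(base, story + NEWS_SUFFIX))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("resolved path escapes the news directory")
    return candidate


def demo() -> dict:
    """Run both resolvers over constructed inputs based on the URLs in the write-up."""
    results = {}
    with tempfile.TemporaryDirectory() as news_dir:
        for story in ["1", ".\x00", "moderator.cgi\x00", "../moderator.cgi"]:
            try:
                hardened = os.path.basename(safe_story_path(news_dir, story))
            except ValueError as exc:
                hardened = f"rejected: {exc}"
            results[story] = (vulnerable_path(story), hardened)
    return results


if __name__ == "__main__":
    for story, (before, after) in demo().items():
        print(f"{story!r:24} vulnerable opens {before!r:24} hardened -> {after}")
```

A server that answers with "malformed input" or keeps the suffix in its error, as described above, is behaving like the hardened resolver rather than the vulnerable one.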


Further Investigation

To back this up further, if we capture the request with Burp Suite and send it to the Repeater tool, we can test payloads quickly. The screenshot below shows that the null byte is failing to escape the CGI script, as ..news is being appended to the “Failed to load” message. I tried URL encoding the payload and many other methods of getting the exploit to trigger but all were unsuccessful.

Burp Suite — Repeater

Web Application Exploitation — My Way

In order to progress further, we need to know the contents of the root directory. In order to do this another way, I used the tool DIRB with the -X flag to specify that I want to see all CGI files. Sure enough, DIRB found the administrator.cgi and the moderator.cgi scripts that are needed to move forward.

DIRB

Unfortunately, there is no way to work around the next part of the mission. This part of the mission requires you to use a null byte to read the contents of the moderator.cgi script. I tried it with the other page parameters but ended up with the same results. The example URLs below should allow you to read the contents of the different scripts. Sadly, they do not work anymore.

URL to read moderator.cgi

http://www.hackthissite.org/missions/realistic/14/news.cgi?story=moderator.cgi%00

URL to read administrator.cgi

http://www.hackthissite.org/missions/realistic/14/news.cgi?story=administrator.cgi%00

Unfortunately, as you can see from the screenshot below, these just result in error messages. Without being able to see the contents of those scripts, there is no way to progress forward in the mission without looking up the answer.

Error Message — Failed To Load
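From the server's side, requests like the two URLs above and the Burp Intruder run described earlier stand out in an access log once the query string is percent-decoded. The following is an added example, not part of the original post, that flags them. The log lines are constructed, and the regular expressions, function names and burst threshold are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines; the client addresses are documentation ranges.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2024:10:00:01 +0000] "GET /missions/realistic/14/news.cgi?story=1 HTTP/1.1" 200 912
203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /missions/realistic/14/news.cgi?story=.%00 HTTP/1.1" 200 301
203.0.113.9 - - [01/Jan/2024:10:00:06 +0000] "GET /missions/realistic/14/news.cgi?story=moderator.cgi%00 HTTP/1.1" 200 301
203.0.113.9 - - [01/Jan/2024:10:00:07 +0000] "GET /missions/realistic/14/news.cgi?story=administrator.cgi%00 HTTP/1.1" 200 301
198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /missions/realistic/14/news.cgi?story=2 HTTP/1.1" 200 887
"""

REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')
NUMERIC_ID = re.compile(r"[0-9]{1,6}")  # assumption: legitimate story ids are small integers


def classify(story: str) -> str:
    """Label one decoded story value."""
    if "\x00" in story:
        return "nul-byte"
    if ".." in story or "/" in story or "\\" in story:
        return "traversal"
    return "ok" if NUMERIC_ID.fullmatch(story) else "non-numeric"


def scan(log_text: str, burst: int = 3) -> dict:
    """Group suspicious story values by client; 'burst' marks probable fuzzing."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        match = REQUEST.match(line)
        if not match:
            continue
        client, target = match.groups()
        url = urlsplit(target)
        if not url.path.endswith("/news.cgi"):
            continue
        # parse_qs percent-decodes, so %00 is compared as a real NUL byte.
        for story in parse_qs(url.query, keep_blank_values=True).get("story", []):
            verdict = classify(story)
            if verdict != "ok":
                hits[client].append((verdict, story))
    return {c: {"hits": h, "burst": len(h) >= burst} for c, h in hits.items()}


if __name__ == "__main__":
    for client, info in scan(SAMPLE_LOG).items():
        print(client, "burst" if info["burst"] else "single", info["hits"])
```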

Moving Forward

Had the null byte exploit worked, we would have been able to see the contents of the CGI script. The CGI script would have contained a username called 'isadmin'. With this username, we can navigate to the moderator.cgi file and log in.

Moderator.cgi Login

Upon logging in, we’re greeted with a moderator panel. The panel offers two options, View Account Info and View Email Traffic.

Moderator Panel

If we submit an asterisk or wildcard to the Account Info Page then we get a list of all the information for our current user. The first two entries are the username and password.

Account Details

Web Application — Privilege Escalation

With this information, we can navigate back to the index page of the application and use the Web Permit login form to log in to the application as 'web guy'.

Upon logging in and accessing the administrator panel, we should complete the mission.

Log in page
