Teach some basic, well-known techniques and attacks. Spark some curiosity, make the user look at the source code and try to figure out what's going on behind the scenes. The main goal is to give a nice welcoming intro to the scene and hopefully also teach something about ethics and responsibility.
The nmap scan:
The nikto scan:
I tried but was never able to insert a PHP backdoor using phpMyAdmin. Later, when I used sqlmap to get an --os-shell, I discovered that there wasn't a writable location to put a shell.
On to the webroot:
The main page at http://192.168.254.130/ has a form for username and password. I read the source and found:
<center>
<form method="post" action="login.php">
<input type="text" name="usr" value="" placeholder="Username">
<input type="password" name="pw" value="" placeholder="Password">
<input type="submit" name="commit" value="Login">
</form>
</center>
<div style="color: #021D29;">
Some f0rms are easier than others. This one was just a means to get to the next level so there was no need for her to apply her full set of skills or fake credentials. Manufacturing a bo0le4n response would probably be enaugh to let her pass.
</div>
In the Username field I inserted "' OR '1'='1';-- " (note the space after the second hyphen) and landed at URL:
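The hint in the form's source ("a bo0le4n response") is the whole weakness: the login only asks whether the query returned a row. The following is an added example, not the VM's login.php and not the author's code; it assumes a string-built query of the shape the form suggests (columns usr and pw, a single users table) and uses an in-memory SQLite table with constructed data so it runs offline. It shows the exact payload from this page turning the WHERE clause into a tautology, next to the parameterized version that treats the same input as a plain string.

```python
import sqlite3

# Constructed demo data (not the CTF's database): a single user row.
# Passwords are kept in plaintext only to keep the demo short; real
# applications store a password hash and compare against that.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (usr TEXT, pw TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn

def render_query(usr, pw):
    # How a string-built login query looks once the form values are pasted in.
    return f"SELECT usr FROM users WHERE usr='{usr}' AND pw='{pw}'"

def login_vulnerable(conn, usr, pw):
    # Assumed shape of the target's login.php: user input concatenated into SQL,
    # and "any row came back" is the only thing checked (the boolean response).
    # With usr = "' OR '1'='1';-- " the WHERE clause is always true and the
    # remainder of the statement (AND pw='...') is commented out.
    row = conn.execute(render_query(usr, pw)).fetchone()
    return row is not None

def login_safe(conn, usr, pw):
    # Hardened form: placeholders send the values separately from the SQL text,
    # so the quotes and the comment marker in usr are just characters in a string.
    row = conn.execute(
        "SELECT usr FROM users WHERE usr=? AND pw=?", (usr, pw)
    ).fetchone()
    return row is not None

# The exact string used on the page, trailing space included.
PAYLOAD = "' OR '1'='1';-- "

if __name__ == "__main__":
    print(render_query(PAYLOAD, "x"))
    print("string-built query:", login_vulnerable(make_db(), PAYLOAD, "x"))
    print("parameterized query:", login_safe(make_db(), PAYLOAD, "x"))
    print("real credentials, parameterized:", login_safe(make_db(), "alice", "correct horse"))
```

Printing render_query(PAYLOAD, "x") shows why the trailing space matters: SQL's "--" line comment needs to be followed by whitespace in some engines, and everything after it, including the password check, is discarded. The parameterized version returns False for the payload and True only for the real credentials.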
When reading the source of this page I find:
<!-- This bot was looking for a Sosū User Agent Identifier she had cracked weeks ago, easy sauce, just a simple md5 hash of the first 7 digits of pi. It was basically common knowledge to the entities moving in these areas but obscurity does create a, albeit virtual, layer of security. -->
echo -n 3.141592 | md5sum
Since I was proxying my browser through Burp Suite, I set the Burp proxy to intercept then refreshed the page and replaced the user agent in the request with the md5sum above.
I landed at URL /2_eccbc87e4b5ce2fe28308fd9f2a7baf3/
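What the server is doing here is comparing one request header against a fixed value, and the hidden comment already admits it is obscurity rather than security: the "secret" is the MD5 of a public number, sent in a plaintext header that anyone proxying their own traffic can edit. The code below is an added example (not the VM's code, not the author's) of that gate written out server-side. It computes the same digest as "echo -n 3.141592 | md5sum", parses the User-Agent out of a raw HTTP request like the one shown in Burp, and compares it. The request text, host and path are constructed placeholders.

```python
import hashlib
import hmac

# The CTF's gate value: MD5 hex digest of the first seven digits of pi,
# identical to what `echo -n 3.141592 | md5sum` prints.
EXPECTED_UA = hashlib.md5(b"3.141592").hexdigest()

def header_value(raw_request, name):
    """Pull one header out of a raw HTTP/1.1 request (the text Burp shows).
    Header names are case-insensitive; the first match wins."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:        # skip the request line
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        if key.strip().lower() == name.lower():
            return value.strip()
    return None

def user_agent_passes(raw_request):
    """Server-side check as the page describes it. compare_digest keeps the
    comparison constant-time, which is good practice, but it does not fix
    the actual weakness: a static, derivable token in a client-controlled
    header is a shared password that never changes."""
    ua = header_value(raw_request, "User-Agent")
    if ua is None:
        return False
    return hmac.compare_digest(ua.encode(), EXPECTED_UA.encode())

# Constructed sample requests; host and path are placeholders, not the CTF's.
ORIGINAL_REQUEST = (
    "GET /level1/ HTTP/1.1\r\n"
    "Host: target.example\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n"
    "Accept: */*\r\n\r\n"
)
# The same request after the User-Agent has been replaced in the proxy.
MODIFIED_REQUEST = ORIGINAL_REQUEST.replace(
    "Mozilla/5.0 (X11; Linux x86_64)", EXPECTED_UA
)

if __name__ == "__main__":
    print("expected User-Agent:", EXPECTED_UA)
    print("browser request passes:", user_agent_passes(ORIGINAL_REQUEST))
    print("modified request passes:", user_agent_passes(MODIFIED_REQUEST))
```

From a defender's side the useful observation is the inverse of the check: a User-Agent that is exactly 32 hex characters is not a browser, so the same one-line comparison makes a cheap detection rule for this kind of hard-coded header token in access logs.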
In the page I noticed:
<p>
Mesmerized by the experience she moved around the newly unlocked ever changing outer layer of the company network.<br>
Diverted on a conscious level, her subconscious was working hard on finding the next piece of the puzzle.<br>
A realisation started to form. She needed to penetrate the next circle, blocked of to unauthorized access.<br>
But she felt a presence of something left behind. Like breadcrumbs, not intentional, but something forgotten by an incomplete piece of code to handle access.
</p>
Breadcrumbs? Could that be referring to cookies?
I refreshed the page again. Take a look at the cookie value in Burp:
I landed at URL /3_e4da3b7fbbce2345d7772b0674a318d5/
I viewed the page source and in the header I see: “Think, but don’t act like a robot.”
One of the first things I did when starting out at the web root was to look at robots.txt, so I already knew that the level 4 URL was listed there: Disallow: /4_8f14e45fceea167a5a36dedd4bea2543
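This level is a reminder that robots.txt is a public file: every Disallow line is a path the operator did not want indexed, handed to anyone who fetches /robots.txt, and a human reader is under no obligation to honour it. The parser below is an added example, not code from the VM or the author. It reads the file's group structure (one or more User-agent lines followed by their rules) and lists every path the file discloses. The sample text is constructed; only the level 4 path comes from this page, the other entries are made up.

```python
# Constructed robots.txt modelled on what the page describes. The first
# Disallow is the path quoted on the page; the others are invented.
SAMPLE_ROBOTS = """\
# robots.txt for the target VM
User-agent: *
Disallow: /4_8f14e45fceea167a5a36dedd4bea2543
Disallow: /private/   # constructed extra entry

User-agent: Googlebot
Disallow: /tmp/
"""

def parse_robots(text):
    """Return {agent: [disallowed paths]} from robots.txt text.
    A group is one or more User-agent lines followed by their rules; a new
    User-agent line after rules have been seen starts a new group."""
    groups = {}
    agents = []          # agents the current group applies to
    rules_seen = False   # have we seen a rule line in the current group?
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if not line or ":" not in line:
            continue
        field, value = (s.strip() for s in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if rules_seen:                    # previous group is finished
                agents = []
                rules_seen = False
            agents.append(value)
            groups.setdefault(value, [])
        elif field == "disallow" and agents:
            rules_seen = True
            if value:                         # empty Disallow means "allow all"
                for agent in agents:
                    groups[agent].append(value)
    return groups

def disclosed_paths(text):
    """Every Disallow path, regardless of agent: the file's effective
    public list of locations the operator considered sensitive."""
    return sorted({p for paths in parse_robots(text).values() for p in paths})

if __name__ == "__main__":
    for agent, paths in parse_robots(SAMPLE_ROBOTS).items():
        print(agent, "->", paths)
    print("disclosed:", disclosed_paths(SAMPLE_ROBOTS))
```

The fix for a directory that must stay private is access control on the directory itself; a Disallow entry only asks well-behaved crawlers to stay out, and in doing so tells everyone else where to look.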
After visiting this URL and reading the source I realized that the [ EOF ] at the bottom was a link to the next level, /5_6512bd43d9caa6e02c990b0a82652dca/.
This page has the location of the next level right out in the open:
/*”Someone didn’t bother reading my carefully prepared memo on commonly-used passwords. Now, then, as I so meticulously pointed out, the four most-used passwords are: love, sex, secret, and…” – The Plague*/
This was obviously a reference to the movie Hackers. I googled "The Plague most-used passwords" and found the answer on IMDb. The password is god.
The hint on this page is in the last paragraph.