Mr_H4sh

Infosec, CTF and more

Hack The Cause Solutions

A couple of days ago a friend sent me a link to a Hack Game… He knows me, I can’t resist!

The Hack Game offered by Hack The Cause is very nice, and I had fun finishing it. I recommend this game to people who know almost nothing about web security, and for anyone with a bit of experience it might be a good refresher ;)

So, let’s start with something serious now.

LEVEL 1: Hidden In Plain Sight

Link: http://hackthecause.info/index.php/level/

Level 1 starts like this (screenshot: level-1)

This is a classic. Let’s take a look at what the hint says:

“Look in the most obvious of places”

Since you want to know more about the level, the first thing you should do is take a look at the source code of the page, and…

<div style='display: none'><p>The Password Is 'good1Morty'</p></div>

Et voilà, the password is good1Morty

LEVEL 2: Client Side Problems

Link: http://hackthecause.info/index.php/level/two

Level 2 looks like this (screenshot: level-2)

The hint looks short on information, but it actually says everything:

The title gives it away already

And it’s true. Indeed, we will find out in a minute.

If you take a look at the source code of the page, you can find a link to a JavaScript file:

<script src="http://hackthecause.info/js/l2.js"></script>

The code of the file above looks like this:

$(document).ready(function() {
	$('#level-text').html('<div style="color: white; position: absolute; top: 15px; right: 15px">Level Two</div>');

	$('#hint-btn').click(function() {
		show_hint('The title gives it away already');
	});

	$('#submit-pass').click(function() {
		if($('#pass-guess').val() == 'TisbutAFLESHwound') {
			flag_captured('three');
		} else {
			display_message('messages', 'Incorrect Password!', 1000);
		}
	});
});

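As you can see, the JavaScript file checks whether the value of the HTML field with the id #pass-guess matches the string TisbutAFLESHwound, which is indeed the password. Because the comparison runs in the browser, the expected value is sent to every visitor inside the script.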

So, the password is TisbutAFLESHwound

LEVEL 3: Daily Crypto

Link: http://hackthecause.info/index.php/level/three

Level 3 looks like this (screenshot: level-3)

This time the page advises you to look at the hint (thank you so much), so this is what you’ll find:

YmlyZFBlcnNvbg==

Cool, that looks like an encoded string… a base64-encoded string.

So, let’s decode it. I’ll give you a website that I have used for many years to encode/decode strings. The website is this. It’s very handy, and it’s worth bookmarking.

Once decoded, the string turns out to be birdPerson

So, the password is birdPerson

LEVEL 4: SQL Injection 101

Link: http://hackthecause.info/index.php/level/four

Level 4 looks like this (screenshot: level-4)

This looks nice, I like the title!

As you will notice, this message disappears a second after the page loads:

Login as user “admin”

Perfect, now you know that you should log in with the username admin. Well done.

Let’s take a look at the hint:

SELECT * FROM users WHERE username="$user" AND password="$pass"

Do you know what it is? Did you just say “query”? Exactly!

Of course this is not the password, but it might be the query that the PHP script behind the page executes to log you in. So… the solution must be a SQL injection.

If you just type a single quote (') into the Password field, this is the error that you’ll get:

(screenshot: level-4-error)

Now let’s inject the query that you need to retrieve the password into the Password field:

' UNION ALL SELECT password FROM users WHERE username = 'admin

And that’s it: the response to the request contains the hash 70e6b5dd98d2adc6040dba47ee217184.

So, the password is 70e6b5dd98d2adc6040dba47ee217184

LEVEL 5: Input Modification

Link: http://hackthecause.info/index.php/level/five

Level 5 looks like this (screenshot: level-5)

As you will notice, this message disappears a second after the page loads:

Answer “yes”

You might think “All right”, so you look in the dropdown, and the only option that you’ll find is a sad “No”.

Let’s take a look at the hint:

Dev tools are your friend

That’s right! The dev tools of a browser allow you to change the HTML of a page “on the fly”. So, just change the value of the option “No” to “Yes”:

<option>Yes</option>

For this level there’s no password; the solution is <option>Yes</option>

LEVEL 6: Cross Site Script Kiddie

Link: http://hackthecause.info/index.php/level/six

Level 6 looks like this (screenshot: level-6)

As you will notice, this message disappears a second after the page loads:

inject the code “alert(“pwn3d”)”

The level is solved with an XSS injection, as the title says. If you take a look at the hint, this is what you’ll find:

Repetition my dear Watson

It doesn’t sound so intuitive. Well, if you inject the code <script>alert("pwn3d")</script>, the server answers with the following response:

>alert("pwn3d")</script>

It looks like the field is sanitized server side, and the regex used to sanitize it might be ^<script. If the filter only strips the leading <script, a second copy of the tag would pass through untouched. What if the hint is right? What if we actually inject <script>alert("pwn3d")</script><script>alert("pwn3d")</script>?

So, there’s no password for this level, but the solution is <script>alert("pwn3d")</script><script>alert("pwn3d")</script>
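To see why repetition gets through and what closes the hole, here is an added example (not part of the game or the original write-up). It assumes the filter is exactly the ^<script regex guessed above, runs the single and doubled strings through it, and compares the result with HTML output encoding; the function names are hypothetical.

```python
import html
import re
from html.parser import HTMLParser

# The string from the write-up; everything else here is constructed.
SINGLE = '<script>alert("pwn3d")</script>'
DOUBLED = SINGLE * 2


def strip_leading_script(value):
    # Assumed model of the game's filter: delete "<script" only when it is
    # the first thing in the input (the ^<script regex guessed at above).
    return re.sub(r"^<script", "", value)


def encode_for_html(value):
    # Output encoding: every markup character becomes an entity, so the
    # browser shows the text instead of parsing it.
    return html.escape(value, quote=True)


class _StartTags(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def start_tags(markup):
    """Return the element start tags an HTML parser finds in markup."""
    parser = _StartTags()
    parser.feed(markup)
    parser.close()
    return parser.tags


if __name__ == "__main__":
    for label, out in [("filter, single", strip_leading_script(SINGLE)),
                       ("filter, doubled", strip_leading_script(DOUBLED)),
                       ("encoded, doubled", encode_for_html(DOUBLED))]:
        print(label, start_tags(out), out)
```

The filtered doubled input still parses to a script element, while the encoded output parses to none and still displays the original text.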

LEVEL 7: Multi Crypto

Link: http://hackthecause.info/index.php/level/seven

Level 7 looks like this (screenshot: level-7)

As you will notice, this message disappears a second after the page loads:

Look at the hint

If you take a look at the hint, this is what you’ll find:

YWJGYmhjU2JlSA==

One more time, a base64 encoded string.

Once decoded from base64, this is what you’ll find:

abFbhcSbeH

But it’s not the password. This string is encrypted, and it is encrypted with ROT13. Once you decrypt it, you’ll get the string noSoupForU

So, the password is noSoupForU

LEVEL 8: Hash Around

Link: http://hackthecause.info/index.php/level/eight

Level 8 looks like this (screenshot: level-8)

As you will notice, this message disappears a second after the page loads:

Login as user “admin”

If you take a look at the hint, this is what you’ll find:

You need to work around the password field being hashed

Not so helpful, but I can assure you that this is another level where you have to use a SQL injection technique to go ahead. After some testing on the Password field you may think that it is very well sanitized, as the page’s answer will always be empty, so the last resort is the Username field.

Indeed, if you type admin ', this is the error that you’ll get:

(screenshot: level-8-error)

The md5 string in the password field of the executed query explains why all your attempts were in vain.

Now that we’ve found the vulnerability, let’s put the right query into the Username field:

admin ' UNION ALL SELECT password FROM users WHERE username = 'admin

There’s no password for this level, since executing the query passes it, so the solution is admin ' UNION ALL SELECT password FROM users WHERE username = 'admin
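The query-building patterns behind Level 4 and Level 8, next to the parameterized form that fixes both, as an added example (not the game's code or part of the original write-up). The schema, the sample password, the function names and the single-column SELECT (the hint shows SELECT *) are assumptions, and SQLite stands in for whatever database the PHP script uses.

```python
import hashlib
import sqlite3

# The string the write-up submits in Level 4 (and, after "admin ", in Level 8).
PAYLOAD = "' UNION ALL SELECT password FROM users WHERE username = 'admin"
SAMPLE_PASSWORD = "constructed-sample"  # constructed value, not from the game


def md5_hex(text):
    # MD5 only mirrors the hash seen in the Level 8 error; it is not a
    # suitable password hash.
    return hashlib.md5(text.encode()).hexdigest()


def make_db():
    """Constructed in-memory table with one user (assumed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', ?)",
               (md5_hex(SAMPLE_PASSWORD),))
    return db


def run(db, sql, params=()):
    try:
        return db.execute(sql, params).fetchall()
    except sqlite3.Error as exc:
        return "SQL error: %s" % exc


def level4_concat(db, user, password):
    # Level 4 pattern: both fields are pasted into the SQL text.
    return run(db, "SELECT password FROM users WHERE username='%s' "
                   "AND password='%s'" % (user, password))


def level8_concat(db, user, password):
    # Level 8 pattern: the password is hashed first, so quotes typed there
    # never reach the SQL, but the username is still pasted in.
    return run(db, "SELECT password FROM users WHERE username='%s' "
                   "AND password='%s'" % (user, md5_hex(password)))


def login_bound(db, user, password):
    # Hardened form: placeholders keep both values as data, never as SQL.
    return run(db, "SELECT password FROM users WHERE username=? AND password=?",
               (user, md5_hex(password)))
```

Hashing the password before it enters the query only protects that one field: a quote in the username still breaks the statement in level8_concat, while login_bound treats the same input as an ordinary non-matching username.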

Conclusion

That’s it. This is basically the end (for now) of this hack game. I really enjoyed it, and I think it’s a good way to start playing CTF games for people who have never played any CTF game or have basic knowledge of web security. For any information or comment, please do not hesitate to leave a comment.

./A
