
Quest For Hack


Quest For Hack is a game in the spirit of Try2Hack, created by our guys from GipsHackers Crew. Here is the link: http://quest.gipshack.ru/index.htm. At the request of one of the developers, the keys are not disclosed in any way; only the route through each level is shown...

Let's start with the source.
Guess the default administrative password. I trust nobody has any problems here:

1) The main level. Yandex.
As we are prompted, we use the administration form. Then open the source of the administration page and look at the JavaScript:

function Test(passwd) {
    if (passwd == ...
        window.alert('ok. you hacked me');
        location.href = "

Substitute the password found there and click the button, or go straight to the link given in location.href. That's it. The key to the next level is ours.

2) MICROSOFT
Look through the source of index.html. We see the algorithm that compares the login and password, so we look for them. Notice an interesting line:
<SCRIPT src=logo.gif>
Open this logo.gif (it is loaded as a script): the login and password are in it. Substitute them into the form, press Enter, and get the key...

3) Matrix
We won't dwell on the fakes, so straight to the point. Go to the chat and view its source. Notice the following line:
<param name=movie value="passwd.swf">
Download this Flash file. Then open it either directly in some editor (not HEX) or in a program that takes SWF files apart. I opened it in the editor (FAR). Notice a line with the word KEY.. That's it, the key is ours...

4) Macromedia
Everything is quite simple here. The key is inside the Flash file. You can download it (see the source), but there is an easier way. In Opera, right-click on the Flash movie and untick Loop. Right-click again and click Forward. That's it. The key is ours.

5) Sun Microsystem
Go to Downloads. Download the sunmicro.exe file. Take any resource explorer; I used the one built into ShadowScan. Browse the resources and find what we need. Save it as a .bmp file and open it. The key is ours.

6) NASA
On entering, a password is requested right away, blah blah blah. Take a downloader (even FlashGet) and fetch this index.html. Open it in an editor (notepad). Notice these lines:
login = prompt("Password protected. Enter login first:", "");
if (login ==
Go back to the page and enter whatever follows login == (without the quotes, of course). We are on the page. Here we are offered the administration form. Look at the source. We see:
<input type="reset" value="enter here" onClick="resultion(entr.login.value, entr.passwd.value, entr.NEWURL.value)">
That is, our data is passed to the resolution function, so we need to find its definition. Notice the line:
<script language=Javascript src=base64.js>
Look at this file. The resolution function is there. We are interested in two lines: var entrance = hexcode(login); and if (password == entrance). It is clear that the password must be the hex code of the login we entered. I entered 49 -31. That's it. Our key.

7) FBI
On the first access to the page we receive the following cookie:
Set-Cookie: cookietester=1
and see the message: Come back again. So we do. On reloading the page, we send:
Cookie: cookietester=1
Cookie2: $Version="1"
and receive:
Set-Cookie: cookietester=2
and see: You are only 1 times visit this page. Try until 3000 visits. Once more. We send:
Cookie: cookietester=2
Cookie2: $Version="1"
and receive:
Set-Cookie: cookietester=3
So the cookie hides a visit counter, i.e. how many times we have opened the page. The line Try until 3000 visits tells us we need to go there 3000 times to get the key. Instead, we do this by changing the cookie cookietester=2 to cookietester=3000 and going to the page again. We see OK. The key for the next level is ...
That is, to get the key we must tell the server that we have been here 3000 times. I made this request (working through a proxy):
GET http://quest.gipshack.ru/hackme/3/fbi/index.php HTTP/1.0
User-Agent: Opera/6.0 (Windows 2000; U) [en]
Host: quest.gipshack.ru
Accept: text/html, image/png, image/jpeg, image/gif, image/x-xbitmap, */*
Accept-Language: en, ru
Accept-Charset: windows-1252;q=1.0, utf-8;q=1.0, utf-16;q=1.0, iso-8859-1;q=0.6, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Referer: http://quest.gipshack.ru/hackme/index.php
Cookie: cookietester=3000
Cookie2: $Version="1"
Pragma: no-cache
Cache-Control: no-cache
Proxy-Connection: Keep-Alive

The key comes back in place of the annoying message ;).
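The counter on this level lives entirely in a cookie the client holds, so the server cannot tell a counter that really reached 3000 from one that was simply edited. The Python below is an added illustration, not part of this walkthrough or of the game's own code: it contrasts a plain counter with one protected by an HMAC, so that an edited count no longer verifies. The server secret, the cookie layout count.mac and the handler names are assumptions made for the example; the messages and the threshold of 3000 are the ones the level shows.

```python
import hmac
import hashlib

# Constructed secret for this example; a real server loads it from configuration
# and never sends it to the client.
SERVER_SECRET = b"example-only-secret"
THRESHOLD = 3000  # number of visits the level's message demands


def sign_counter(count: int, secret: bytes = SERVER_SECRET) -> str:
    """Encode a counter as 'count.mac' with mac = HMAC-SHA256(secret, count)."""
    payload = str(count).encode()
    mac = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return f"{count}.{mac}"


def verify_counter(cookie_value, secret: bytes = SERVER_SECRET):
    """Return the counter if the cookie carries a valid MAC, otherwise None."""
    if not cookie_value:
        return None
    count_str, sep, mac = cookie_value.rpartition(".")
    if not sep or not count_str.isdigit():
        return None
    expected = hmac.new(secret, count_str.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    return int(count_str)


def page_text(seen: int) -> str:
    """Message the page shows for the number of visits already seen."""
    if seen == 0:
        return "Come back again."
    if seen >= THRESHOLD:
        return "OK"
    return f"You are only {seen} times visit this page. Try until {THRESHOLD} visits."


def visit_plain(request_cookie):
    """Weak handler: trusts whatever number the client sends back.
    Returns (page text, value for the Set-Cookie header)."""
    seen = int(request_cookie) if request_cookie and request_cookie.isdigit() else 0
    return page_text(seen), str(seen + 1)


def visit_signed(request_cookie):
    """Hardened handler: a missing, malformed or tampered cookie restarts at zero.
    Returns (page text, value for the Set-Cookie header)."""
    seen = verify_counter(request_cookie)
    if seen is None:
        seen = 0
    return page_text(seen), sign_counter(seen + 1)


def forge(cookie_value: str, new_count: int) -> str:
    """Tamper test: change only the count of a signed cookie and keep the old MAC."""
    _, _, mac = cookie_value.rpartition(".")
    return f"{new_count}.{mac}"


if __name__ == "__main__":
    # Plain counter: one edited request is enough.
    print("plain  :", visit_plain("3000")[0])
    # Signed counter: the same edit fails verification and the count starts over.
    _, first_cookie = visit_signed(None)
    print("signed :", visit_signed(forge(first_cookie, 3000))[0])
```

The signed value only guarantees integrity: a client can still replay an old cookie or make 3000 genuine requests, so state that must not be forged at all belongs in a server-side session keyed by a random identifier rather than in the cookie itself.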

8) CIA
It's simple. Use exactly: Mozilla/5.0 (compatible; Opera 7.01; UNIX). That is, change the User-Agent value to Mozilla/5.0 (compatible; Opera 7.01; UNIX). We get: Yor system is OK, but address, you came from, must be 212.215.125.126. So we are asked to come from 212.215.125.126. We fake the Referer: 212.215.125.126. Go to the page again, and the key is ours %).

9) White House
We go in. But don't head for the administrative entrance as we are prompted to; otherwise you will have to solve yet another problem ;) We go straight to the entrance for users. There we get an error message: Warning: Too many connections to database 'db_user.inc'. Try to login later!. Substitute db_user.inc into the URL and look. Now do the same with db_admin.inc. There are our login and password. Now we boldly go to the admin entrance and enter the data obtained. We get the key.

10) Pentagon
So we have reached the final level ;). After poking around and clicking, we notice that the user area is served by the script view.pl, whose parameter is the path to a file. In the source we catch sight of admin.pl. Substitute it and we get:
http://gipshack.ru/cgi-bin/view.pl?path_to_file=admin.pl&Submit=View
We look. We see it is a fake, but a necessary one: as a hint, we are shown the main workings of the script and understand its logic. We see that the user password (by the game creators' design) is taken from /etc/passwd. We try to get it: view.pl?path_to_file=/etc/passwd? Doesn't work. We try a relative path, view.pl?path_to_file=../../../etc/passwd, and now JTR gets to work. In 5 minutes it cracks the password. The data obtained is entered into the admin form. It seems we passed =)
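view.pl reads whatever file the query-string parameter names, which is why a relative path with ../ reaches /etc/passwd. As an added example that is not part of this walkthrough or of the game's scripts, the Python below shows the checks such a viewer needs: resolve the requested path against the directory it is meant to serve from and refuse anything that ends up outside it, and allow only a fixed set of file types so that script sources like admin.pl are not served either. The sandbox directory, the file names and the list of viewable suffixes are constructed for this example.

```python
import tempfile
from pathlib import Path

# Assumption for the example: the viewer is only meant to serve these file types.
VIEWABLE_SUFFIXES = {".txt", ".html"}


def resolve_view_path(base_dir: str, user_path: str) -> Path:
    """Map a user-supplied path onto base_dir and prove that it stays inside it.

    Raises ValueError for NUL bytes, absolute paths and any '..' or symlink
    trick that resolves to a location outside base_dir.
    """
    if "\x00" in user_path:
        raise ValueError("NUL byte in path")
    base = Path(base_dir).resolve()
    # Joining an absolute user_path discards base, so the containment check
    # below catches absolute paths as well as '..' sequences.
    candidate = (base / user_path).resolve()
    try:
        candidate.relative_to(base)  # raises ValueError if not under base
    except ValueError:
        raise ValueError(f"path escapes base directory: {user_path!r}") from None
    return candidate


def read_view_file(base_dir: str, user_path: str) -> str:
    """Serve a file only if it is inside base_dir, an allowed type, and a regular file."""
    target = resolve_view_path(base_dir, user_path)
    if target.suffix.lower() not in VIEWABLE_SUFFIXES:
        raise ValueError(f"file type not viewable: {target.suffix!r}")
    if not target.is_file():
        raise FileNotFoundError(str(target))
    return target.read_text()


def classify(base_dir: str, user_paths) -> dict:
    """Label each requested path 'allowed' or 'rejected' (used by the demo)."""
    verdicts = {}
    for p in user_paths:
        try:
            read_view_file(base_dir, p)
            verdicts[p] = "allowed"
        except (ValueError, FileNotFoundError):
            verdicts[p] = "rejected"
    return verdicts


def demo() -> dict:
    """Build a throwaway cgi-bin directory and run the level's requests through it."""
    base = tempfile.mkdtemp(prefix="cgi-bin-")  # constructed sandbox
    (Path(base) / "subdir").mkdir()
    (Path(base) / "readme.txt").write_text("public text file\n")
    (Path(base) / "admin.pl").write_text("#!/usr/bin/perl\n# script source\n")
    requests = [
        "readme.txt",            # legitimate request
        "admin.pl",              # inside base, but script source is not viewable
        "../../../etc/passwd",   # the traversal used on this level
        "/etc/passwd",           # absolute path
        "subdir/../readme.txt",  # '..' that still stays inside base: fine
    ]
    return classify(base, requests)


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{verdict:8} {path}")
```

The containment test compares fully resolved paths, so it also holds when a symlink inside the served directory points elsewhere; a check that only strips ../ from the string would not.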

Don't think everything was that easy. There were fakes, and there were places where I wanted to bang my head on the keyboard 8). What you have here is just a set of ready-made solutions. It is much more interesting to go through everything yourself or together with someone, so this article is only for those who got firmly stuck on one of the levels.
Overall, the guys from GipsHackers Crew are great. Keep developing your project! Good luck ;).

PS
Thanks to all those with whom we shared this fun.

Posted by: r4ShRaY


Material published by permission of DHGROUP (http://www.dhgroup.org)