
Network abbreviations


A few days ago (06/13/02), some guy sent me the URL http://www.try2hack.nl/level1.html, saying: test your skills. I admit, every task on this site was difficult in its own way, but interesting all the same. If you have not taken this test yet, I strongly recommend trying it. And those who have already tried and did not reach the 10th task can read this article =)
Well, let's get started. I will say up front that I describe the solutions to the first 9 tasks, going into detail only on the difficult and interesting ones.

#1.

Elementary. Here is the JavaScript source of the password check:
 <SCRIPT LANGUAGE="JavaScript">
 function Try(passwd) {
   if (passwd == "hackerzzz") {
     alert("Alright! On to level 2 ...");
     location.href = "levvel2.html";
   } else {
     alert("The password is incorrect. Please Don't Try Again.");
     location.href = "http://www.disney.com";
   }
 }
 </SCRIPT>
In the third line, the entered value is compared with the string "hackerzzz", which in this case plays the role of the password.

#2.

I admit, at first glance the task seemed difficult to me. I was wrong =)
Download the Flash movie, open it in Notepad (or in a hex editor), and at the very bottom (addresses 00000440-00000490) we see:
txtUsername ...... Try2Hack.I .... txtPassword ...... NokiaIsGood.I .......... LLeVeLL3.html
Login: Try2Hack
Password: NokiaIsGood
Next task: LLeVeLL3.html

#3.

A very witty and interesting task.
Here is the JS source:
 <SCRIPT language="JavaScript">
 pwd = prompt("Please enter the password for level 3:", "");
 if (pwd == PASSWORD) {
   alert("Alright!\nEntering Level 4 ...");
   location.href = CORRECTSITE;
 } else {
   alert("WRONG!\nBack to disneyland !!!");
   location.href = WRONGSITE;
 }
 PASSWORD = "AbCdE";
 CORRECTSITE = "level4.html";
 WRONGSITE = "http://www.disney.com";
 </SCRIPT>
It would seem that the password is "AbCdE", but how can that work if it is defined at the end? Yet the variable PASSWORD was somehow already defined at the time of the check, otherwise the interpreter would have raised the error "PASSWORD: no definition". Only after 20 minutes of thinking did one line catch my eye:
<SCRIPT src="JavaScript"></SCRIPT>
It simply had not occurred to me that "JavaScript" is a file =))) And that is exactly where the real values of the variables were:
PASSWORD = "TheCorrectAnswer";
CORRECTSITE = "thelevel4.html";
WRONGSITE = "http://www.disney.com";

#4.

Poking around in the applet, my attention was drawn to the line at 00000A60-00000A80. The applet read lines from the file *level4* (the decompiled source later confirmed this). Most likely, it was the password file. Most interestingly, it kept working with my hard drive. That is, the file *level4* was either on the Internet or on my computer. And if on mine, then where? Right: either in the cookies or in Temp. Having cleaned out both, we went to the page with the applet. A couple of files appeared in Temp, one of which was level4[2].txt.
Content:
5_level_5.html
Try2hack
AppletsAreEasy
By the way, inside the applet, as a decoy, was this: "txtUsername = AlmostAHacker ..... txtPassword = ZqrE01A2d" Sneaky =)
/* Gr33tz 2 godson */

#5.

We are asked to download the file level5.exe. It asks for a login and password, which are obviously stored in the file itself. Opening it in a hex editor, this caught my eye:
http://www.try2hack.f2s.com/login-level6.html ..... txtUsername = AlmostAHacker ..... txtPassword = ZqrE01A2d
Address: 000019F0-00001A50.
Too easy, I thought. And I was right: the passwords did not fit. Next came the disassembler =):
Login: Try2Hack
Password: OutOfInspiration
Next task: level-6.html
/* gr33tz 2 a3oX =) */

#6.

A very confusing task. Again we are asked to download a program, which connects to the server before your eyes and checks the data you entered for validity. This time, the creators honestly warn: "this is not level 5, you can't decompile this exe's."
The SpyNet sniffer came to the rescue. I will not describe what we did and how (that needs a separate article); I will only post the packet that interests us:
It is a little cropped (try copying from SpyNet yourself), but the main part (password, login, page) is clearly visible. It would seem the job is done, but no. All the data is encrypted :-/
(USERNAME) .. ababa abbab baaaa aaabb ....
(PASSWORD) .. ababa aaaaa abbaa abbba aaaaa baaaa baaba babba ....
I grabbed John the Ripper and started brute-forcing... just kidding =)) It was Bacon's cipher. A completely elementary algorithm, not even encryption but an encoding:
aaaaa = a
aaaab = b
aaaba = c
aaabb = d
etc.
The result of manual decoding was:
Login: LORD
Password: LANPARTY
Page: LEVELSEVEN.html
Learn your computer science, kids =)
/* gr33tz 2 D4rkGr3y ;) */
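
The manual decoding above, as an added example (not code from the original article): a decoder for the 24-letter Bacon table, in which I/J and U/V share a code, run over the two captured fields. The function names and the `CAPTURED` sample are assumptions made for illustration; the 26-letter table is included to show that the variant has to be guessed correctly.

```python
import re
import string

# Two fields as quoted in the article from the sniffed response.
CAPTURED = """\
(USERNAME) .. ababa abbab baaaa aaabb ....
(PASSWORD) .. ababa aaaaa abbaa abbba aaaaa baaaa baaba babba ....
"""

ALPHABET_24 = "ABCDEFGHIKLMNOPQRSTUWXYZ"   # I/J and U/V share one code each
ALPHABET_26 = string.ascii_uppercase       # later variant, one code per letter
TO_BITS = str.maketrans("ab", "01")


def bacon_decode(groups, alphabet=ALPHABET_24):
    """Decode whitespace-separated a/b groups; '?' marks a cropped or invalid group."""
    out = []
    for group in groups.lower().split():
        if len(group) != 5 or set(group) - set("ab"):
            out.append("?")
            continue
        index = int(group.translate(TO_BITS), 2)
        out.append(alphabet[index] if index < len(alphabet) else "?")
    return "".join(out)


def decode_capture(text, alphabet=ALPHABET_24):
    """Return {label: plaintext} for every '(LABEL) .. groups' line in the capture."""
    fields = {}
    for label, groups in re.findall(r"\((\w+)\)[ .]*((?:[ab]+ ?)+)", text):
        fields[label] = bacon_decode(groups, alphabet)
    return fields


if __name__ == "__main__":
    print(decode_capture(CAPTURED))               # 24-letter table
    print(decode_capture(CAPTURED, ALPHABET_26))  # wrong table gives gibberish
```
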

#7.

We are given a capricious Perl script, level7.pl. The task: make it believe that:
1) the page we came from is http://www.microsoft.com/ms.htm
2) we are using the browser Microsoft Internet Explorer 6.72
3) the operating system is UNIX/LINUX
In general, the task is easy: we just need to generate an HTTP request whose headers contain this information. That is:
Referer: http://www.microsoft.com/ms.htm
User-agent: MSIE 6.72
But the OS is a bit of a problem. There is no header field that explicitly states the operating system. It is usually extracted from the User-Agent. Hoping that level7.pl does exactly that, we sketched a Perl script that sent this request:
GET /cgi-bin/level7.pl HTTP/1.0
Referer: http://www.microsoft.com/ms.htm
User-Agent: MSIE 6.72 (UNIX/LINUX)
Accept: */*

And there we go =)
<A HREF="../Level-8.html"> Level 8 </A>
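
Why this works, seen from the server side, as an added example (not the site's level7.pl, whose source the article does not show): `header_gate` is a hypothetical stand-in that derives all three "facts" from request headers, which are plain client-supplied text. `ORDINARY` is a request constructed here for comparison.

```python
import io
import http.client

# The request from the article (spacing introduced by page extraction removed).
FORGED = (
    b"GET /cgi-bin/level7.pl HTTP/1.0\r\n"
    b"Referer: http://www.microsoft.com/ms.htm\r\n"
    b"User-Agent: MSIE 6.72 (UNIX/LINUX)\r\n"
    b"Accept: */*\r\n\r\n"
)
# Constructed for comparison: what an unmodified browser might send.
ORDINARY = (
    b"GET /cgi-bin/level7.pl HTTP/1.0\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n\r\n"
)


def parse_request(raw):
    """Split a raw HTTP request into (request line, case-insensitive headers)."""
    stream = io.BytesIO(raw)
    request_line = stream.readline().decode("iso-8859-1").strip()
    return request_line, http.client.parse_headers(stream)


def header_gate(headers):
    """Hypothetical check in the style the article assumes: the OS is read from User-Agent."""
    agent = headers.get("User-Agent", "")
    return {
        "referer": headers.get("Referer") == "http://www.microsoft.com/ms.htm",
        "browser": "MSIE 6.72" in agent,
        "os": any(name in agent.upper() for name in ("UNIX", "LINUX")),
    }


def passes(raw):
    """True when every header-derived condition holds for this request."""
    _, headers = parse_request(raw)
    return all(header_gate(headers).values())


if __name__ == "__main__":
    for name, raw in (("forged", FORGED), ("ordinary", ORDINARY)):
        line, headers = parse_request(raw)
        print(name, line, header_gate(headers))
```

Referer and User-Agent are fine for logging and statistics; an access decision has to rest on something the client cannot simply assert.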

#8.

The name of the processing script, phf.cgi, immediately drew attention. I remember it had a lot of hacks on its conscience. After searching Bugtraq, I found an exploit:
/cgi-bin/phf.pp?Qalias=x%0a/bin/cat%20/etc/passwd
The answer was:
BuiZe: Bu3kOx4cCMX2U
The password is encrypted with ordinary DES. It took JTR 15 minutes to recover the password. Which I will probably not publish; whoever needs it can decrypt it =)

#9.

The page with the task shows this message:
New message for BuiZe:

Level 8 completed!
Go to irc.<*>.org and join #<*>
There type /msg <*> begin

In other words, the battlefield moves to IRC. We have hidden the names of the server, channel and bot for reasons that are obvious (to everyone, I hope).

#9.

It consists of many mini-tasks.
We join them on the channel #Try2Hack.
We write "/msg Try2Hack perfect-start".
Well, what does it give us? Here is what:
-TRY2HACK- Welcome to try2hack level 9! Decode the following lines to continue:
-TRY2HACK- Wbva #gel2unpx.yriry9. Gb trg gur xrl lbh arrq gb qrpbqr gur sbyybjvat yvar:
-TRY2HACK- GTI2MJj5YJ15DxVmERy1rQIZ=
-TRY2HACK- Tbbq yhpx, naq frr lbh ba #gel2unpx.yriry9.
Decrypt it yourself... too hard? All right, this time we will not torment you:
http://www.degraeve.com/cgi-bin/rot13.cgi
There we decrypted it, and this is what we got:
Join #try2hack.level9. To get the key you need to decode the following line:
TGV2ZWw5LW15QkIzREl1eDVM=
Good luck, and see you on #try2hack.level9.
We start to panic, with no idea what this is:
TGV2ZWw5LW15QkIzREl1eDVM=
Hmm, at first glance it all seemed complicated, but then we remembered that we used to write mIRC scripts: /echo $decode(TGV2ZWw5LW15QkIzREl1eDVM=,m) gives us Level9-myBB3DIux5L. This becomes our key; we join the channel and get a notice:
-LEVEL9-XXX- Welcome, I am try2hack Level9! Decode the following line to proceed:
-LEVEL9-XXX- 010011100110100101100011011001010010000001101010011011 ...
Good old binary... if you do not want to decode it by hand, then:
http://www.nickciske.com/binary/index.php
We get "Nice job. Now type '/msg TRY2HACK showbug' to see the bug".
So we type /msg TRY2HACK showbug and it shows us this bug:
-TRY2HACK- ovaq pgpe - CVAT pgpe: cvatercyl
-TRY2HACK- cebp pgpe: cvatercyl {avpx hubfg unaq qrfg xrl net} {
-TRY2HACK- frg qhe [rkce [havkgvzr] - $ net]
-TRY2HACK- chgfrei "ABGVPR $ avpx: Lbhe cvat ercyl gbbx $ qhe frpbaqf"}
Oh no, it is encoded again; well, we use the link again, for anyone who forgot %) ... decrypted... But then the bug... this is where we got stuck on this level; if anyone has solved it, email neon@balticum-tv.lt.
Thanks to NeoN for solving the 9th task =)
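
The three decoding layers of level 9 (ROT13, Base64, 8-bit binary), as an added example that is not part of the original article. The input strings are copied from the bot output quoted above; the function names are assumptions, and the bit string stays truncated exactly as the article shows it, so the trailing incomplete byte is returned separately.

```python
import base64
import codecs
import re

# Bot output as quoted in the article.
NOTICE = "Wbva #gel2unpx.yriry9. Gb trg gur xrl lbh arrq gb qrpbqr gur sbyybjvat yvar:"
KEY_LINE = "GTI2MJj5YJ15DxVmERy1rQIZ="
BITS = "010011100110100101100011011001010010000001101010011011"  # truncated on the page


def rot13(text):
    """ROT13 only rotates letters; digits and punctuation pass through."""
    return codecs.decode(text, "rot_13")


def b64_lenient(text):
    """Base64-decode after dropping whitespace and stray '=' and re-padding."""
    body = re.sub(r"[\s=]", "", text)
    if len(body) % 4 == 1:
        raise ValueError("not a valid Base64 length")
    return base64.b64decode(body + "=" * (-len(body) % 4), validate=True)


def bits_to_text(bits):
    """Decode whole 8-bit groups; return (text, leftover bits of a cut-off byte)."""
    bits = re.sub(r"[^01]", "", bits)
    whole = len(bits) - len(bits) % 8
    data = bytes(int(bits[i:i + 8], 2) for i in range(0, whole, 8))
    return data.decode("ascii", errors="replace"), bits[whole:]


def solve_level9():
    """Apply the layers in the order the article walks through them."""
    instruction = rot13(NOTICE)
    key = b64_lenient(rot13(KEY_LINE)).decode("ascii")
    text, leftover = bits_to_text(BITS)
    return instruction, key, text, leftover


if __name__ == "__main__":
    for part in solve_level9():
        print(part)
```
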

Posted by: D4rkGr3y


Material published with permission of DHGROUP (http://www.dhgroup.org)