
Network Abbreviations


A few days back (06/13/02) someone tossed me the URL http://www.try2hack.nl/level1.html, saying: check your strength. I admit, each task on this site was difficult in its own way, but interesting at the same time. Anyone who has not taken this test, I strongly recommend trying it. And those who have already tried and could not reach the 10th task, read this article =)
Well, let's get started. I will say at once that I describe solutions only for the first 9 tasks, and I go into detail only on the complex and interesting ones.

#1.

Elementary. Here is the source of the JS password check:
<SCRIPT LANGUAGE="JavaScript">
function Try(passwd) {
  if (passwd == "hackerzzz") {  // password compared in clear text on the client
    alert("Alright! On to level 2 ...");
    location.href = "levvel2.html";
  }
  else {
    alert("The password is incorrect. Please Don't Try Again.");
    location.href = "http://www.disney.com";
  };
}
</SCRIPT>
In the third line, the entered value is compared with the word "hackerzzz", which in this case plays the role of the password.

#2.

I admit, at first glance the task seemed difficult to me. I was wrong =)
Download the Flash file, open it with Notepad (you can use a hex editor) and at the very bottom (addresses 00000440-00000490) you can see:
txtUsername ...... Try2Hack.I .... txtPassword ...... NokiaIsGood.I .......... LLeVeLL3.html
Login: Try2Hack
Password: NokiaIsGood
Next task: LLeVeLL3.html

#3.

A very witty and interesting task.
Here is the JS source:
<SCRIPT language="JavaScript">
pwd = prompt("Please enter the password for level 3:", "");
if (pwd == PASSWORD) {
  alert("Alright!\nEntering Level 4 ...");
  location.href = CORRECTSITE;
} else {
  alert("WRONG!\nBack to disneyland !!!");
  location.href = WRONGSITE;
}
// Decoy: these assignments run only after the check above
PASSWORD = "AbCdE";
CORRECTSITE = "level4.html";
WRONGSITE = "http://www.disney.com";
</SCRIPT>
It would seem that the password is "AbCdE", but how can this work if it is defined at the end? Yet for some reason the PASSWORD variable was already defined at the time of the check; otherwise the interpreter would have given the error "PASSWORD: no definition". Only after 20 minutes of hesitation did this line catch my eye:
<SCRIPT src="JavaScript"></SCRIPT>
It never occurred to me that "JavaScript" is a file =))) And that is exactly where the true values of the variables lay:
PASSWORD = "TheCorrectAnswer";
CORRECTSITE = "thelevel4.html";
WRONGSITE = "http://www.disney.com";

#4.

Poking around in the applet, my attention was drawn to the lines at 00000A60-00000A80. The applet read lines from the file *level4* (the disassembled source later confirmed this). Most likely it was a password file. The most interesting thing is that it kept working with my hard drive. That is, the file *level4* was either on the Internet or on my computer. And if on mine, then where? Right: either in the cookies or in Temp. Having cleaned out both, I visited the applet page again. A couple of files appeared in Temp, one of which was level4[2].txt.
Content:
5_level_5.html
Try2hack
AppletsAreEasy
By the way, as a decoy the applet contained this: "txtUsername = AlmostAHacker ..... txtPassword = ZqrE01A2d" Heathoo =)
/* Gr33tz 2 godson */

#5.

You are offered the file level5.exe to download. You must enter a username and password, which are obviously stored in the file itself. Having opened it in a hex editor, this caught my eye:
http://www.try2hack.f2s.com/login-level6.html ..... txtUsername = AlmostAHacker ..... txtPassword = ZqrE01A2d
Address: 000019F0-00001A50.
Too easy, I thought. And I was right: the passwords did not fit. Next came the disassembler =):
Login: Try2Hack
Password: OutOfInspiration
Next task: level-6.html
/* gr33tz 2 a3oX =) */

#6.

A very confusing task. Again you are invited to download a program, which connects to the server and checks the data you entered for validity. This time the creators honestly warn: "this is not level 5, you can't decompile this exe's."
The SpyNet sniffer came to the rescue. I will not describe what was done and how (that needs a separate article); I will post only the packet of interest:
  0000: 44 45 53 54 00 00 20 53 52 43 00 00 08 00 45 00 DEST .. SRC .... E.
 0010: 02 40 5F 78 40 00 71 06 14 E0 D5 13 8C 02 C2 57. @ _ X @ .q ........ W
 0020: 6F F2 00 50 04 AE EC 04 FD 8C 1A 9A 11 B0 50 10 o..P .......... P.
 0030: 40 7C AE D3 00 00 48 48 54 54 50 2F 31 2E 31 20 32 @ | .... HTTP / 1.1 2
 0040: 30 30 20 4F 4B 0D 0A 44 61 74 65 3A 20 53 75 6E 00 OK..Date: Sun
 0050: 2C 20 31 34 20 41 70 72 20 32 30 30 32 20 31 38, 14 Apr 2002 18
 0060: 3A 32 32 3A 35 35 20 47 4D 54 0D 0A 53 65 72 76: 22: 55 GMT..Serv
 0070: 65 72 3A 20 41 70 61 63 68 65 0D 0A 43 61 63 68 er: Apache..Cach
 0080: 65 2D 43 6F 6E 74 72 6F 6C 3A 20 6D 61 78 2D 61 e-Control: max-a
 0090: 67 65 3D 36 30 34 38 30 30 0D 0A 45 78 70 69 72 ge = 604800..Expir
 00A0: 65 73 3A 20 53 75 6E 2C 20 32 31 20 41 70 72 20 es: Sun, 21 Apr 
 00B0: 32 30 30 32 20 31 38 3A 32 32 3A 35 35 20 47 4D 2002 18:22:55 GM
 00C0: 54 0D 0A 4C 61 73 74 2D 4D 6F 64 69 66 69 65 64 T..Last-Modified
 00D0: 3A 20 57 65 64 2C 20 31 38 20 41 70 72 20 32 30: Wed, 18 Apr 20
 00E0: 30 31 20 31 35 3A 32 38 3A 30 30 20 47 4D 54 0D 01 15:28:00 GMT.
 00F0: 0A 45 54 61 67 3A 20 22 30 2D 63 63 2D 33 61 64 .ETag: "0-cc-3ad
 0100: 64 62 32 38 30 22 0D 0A 41 63 63 65 70 74 2D 52 db280 ".. Accept-R
 0110: 61 6E 67 65 73 3A 20 62 79 74 65 73 0D 0A 43 6F anges: bytes..Co
 0120: 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 32 30 ntent-Length: 20
 0130: 34 0D 0A 4B 65 65 70 2D 41 6C 69 76 65 3A 20 74 4..Keep-Alive: t
 0140: 69 6D 65 6F 75 74 3D 31 35 2C 20 6D 61 78 3D 31 imeout = 15, max = 1
 0150: 30 30 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 00..Connection: 
 0160: 4B 65 65 70 2D 41 6C 69 76 65 0D 0A 43 6F 6E 74 Keep-Alive..Cont
 0170: 65 6E 74 2D 54 79 70 65 3A 20 74 65 78 74 2F 70 ent-Type: text / p
 0180: 6C 61 69 6E 0D 0A 0D 0A 00 28 45 4E 43 52 59 50 lain ..... (ENCRYP
 0190: 54 49 4F 4E 20 54 59 50 45 29 0D 0A 42 2A 43 2A TION TYPE) .. B * C *
 01A0: 4E 2A 2A 4E 0D 0A 0D 0A 28 55 53 45 52 4E 41 4D N ** N .... (USERNAM
 01B0: 45 29 0D 0A 61 62 61 62 61 20 61 62 62 61 62 20 E) .. ababa abbab 
 01C0: 62 61 61 61 61 20 61 61 61 62 62 0D 0A 0D 0A 28 baaaa aaabb .... (
 01D0: 50 41 53 53 57 4F 52 44 29 0D 0A 61 62 61 62 61 PASSWORD) .. ababa
 01E0: 20 61 61 61 61 61 20 61 62 62 61 61 20 61 62 62 aaaaa abbaa abb
 01F0: 62 61 20 61 61 61 61 61 20 62 61 61 61 61 20 62 ba aaaaa baaaa b
 0200: 61 61 62 61 20 62 61 62 62 61 0D 0A 0D 0A 28 50 aaba babba .... (P
 0210: 41 47 45 29 0D 0A 61 62 61 62 61 20 61 61 62 61 AGE) .. ababa aaba
 0220: 61 20 62 61 61 62 62 20 61 61 62 61 61 20 61 62 a baabb aabaa ab
 0230: 61 62 61 20 62 61 61 61 62 20 61 61 62 61 61 20 aba baaab aabaa 
 0240: 62 61 61 62 62 20 61 61 62 61 61 20 61 62 baabb aabaa ab
Slightly cropped (you try copying it out of SpyNet), but the main part (password, login, page) is clearly visible. It would seem the job is done, but no. All the data was encrypted :-/
(USERNAME) .. ababa abbab baaaa aaabb ....
(PASSWORD) .. ababa aaaaa abbaa abbba aaaaa baaaa baaba babba ....
I grabbed John the Ripper and started brute-forcing... joke =)) It was Bacon's algorithm. A completely elementary algorithm, and not even encryption but encoding:
aaaaa = a
aaaab = b
aaaba = c
aaabb = d
etc.
The result of manual decoding was:
Login: LORD
Password: LANPARTY
Page: LEVELSEVEN.html
Study computer science, kids =)
/* gr33tz 2 D4rkGr3y ;) */
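
The manual decoding above, as an added Python example (not part of the original write-up). It assumes the 24-letter Bacon table, which is the variant that reproduces the page's result; the function names are illustrative, and the cropped last group of the page value is reported rather than guessed.

```python
import re

# 24-letter Bacon table: one code for I/J and one for U/V. "I" and "V" are
# printed for the shared codes; pick the real letter from context.
ALPHABET_24 = "ABCDEFGHIKLMNOPQRSTVWXYZ"
ALPHABET_26 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"  # the other common variant


def code_of(index):
    """5-symbol a/b code for a table position (a = 0, b = 1)."""
    return format(index, "05b").replace("0", "a").replace("1", "b")


def bacon_decode(text, alphabet=ALPHABET_24):
    """Return (plaintext, leftover groups that are not 5 symbols long)."""
    table = {code_of(i): ch for i, ch in enumerate(alphabet)}
    plain, leftover = [], []
    for group in re.findall(r"[ab]+", text):
        if len(group) == 5:
            plain.append(table.get(group, "?"))
        else:
            leftover.append(group)   # e.g. a capture cut off mid-letter
    return "".join(plain), leftover


def candidates(prefix, alphabet=ALPHABET_24):
    """Letters whose code begins with a cropped group."""
    return [ch for i, ch in enumerate(alphabet) if code_of(i).startswith(prefix)]


# Groups copied from the captured packet on this page (PAGE is cropped there).
USERNAME = "ababa abbab baaaa aaabb"
PASSWORD = "ababa aaaaa abbaa abbba aaaaa baaaa baaba babba"
PAGE = "ababa aabaa baabb aabaa ababa baaab aabaa baabb aabaa ab"

if __name__ == "__main__":
    print(bacon_decode(USERNAME))
    print(bacon_decode(PASSWORD))
    print(bacon_decode(PAGE), candidates("ab"))
    # The wrong table still "decodes", just to nonsense.
    print(bacon_decode(PASSWORD, ALPHABET_26))
```

Because the mapping is fixed and keyless, anyone who captures the traffic recovers the credentials; the encoding adds no confidentiality on the wire.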

#7.

We are given a Perl script, level7.pl. The assignment: make it believe that:
1) the page we came from is http://www.microsoft.com/ms.htm
2) we are using the Microsoft Internet Explorer 6.72 browser
3) our operating system is UNIX/LINUX
In general the task is easy: we just need to build an HTTP request whose headers carry this information. I.e.:
Referer: http://www.microsoft.com/ms.htm
User-agent: MSIE 6.72
But the OS is a small problem. The headers have no field that states the operating system type explicitly. It is usually extracted from the User-agent. Hoping that level7.pl works this way, we sketched a Perl script that sent the following request:
GET /cgi-bin/level7.pl HTTP/1.0
Referer: http://www.microsoft.com/ms.htm
User-Agent: MSIE 6.72 (UNIX/LINUX)
Accept: */*

And oops =)
<A HREF="../Level-8.html">Level 8</A>
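
The server side of this exchange, as an added Python example (not the real level7.pl, whose source the page does not show). The check logic in failed_checks is an assumption modelled on the three conditions listed above, and PLAIN is a constructed sample request.

```python
import io
import re
from http.client import parse_headers

# The request from this page, with the CRLF line endings HTTP uses.
REQUEST = (b"GET /cgi-bin/level7.pl HTTP/1.0\r\n"
           b"Referer: http://www.microsoft.com/ms.htm\r\n"
           b"User-Agent: MSIE 6.72 (UNIX/LINUX)\r\n"
           b"Accept: */*\r\n\r\n")

# Constructed sample: a request with none of the expected values.
PLAIN = (b"GET /cgi-bin/level7.pl HTTP/1.0\r\n"
         b"User-Agent: ExampleBrowser/1.0 (Windows)\r\n\r\n")


def failed_checks(raw):
    """Assumed logic of a header-based gate (not the real level7.pl)."""
    fp = io.BytesIO(raw)
    fp.readline()                      # request line: method, path, version
    headers = parse_headers(fp)        # header names match case-insensitively
    agent = headers.get("User-Agent", "")
    failed = []
    if headers.get("Referer") != "http://www.microsoft.com/ms.htm":
        failed.append("referer")
    if "MSIE 6.72" not in agent:
        failed.append("browser")
    # No header names the OS, so a gate can only search User-Agent for it.
    if not re.search(r"unix|linux", agent, re.IGNORECASE):
        failed.append("os")
    return failed


if __name__ == "__main__":
    print(failed_checks(REQUEST))   # all three checks pass
    print(failed_checks(PLAIN))     # all three checks fail
```

All three conclusions are drawn from two header lines written by the client, so a gate of this kind describes the request and not the caller; anything that must be trusted belongs in server-side state.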

#8.

The name of the processing script, phf.cgi, immediately caught my attention. I remember it had a lot of break-ins on its conscience. After searching Bugtraq, I found this:
/cgi-bin/phf.pp?Qalias=x%0a/bin/cat%20/etc/passwd
The answer was:
BuiZe:Bu3kOx4cCMX2U
The password is encrypted with plain DES. It took JtR 15 minutes to recover the password. Which I will not hand out; whoever needs it can crack it =)

#9.

On the page with the task there is a message:
New message for BuiZe:

Level 8 completed!
Go to irc.<*>.org and join #<*>
There type /msg <*> begin

In other words, the battlefield moves to IRC. The names of the server, the channel and the bot have been hidden for obvious (hopefully to everyone) reasons.

#9.

It consists of many mini-tasks.
We go to the channel #Try2Hack.
We write "/msg Try2Hack perfect-start"
And what does it give us? This:
-TRY2HACK- Welcome to try2hack level 9! Decode the following lines to continue:
-TRY2HACK- Wbva #gel2unpx.yriry9. Gb trg gur xrl lbh arrq gb qrpbqr gur sbyybjvat yvar:
-TRY2HACK- GTI2MJj5YJ15DxVmERy1rQIZ=
-TRY2HACK- Tbbq yhpx, naq frr lbh ba #gel2unpx.yriry9.
Decrypt it yourself... too hard? Well then, we won't torment you:
http://www.degraeve.com/cgi-bin/rot13.cgi
So we deciphered it, and this is what we got:
Join #try2hack.level9. To get the key you need to decode the following line:
TGV2ZWw5LW15QkIzREl1eDVM=
Good luck, and see you on #try2hack.level9.
We start to panic and don't know what this is:
TGV2ZWw5LW15QkIzREl1eDVM=
Hmm, at first glance it all seemed difficult, but then we remembered mIRC scripts: we write /echo $decode(TGV2ZWw5LW15QkIzREl1eDVM=,m) and get Level9-myBB3DIux5L. This is our way in; we go to the channel and get a notice:
-LEVEL9-XXX- Welcome, I am try2hack Level9! Decode the following line to proceed:
-LEVEL9-XXX- 010011100110100101100011011001010010000001101010011011 ...
Good old binary... if you don't want to decode it by hand, well:
http://www.nickciske.com/binary/index.php
We get "Nice job. Now type '/msg TRY2HACK showbug' to see the bug"
So we write /msg TRY2HACK showbug, and it shows us the bug:
-TRY2HACK- ovaq pgpe - CVAT pgpe:cvatercyl
-TRY2HACK- cebp pgpe:cvatercyl {avpx hubfg unaq qrfg xrl net} {
-TRY2HACK- frg qhe [rkce [havkgvzr] - $net]
-TRY2HACK- chgfrei "ABGVPR $avpx :Lbhe cvat ercyl gbbx $qhe frpbaqf"}
Oh no, encrypted again; well, we use the link above again, for those who forgot %) ... decrypted .... And here is the bug ... and this is where we got stuck; if anyone has solved it, send an e-mail to neon@balticum-tv.lt.
For the solution of the 9th task, we thank NeoN =)
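
The three encodings peeled off in this task (ROT13, base64, 8-bit binary), as an added Python example that is not part of the original write-up. The inputs are the bot lines quoted on this page; the helper names are illustrative, and the binary string stops where the page cuts it off.

```python
import base64
import codecs
import re

# Inputs copied from the bot output quoted on this page.
HINT = "Wbva #gel2unpx.yriry9. Gb trg gur xrl lbh arrq gb qrpbqr gur sbyybjvat yvar:"
KEY_LINE = "GTI2MJj5YJ15DxVmERy1rQIZ="
BITS = "010011100110100101100011011001010010000001101010011011"  # page cuts it off here


def rot13(text):
    """ROT13 touches only A-Z/a-z; digits and punctuation pass through."""
    return codecs.decode(text, "rot_13")


def b64_text(token):
    """Base64-decode to ASCII, tolerating stray whitespace and '=' padding."""
    core = re.sub(r"[\s=]", "", token)
    core += "=" * (-len(core) % 4)          # restore the padding actually required
    return base64.b64decode(core, validate=True).decode("ascii")


def bits_text(bits):
    """Decode 8-bit ASCII; return (text, leftover bits of an incomplete byte)."""
    bits = re.sub(r"[^01]", "", bits)
    whole = len(bits) - len(bits) % 8
    chars = [chr(int(bits[i:i + 8], 2)) for i in range(0, whole, 8)]
    return "".join(chars), bits[whole:]


def channel_key(line):
    """The key line is base64 that was then ROT13-ed, so undo ROT13 first."""
    return b64_text(rot13(line))


if __name__ == "__main__":
    print(rot13(HINT))
    print(channel_key(KEY_LINE))
    print(bits_text(BITS))
```

ROT13 leaves digits untouched and maps letters to letters, so the ROT13-ed key line still looks like base64; only the order of the layers matters when undoing them.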

Posted by: D4rkGr3y


Material published by permission of DHGROUP (http://www.dhgroup.org)