Wednesday, June 20, 2012

A Trusted Java Applet to run?!@$@#?

This has been on my mind for a very long time, but I haven't found the time to write about it.

I find it kind of strange to see so many websites out there that "Require a Trusted Java Applet to run" in order to download videos from various video-sharing websites.

Why in the world would you want to run a Java applet which you have no access to, just to download a video? Accepting a signed ("trusted") applet takes it out of the Java sandbox and gives it the same access to your machine as any program you run, so that prompt deserves far more suspicion than a normal web page.

So I took some time to see what is inside the .jar file. The first target for today is http://keepvid.com.
It looks normal, like this:






Just by browsing the website, you won't be prompted to run the Java applet. However, if you enter a video link like the one below:

You will see that your browser will prompt you on whether you want to run the Java applet.



Let's take a look at the source code of the website now; there we can find the location of the .jar file:


By visiting http://keepvid.com/java/keepvid.213.jar we can download the .jar file.

A .jar file is basically a container (a ZIP archive) holding a compiled Java application. Now let's grab a Java decompiler and decompile it. A very friendly and easy-to-use Java decompiler is JD-GUI, http://java.decompiler.free.fr/

Using that, you can read the recovered source code and inspect whether KeepVid's Java applet is indeed non-malicious and safe to use.


As we can see from the image above, everything seems fine. If you are really paranoid, just upload it to VirusTotal.com and let all the anti-virus engines analyse it. xDDD

Well, time to head back to solving challenges.


Cheers
0x4A61636F62



Sunday, June 17, 2012

Solution for Net-Force.nl : Level 107 - Having Fun?!? :-)

This is the link to the original challenge: http://www.net-force.nl/challenge/level107/ 

Quest:
This website is protected by HTML PROTECT 3
Enter the password like this "username:password"

View Source:
<script type="text/javascript">
d="=tdsjqu mbohvbhf> KbwbTdsjqu ?=!..  gvodujpo tipxmphjo(*|  epdvnfou/xsjufmo('=cs?=cs? +#'*< J#ubcmf xjeui> 457  cpsefs> 3  dfmmtqbdjoh> 1 3#qbee 3#bmjho> dfoufs  ifjhiu> 223  :$ :$s?=ue O#52  chdpmps> #7273:F `# `#ejw >$?=gpou  d#GGGGGG  gbdf> Dpvsjfs Ofx-  0#- npop ?=c ^#tj{f> 8 ?Vtfs M i&=0 =#?=0c? .#ejw `$ `$0ue?=0 I%s H# h%e i 5& d%GGCEPP d% \\#gpsn obnf> qbttxpse 6#  poTvcnju> joqvu(*< ? 8&mfgu z# z#UBCMF dfmmTqbdjoh>1 1#Qbee 1#xjeui> 211%  cpsefs>1?=UCPEZ z# z#JOQVU uzqf> ijeefo  ,%vtfs -#  wbmvf> efgbvmu ?=c L& p$S?=UE U$21 if Z&44?&octq<=0UE `# `# \\#8 \\#=GPOU gbdf> Wfsebob- Bsjbm- Ifmwfujdb- tbot.tfsjg  tj{f>2?=C 4$ 4$ w# v# W#3?Qbttxpse=0 F#?=0C? .#UE L% n$ 1$ u&dmbtt>joqvu uzqf>q /$ ?$1 obn 9# r# r# L$0 z&0UCPEZ +#BCMF T#o('&octq< )# /# 5#= g$ Tvcnju   `$ 2#wbmvf> Mphjo Opx  @$ q$ejw?=0gpsn?=0ue (#s (#bcmf Y#~<  gvodujpo  F$(*  |qe> s# %& j# 0#/ O$/upVqqfsDbtf( r#vs [#n/vtfs 6% [#  jg ((vs!>vs*   }}(qe>>voftdbqf( %36%41%41 ,#3%46 ,#4%43 *** | ?$dppljf> IUNMQ K$VtfsJE> ,vs< L# L# +#X L#qe< .%epl(*<~fmtf|bmfsu(  p#bddpvou;  v#,   fssps ! 
* )$pqfo( 3#mpdb {&/isfg> iuuq;00xxx/gffunbo/dpn <~<~<  gvod P# ofn(*|sfuvso usvf~<xjoepx/po >$> G#<wbs u85<em >  =$bzfst<eb 8#bmm<hf 5#hfuFmf .#CzJe<xt >  /$tjefcbs )$nth>   .#c:8< m$ ?& | n% 3#xsjuf(voftdbqf( %4Diunm%4F -#fbe -#ujumf%4FOfu%31Gpsdf%4D%3G <# 1# T#cpez -#tdsjq Y#uzqf%4E%33ufyu%3Gkbwb A#3%31mbohvbh H#KbwbT A#tsd <#tib2%3Fkt ;# C$ k# ;$ ;$ ;$ ;$ #$2%3E%3E%31Tubs y#Ijejoh ($if :# U#1E%1B )#gvodujpo%31wbmjebuf%39%3:%31%8C N#31%31jg +#9%39epdvnfou%3FMphjoGpsn%3Fm /#%3Fwbmvf 3#fohui Y#4F%311 z#37%37 o# l#3Fqbttxpse o# o# o$ )# S$4E )$ r$4 d# K$ c# i$ f# `# v& _$6Gtib2%4EdbmdTIB2%39 Z$: U$ U$ Y# <# X# ^#hppe%6G $&%332e42e:5g41e51eg8:62616e2145f2f:34e13fd5:%33 E% x#%6G 8&%333e8b45d:fg9fgb3dgeg5c9:286g8fefd2de1eeeb w# u$31jg +#9 $& b%%4E 8%3: M#7%37 V# 7& R# 6& T#8 q& G$ ,#bmfsu P$8Xfmm%31Epof%32%38 l# 0% i#8E%31fmtf @$ T# )#epdvnfou%3Fmpdbujpo o&8iuuq%4B%3G%3Gxxx%3Fgffunbo%3Fdpn ]$ &$ W$ G# l$ W# r# u$ u$ u$ u$ o$ >$ 3% G#sfuvso%31gb 4%4 z& R# \\$%31Tupq%31Ijejoh%31tdsjqu ,$E%3E )#4F%4D%3G ># 2#ubcm =&xjeui \\%3311%33%31ifjhiu 8#: 7#bmjh *&3dfoufs :#cpsefs ;# M# &$s +#e%31dmbtt E#uyu G# i# /#gpsn%31obnf L#MphjoG 9# F$dujp G$ .$ 1% L$ v$ :# [%2 [%6 z$ z$ Z$%4B ^&ue R# O%joqvu%31uzq D%uf B# X%m {# 8#tj{ 8# _& 6$ .# p$ x$ I$Qbttxpse {$ U# {$q j# %% ;# (% (% .#bcmf :$%33tvcnj :&wbmv :#T :#poDmjdl <#sfuvso P#jebuf%39%3:%4C R$gpsn 0#dfouf X$ n$ n$%3Gcpez 0#iunm 0#1E%1B **< epdvnfou/dmptf(*<  ~<  xjoepx/pqfo(voftdbqf( %79%85%85%81%4B%3G%3G%88%88 )#3F%7E%7:%7F )# P#84%76%83%87 ,# P#F /#5 *- Vosfhjtufs - xjui>361-ifjhiu>291 *<tipxmphjo(*<=0TDSJQU? ";
e=unescape("%25%36%43%25%33%44%25%32%37%25%35%43%25%33%30%25%30%31%25%30%32%25%30%33%25%30%34%25%30%35%25%30%36%25%30%37%25%30%38%25%35%43%25%37%34%25%35%43%25%36%45%25%30%42%25%30%43%25%35%43%25%37%32%25%30%45%25%30%46%25%31%30%25%31%31%25%31%32%25%31%33%25%31%34%25%31%35%25%31%36%25%31%37%25%31%38%25%31%39%25%31%41%25%31%42%25%31%43%25%31%44%25%31%45%25%31%46%25%32%30%25%32%31%25%32%32%25%32%33%25%32%34%25%32%35%25%32%36%25%35%43%25%32%37%25%32%38%25%32%39%25%32%41%25%32%42%25%32%43%25%32%44%25%32%45%25%32%46%25%33%30%25%33%31%25%33%32%25%33%33%25%33%34%25%33%35%25%33%36%25%33%37%25%33%38%25%33%39%25%33%41%25%33%42%25%33%43%25%33%44%25%33%45%25%33%46%25%34%30%25%34%31%25%34%32%25%34%33%25%34%34%25%34%35%25%34%36%25%34%37%25%34%38%25%34%39%25%34%41%25%34%42%25%34%43%25%34%44%25%34%45%25%34%46%25%35%30%25%35%31%25%35%32%25%35%33%25%35%34%25%35%35%25%35%36%25%35%37%25%35%38%25%35%39%25%35%41%25%35%42%25%35%43%25%33%31%25%33%33%25%33%34%25%35%44%25%35%45%25%35%46%25%36%30%25%36%31%25%36%32%25%36%33%25%36%34%25%36%35%25%36%36%25%36%37%25%36%38%25%36%39%25%36%41%25%36%42%25%36%43%25%36%44%25%36%45%25%36%46%25%37%30%25%37%31%25%37%32%25%37%33%25%37%34%25%37%35%25%37%36%25%37%37%25%37%38%25%37%39%25%37%41%25%37%42%25%37%43%25%37%44%25%37%45%25%37%46%25%32%37%25%33%42%25%30%44%25%30%41%25%37%33%25%33%44%25%32%37%25%32%37%25%33%42%25%30%44%25%30%41%25%36%36%25%36%46%25%37%32%25%32%30%25%32%38%25%36%39%25%33%44%25%33%30%25%33%42%25%36%39%25%33%43%25%36%34%25%32%45%25%36%43%25%36%35%25%36%45%25%36%37%25%37%34%25%36%38%25%33%42%25%36%39%25%32%42%25%32%42%25%32%39%25%37%42%25%30%44%25%30%41%25%36%31%25%33%44%25%36%43%25%32%45%25%36%39%25%36%45%25%36%34%25%36%35%25%37%38%25%34%46%25%36%36%25%32%38%25%36%34%25%32%45%25%36%33%25%36%38%25%36%31%25%37%32%25%34%31%25%37%34%25%32%38%25%36%39%25%32%39%25%32%39%25%33%42%25%30%44%25%30%41%25%36%39%25%36%36%25%32%30%25%32%38%25%36%31%25%33%44%25%33%44%25%33%31%25%32%39%25%32%30%25%36%31%25%33%44%25%33%39%25%33%42%25%30%44%25%30%41%25%36%3
9%25%36%36%25%32%30%25%32%38%25%36%31%25%33%44%25%33%44%25%33%32%25%32%39%25%32%30%25%36%31%25%33%44%25%33%31%25%33%30%25%33%42%25%30%44%25%30%41%25%36%39%25%36%36%25%32%30%25%32%38%25%36%31%25%33%44%25%33%44%25%33%33%25%32%39%25%32%30%25%36%31%25%33%44%25%33%31%25%33%33%25%33%42%25%30%44%25%30%41%25%36%39%25%36%36%25%32%30%25%32%38%25%36%31%25%33%44%25%33%44%25%33%34%25%32%39%25%32%30%25%36%31%25%33%44%25%33%33%25%33%34%25%33%42%25%30%44%25%30%41%25%36%39%25%36%36%25%32%30%25%32%38%25%36%31%25%33%43%25%33%44%25%33%33%25%33%31%25%32%30%25%32%36%25%32%30%25%36%31%25%33%45%25%33%44%25%33%31%25%33%34%25%32%39%25%37%42%25%30%44%25%30%41%25%36%46%25%36%36%25%36%36%25%33%44%25%37%33%25%32%45%25%36%43%25%36%35%25%36%45%25%36%37%25%37%34%25%36%38%25%32%44%25%32%38%25%36%43%25%32%45%25%36%39%25%36%45%25%36%34%25%36%35%25%37%38%25%34%46%25%36%36%25%32%38%25%36%34%25%32%45%25%36%33%25%36%38%25%36%31%25%37%32%25%34%31%25%37%34%25%32%38%25%32%42%25%32%42%25%36%39%25%32%39%25%32%39%25%32%44%25%33%33%25%33%36%25%32%42%25%33%39%25%33%30%25%32%41%25%32%38%25%36%43%25%32%45%25%36%39%25%36%45%25%36%34%25%36%35%25%37%38%25%34%46%25%36%36%25%32%38%25%36%34%25%32%45%25%36%33%25%36%38%25%36%31%25%37%32%25%34%31%25%37%34%25%32%38%25%32%42%25%32%42%25%36%39%25%32%39%25%32%39%25%32%44%25%33%33%25%33%35%25%32%39%25%32%39%25%32%44%25%33%31%25%33%42%25%30%44%25%30%41%25%36%43%25%37%30%25%33%44%25%36%46%25%36%36%25%36%36%25%32%42%25%36%31%25%32%44%25%33%31%25%33%34%25%32%42%25%33%34%25%33%42%25%30%44%25%30%41%25%37%33%25%33%44%25%37%33%25%32%42%25%37%33%25%32%45%25%37%33%25%37%35%25%36%32%25%37%33%25%37%34%25%37%32%25%36%39%25%36%45%25%36%37%25%32%38%25%36%46%25%36%36%25%36%36%25%32%43%25%36%43%25%37%30%25%32%39%25%33%42%25%37%44%25%30%44%25%30%41%25%36%35%25%36%43%25%37%33%25%36%35%25%32%30%25%37%42%25%32%30%25%36%39%25%36%36%25%32%30%25%32%38%25%36%31%25%33%45%25%33%44%25%33%34%25%33%31%25%32%39%25%32%30%25%36%31%25%33%44%25%36%31%25%32%44%25%33%31%25%33%42%25%32%30%25%37%33%25%33%44%25%37%33%
25%32%42%25%36%43%25%32%45%25%36%33%25%36%38%25%36%31%25%37%32%25%34%31%25%37%34%25%32%38%25%36%31%25%32%39%25%33%42%25%37%44%25%37%44%25%33%42%25%36%34%25%36%46%25%36%33%25%37%35%25%36%44%25%36%35%25%36%45%25%37%34%25%32%45%25%37%37%25%37%32%25%36%39%25%37%34%25%36%35%25%32%38%25%37%33%25%32%39%25%33%42%25%30%44%25%30%41");
e=unescape(e);eval(e);
</script>
 
Variable e looks suspicious, so let's alert its content out. We get this:
 
l='\0        \t\n  \r                   !"#$%&\'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\134]^_`abcdefghijklmnopqrstuvwxyz{|}~';
s='';
for (i=0;i<d.length;i++){
a=l.indexOf(d.charAt(i));
if (a==1) a=9;
if (a==2) a=10;
if (a==3) a=13;
if (a==4) a=34;
if (a<=31 & a>=14){
off=s.length-(l.indexOf(d.charAt(++i))-36+90*(l.indexOf(d.charAt(++i))-35))-1;
lp=off+a-14+4;
s=s+s.substring(off,lp);}
else { if (a>=41) a=a-1; s=s+l.charAt(a);}};document.write(s);
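To study this decoder without running it in a browser (no eval, document.write or alert), here is an added example, not the challenge's code: a Node.js port of the decode loop above, plus an encoder for the same scheme so the shift-by-one and the back-references can be checked on input we construct ourselves. The l table and the decode loop come from the script above; htmlProtectDecode, htmlProtectEncode, encodeLiteral, roundTrips and SAMPLE are my own names.

```javascript
// Added example: a Node.js port of the HTML Protect decoder shown above, plus an
// encoder for the same scheme, so the obfuscation can be studied offline without
// eval, document.write or alert. Names other than l, d and s are my own.

// The challenge's l string is just the ASCII table (codes 0..126), so
// l.indexOf(ch) is the character code and l.charAt(n) is the character.
const L = Array.from({ length: 127 }, (_, c) => String.fromCharCode(c)).join('');

// Faithful port of the decode loop: codes 1..4 are remapped control codes,
// codes 14..31 are LZ77-style back-references (copy 4..21 earlier characters),
// and every code >= 41 is shifted down by one (a Caesar shift, hence "=tdsjqu").
function htmlProtectDecode(d) {
  let s = '';
  for (let i = 0; i < d.length; i++) {
    let a = L.indexOf(d.charAt(i));
    if (a === 1) a = 9;   // \x01 -> tab
    if (a === 2) a = 10;  // \x02 -> LF
    if (a === 3) a = 13;  // \x03 -> CR
    if (a === 4) a = 34;  // \x04 -> double quote
    if (a <= 31 && a >= 14) {
      // The next two characters carry the distance back: lo in 0..89, hi in units of 90.
      const lo = L.indexOf(d.charAt(++i)) - 36;
      const hi = L.indexOf(d.charAt(++i)) - 35;
      const off = s.length - (lo + 90 * hi) - 1;
      const lp = off + a - 14 + 4;        // copy length is a - 10
      s += s.substring(off, lp);
    } else {
      if (a >= 41) a = a - 1;
      s += L.charAt(a);                   // charAt(-1) is '', so unknown characters vanish
    }
  }
  return s;
}

const MIN_MATCH = 4;             // opcode 14 copies 4 characters
const MAX_MATCH = 21;            // opcode 31 copies 21 characters
const MAX_DIST = 89 + 90 * 90;   // largest distance the two distance characters can hold

// Inverse of the literal branch. Codes 1..4 and 14..31 mean something else to the
// decoder and '~' would shift to 127, so those characters cannot be represented.
function encodeLiteral(ch) {
  const c = ch.charCodeAt(0);
  if (c === 9) return '\x01';
  if (c === 10) return '\x02';
  if (c === 13) return '\x03';
  if (c === 34) return '\x04';
  if (c >= 40 && c <= 125) return String.fromCharCode(c + 1);   // undone by a - 1
  if (c === 0 || (c >= 5 && c <= 8) || c === 11 || c === 12 || (c >= 32 && c <= 39)) return ch;
  throw new RangeError(`character code ${c} cannot be represented by this scheme`);
}

// Greedy encoder: emit a back-reference for the longest earlier, non-overlapping
// repeat of at least MIN_MATCH characters, otherwise a shifted literal.
function htmlProtectEncode(text) {
  let out = '';
  let i = 0;
  while (i < text.length) {
    let bestLen = 0;
    let bestDist = 0;
    for (let dist = 0; dist <= Math.min(i - 1, MAX_DIST); dist++) {
      const off = i - dist - 1;
      let len = 0;
      while (len < MAX_MATCH && off + len < i && i + len < text.length &&
             text.charAt(off + len) === text.charAt(i + len)) {
        len++;
      }
      if (len > bestLen) { bestLen = len; bestDist = dist; }
    }
    if (bestLen >= MIN_MATCH) {
      out += String.fromCharCode(bestLen + 10, 36 + (bestDist % 90), 35 + Math.floor(bestDist / 90));
      i += bestLen;
    } else {
      out += encodeLiteral(text.charAt(i));
      i += 1;
    }
  }
  return out;
}

// Constructed sample (not taken from the challenge) with quotes, newlines and repeats.
const SAMPLE = '<form name="passwordform">\n  <input type="hidden" name="username">\n' +
               '  <input type="password" name="password">\n</form>\n';

function roundTrips(text) {
  return htmlProtectDecode(htmlProtectEncode(text)) === text;
}

console.log(htmlProtectDecode('=tdsjqu'));            // "<script", as in the challenge's d string
console.log(JSON.stringify(htmlProtectEncode('<b>abcd</b>abcd')));
console.log(roundTrips(SAMPLE));
```

The pairs like "+#" and "`#" scattered through the d string above are exactly these two distance characters following a copy opcode.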
 
What is the variable s that this script is trying to write? Let's alert it out:
 
<script language="JavaScript"><!--
function showlogin(){
document.writeln('<br><br><br><br>');
document.writeln('<table width="346" border="2" cellspacing="0" cellpadding="0" align="center" height="112">');
document.writeln('<tr><td height="41" bgcolor="#61629E">');
document.writeln('<div align="center"><font color="#FFFFFF" face="Courier New, Courier, mono"><b><font size="7">User Login</font></b></font></div>');
document.writeln('</td></tr><tr>');

document.writeln('<td hight="111" bgcolor="#FFBDOO">')
document.writeln('<form name="passwordform" onSubmit="input();"><div align="left">');
document.writeln('<TABLE cellSpacing=0 cellPadding=0 width="100%" border=0><TBODY>');
document.writeln('<INPUT type="hidden" name="username" value="default"><br>');
document.writeln('<TR><TD width=10 height=33>&nbsp;</TD>');
document.writeln('<TD width=70 height=33><FONT face="Verdana, Arial, Helvetica, sans-serif" size=1><B>');
document.writeln('<FONT face=Verdana size=2>Password</FONT></B></FONT></TD><TD width=100 height=33>');
document.writeln('<INPUT class=input type=password size=20 name=password >');
document.writeln('</TD></TR></TBODY></TABLE>');
document.writeln('&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<input type="Submit"  name="Submit" value="Login Now">');
document.writeln('</div></form></td></tr></table>');
};

function input()
{
pd=document.passwordform.password.value.toUpperCase();
ur=document.passwordform.username.value.toUpperCase();
if ((ur!=ur) ||(pd==unescape("%25%30%30%25%32%35%25%33%32"))) {
   document.cookie="HTMLPasswordUserID="+ur;
   document.cookie="HTMLPasswordPassWD="+pd;
   passwdok();
}
else{
   alert("Useraccount: "+ur+ " error !");
   document.open();
   document.location.href="http://www.feetman.com";
}
;};
function nem(){return true};
window.onerror = nem;
var t74;
dl = document.layers;
da = document.all;
ge = document.getElementById;
ws = window.sidebar;
var msg="";
var b97;
 
function passwdok() {
document.open();
document.write(unescape("%3Chtml%3E%3Chead%3E%3Ctitle%3ENet%20Force%3C%2Ftitle%3E%3C%2Fhead%3E%3Cbody%3E%3Cscript%20type%3D%22text%2Fjavascript%22%20language%3D%22JavaScript%22%20src%3D%22sha1%2Ejs%22%3E%3C%2Fscript%3E%3Cscript%20type%3D%22text%2Fjavascript%22%20language%3D%22JavaScript%22%3E%3C%21%2D%2D%20Start%20Hiding%20the%20Script%0D%0A%0D%0Afunction%20validate%28%29%20%7B%0D%0A%20%20if%20%28%28document%2ELoginForm%2Elogin%2Evalue%2Elength%20%3E%200%29%20%26%26%20%28document%2ELoginForm%2Epassword%2Evalue%2Elength%20%3E%200%29%29%20%7B%0D%0A%20%20%20%20login%3Ddocument%2ELoginForm%2Elogin%2Evalue%3B%0D%0A%20%20%20%20pass%3Ddocument%2ELoginForm%2Epassword%2Evalue%3B%20%20%20%20%0D%0A%0D%0A%20%20%20%20login%5Fsha1%3DcalcSHA1%28login%29%3B%0D%0A%20%20%20%20pass%5Fsha1%3DcalcSHA1%28pass%29%3B%0D%0A%0D%0A%20%20%20%20good%5Flogin%3D%221d31d94f30d40df7951505d1034e1e923d02ec49%22%3B%20%0D%0A%20%20%20%20good%5Fpass%3D%222d7a34c9ef8efa2cfdf4b89175f7edec1cd0ddda%22%3B%0D%0A%0D%0A%20%20%20%20if%20%28%28login%5Fsha1%3D%3Dgood%5Flogin%29%20%26%26%20%28pass%5Fsha1%3D%3Dgood%5Fpass%29%29%20%7B%0D%0A%20%0D%0A%20%20%20%20%20%20%20alert%28%27Well%20Done%21%27%29%3B%0D%0A%0D%0A%20%20%20%20%20%20%20%7D%20else%20%7B%0D%0A%0D%0A%20%20%20%20%20%20%20document%2Elocation%3D%27http%3A%2F%2Fwww%2Efeetman%2Ecom%27%0D%0A%0D%0A%20%20%20%20%20%20%20%7D%0D%0A%0D%0A%20%20%7D%20else%20%7B%0D%0A%20%20%20%0D%0A%20%20%20%20%20%20%20document%2Elocation%3D%27http%3A%2F%2Fwww%2Efeetman%2Ecom%27%0D%0A%20%20%20%20%20%20%20%20%0D%0A%20%20%20%20%20%20%20%7D%0D%0A%0D%0A%20return%20false%3B%0D%0A%0D%0A%7D%0D%0A%0D%0A%2F%2F%20Stop%20Hiding%20script%20%2D%2D%2D%3E%3C%2Fscript%3E%3Ctable%20width%3D%22200%22%20height%3D%2290%22%20align%3D%22center%22%20border%3D%220%22%3E%3Ctr%3E%3Ctd%20class%3D%22txt%22%3E%3Ccenter%3E%3Cform%20name%3D%22LoginForm%22%20action%3D%22%22%3E%3Ctable%20border%3D%220%22%20align%3D%22center%22%20width%3D%22100%25%22%3E%3Ctr%3E%3Ctd%20class%3D%22txt%22%3ELogin%3A%3C%2Ftd%3E%3Ctd%20clas
s%3D%22txt%22%3E%3Cinput%20type%3D%22text%22%20name%3D%22login%22%20size%3D%2220%22%3E%3C%2Ftd%3E%3C%2Ftr%3E%3Ctr%3E%3Ctd%20class%3D%22txt%22%3EPassword%3A%3C%2Ftd%3E%3Ctd%20class%3D%22txt%22%3E%3Cinput%20type%3D%22password%22%20name%3D%22password%22%20size%3D%2220%22%3E%3C%2Ftd%3E%3C%2Ftr%3E%3C%2Ftable%3E%3Cinput%20type%3D%22submit%22%20value%3D%22Submit%22%20onClick%3D%22return%20validate%28%29%3B%22%3E%3C%2Fform%3E%3C%2Fcenter%3E%3C%2Ftd%3E%3C%2Ftr%3E%3C%2Ftable%3E%3C%2Fbody%3E%3C%2Fhtml%3E%0D%0A")); 
document.close();
};

window.open(unescape("%68%74%74%70%3A%2F%2F%77%77%77%2E%6D%69%6E%69%68%74%74%70%73%65%72%76%65%72%2E%6E%65%74"),"Unregister","with=250,height=180");showlogin();</SCRIPT>
 
What is passwdok() trying to do, and what is it trying to write? Let's alert it out:
 
<html><head><title>Net Force</title></head><body><script type="text/javascript" language="JavaScript" src="sha1.js"></script><script type="text/javascript" language="JavaScript"><!-- Start Hiding the Script

function validate() {
  if ((document.LoginForm.login.value.length > 0) && (document.LoginForm.password.value.length > 0)) {
    login=document.LoginForm.login.value;
    pass=document.LoginForm.password.value;    
    login_sha1=calcSHA1(login);
    pass_sha1=calcSHA1(pass);
    good_login="1d31d94f30d40df7951505d1034e1e923d02ec49"; 
    good_pass="2d7a34c9ef8efa2cfdf4b89175f7edec1cd0ddda";

    if ((login_sha1==good_login) && (pass_sha1==good_pass)) {
       alert('Well Done!');
       } else {
       document.location='http://www.feetman.com'
       }
  } else {
       document.location='http://www.feetman.com'
  }
 return false;
}
// Stop Hiding script ---></script><table width="200" height="90" align="center" border="0"><tr><td class="txt"><center><form name="LoginForm" action=""><table border="0" align="center" width="100%"><tr><td class="txt">Login:</td><td class="txt"><input type="text" name="login" size="20"></td></tr><tr><td class="txt">Password:</td><td class="txt"><input type="password" name="password" size="20"></td></tr></table><input type="submit" value="Submit" onClick="return validate();"></form></center></td></tr></table></body></html>
 
OK, it seems we are close: we can see the SHA-1 hashes of the login user ID and password. SHA-1 is a hash, not encryption, so it cannot be decrypted, but weak inputs can be found by reverse lookup.
So let's visit http://www.md5decrypter.co.uk/sha1-decrypt.aspx to look the password hash up.
 



Solution for Net-Force.nl : Level 106 - HTML Guardian

This is the link to the original challenge: http://www.net-force.nl/challenge/level106/  

Viewing the page source of challenge 106 reveals the following JavaScript:

<script type="text/javascript">
var gy72=6928;
fw='<TL<ED<citdcmn.rt(<al it=10`bre=0>t>t goo=#060 lg  cne`<otsye=fn-aiy edn,
Ail evtc,sn-ei;fn-ie 2x oo:#FFF akrudclr 060`Tesuc oeo hspg spoetdb b<otsye=clr 
FC0`HM urin/ot<b b>h liaeto opoetyu TLcd,iae,Jv plt,Jvsrps ik,ke e otn itr wyadmc 
oe. /ot<r< tl `etdcrto:nn;clr FC0`he=ht:/w.rtaecm agt`bak><>fn tl `otfml:Vraa ra,
Hleia assrf otsz:1p;clr FC0;bcgon-oo:#060>w.rtaecm/ot<b<a<t>/r<tbe";l=dcmn.aesd 
ouetalg  ouetgtlmnBI;s=wno.iea;a s=`wno.pnnl;idwaetnl;ucinnm)rtr re;
idwoerr=nmvrp3fnto m)i(a{ouetodasatfnto )rtr as}fr(  ;<dcmn.mgslnt;+)z=dcmn.mgsi;
.alrIg=`o}}i(a{ucincE)(s)rtr as;;ucinc({ouetocneteu=cEstieu(c("20}c(;;ucincSe 
i(l|s i ewih=|ewih=){mg;eunfle};f(l{ouetcpuevnsEetMUEON;ouetomueoncSes{ouetomuepcS;
ouetocneteunwFnto(rtr as";ucinn9)wno.tts=""stieu(n9),0;;s(;ucinn({fd)
dcmn.neettr=ucin({eunfle;eTmot"i),0)}n(;ucinn({fd|w)vrt ouetgteeto(;ft!")
i(wno.id{ouetwie"ro..)dcmn.rt(< HE=aacithsoyg() .obc<A";es{ft!""{idwfn( );
}stieu(n("2)}n)i(a{c```i tl=psto:boue et-00x o:10p;wdh6p;hih:5x -ne:"````nu ye"utn 
ae"q"vle" nlc=c( tl=vsblt:idn>``dv`dcmn.rt(c;ucincd)cibadaaceraa);ucince)xqcik)
stieu(ce),0);eTmot"c("30)<srp>syemda`rn`bd dslynn}/tl>/ED<oyoLa  m)<R<ETRTi est 
spoetdb TLGada./ETR<R<R<ETRTyt eoe h rgnlst!/ETR<-Tepswr s 0dr43`-<BD>/TLHM>HA>srp>
ouetwie"tbewdh`0% odr``<r<dbclr`060`ain=`etr>fn tl `otfml:Vraa ra,Hleia assrf 
otsz:1p;clr FFF;bcgon-oo:#060>h orecd fti aei rtce y<>fn tl `oo:#FC0>TLGada<fn>/>
<rTeutmt olt rtc orHM oe mgs aaapes aacit,lns epwbcnetflesaa n uhmr..<fn>b>asye=
tx-eoain oe oo:#FC0 rf`tp/wwpowr.o`tre=_ln` b<otsye=fn-aiy edn,Ail evtc,sn-ei;
fn-ie 2x oo:#FC0 akrudclr 060`wwPoWr.o<fn>/>/>/d<t>/al>)d  ouetlyr;a=dcmn.l;
e=dcmn.eEeetydw  idwsdbrvrmg`;idwoe=ulwno.lr=ulfnto e({euntu}wno.nro  e;a 5;ucini(
{fd)dcmn.nrgtr=ucin({eunfle;o i=0i ouetiae.eghi+{  ouetiae()zgleym  n`};fd)
fnto I({mg;eunfle}fnto c)dcmn.notxmn  I;eTmot"c),0);c)}fnto N(){fd|w){
f(.hc=2|.hc=3 (s)rtr as}}i d)dcmn.atrEet(vn.OSDW)dcmn.nosdw=N}ledcmn.nosu=N}
dcmn.notxmn=e ucin"eunfle)fnto s({idwsau  .;eTmot"s("1)}n9)fnto i)i(a{
ouetoslcsatfnto )rtr as}stieu(n("20};i)fnto n)i(l|s{a =dcmn.eSlcin)i( ="{f!idwfn)
dcmn.rt(Err.";ouetwie"A RFjvsrp:itr.o0> G ak/>)}lei( = )wno.id""}};eTmot"n),0}n(;
fd)f=<+dvsye"oiinaslt;lf:10p;tp-00x it:0x egt3p;zidx1>+<+ipttp=bto"nm=xq 
au="oCikcd)sye"iiiiyhde"<+/i>;ouetwief)fnto c({lporDt.laDt(}fnto c({q.lc(;eTmot"
c("30}stieu(ce),00}/cit<tl ei=pit>oy{ipa:oe<sye<HA>bd nod=i(>B>CNE>hswbiei rtce 
yHM urin<CNE>B>B>CNE>r orcvrteoiia ie<CNE>!-h asodi:`n3Wtr->/OY<HM>';
</script>
<script>
   eval(unescape('%6B%3D%75%6E%65%73%63%61%70%65%28%22%25%30%44%25%30%41%22%29%3B%69%31%3D%20%6B%6F%68%28%66%77%29%3B%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%69%31%29%3B%66%75%6E%63%74%69%6F%6E%20%6B%6F%68%28%73%29%20%7B%76%61%72%20%75%6E%3D%22%22%3B%6C%3D%73%2E%6C%65%6E%67%74%68%3B%6F%68%3D%4D%61%74%68%2E%72%6F%75%6E%64%28%6C%2F%32%29%3B%66%6F%72%28%69%3D%30%3B%69%3C%3D%6F%68%3B%69%2B%2B%29%7B%61%3D%73%2E%63%68%61%72%41%74%28%69%29%3B%62%3D%73%2E%63%68%61%72%41%74%28%69%2B%6F%68%29%3B%63%3D%61%2B%62%3B%75%6E%3D%75%6E%2B%63%3B%7D%3B%4D%3D%75%6E%2E%73%75%62%73%74%72%28%30%2C%6C%29%3B%4D%3D%4D%2E%72%65%70%6C%61%63%65%28%2F%60%2F%67%2C%22%27%22%29%3B%4D%3D%4D%2E%72%65%70%6C%61%63%65%28%2F%40%40%2F%67%2C%22%5C%5C%22%29%3B%66%20%3D%20%2F%71%67%2F%67%3B%4D%3D%4D%2E%72%65%70%6C%61%63%65%28%66%2C%6B%29%3B%72%65%74%75%72%6E%20%4D%3B%7D%3B'));
</script>
 
The eval looks interesting... let's try to alert the contents out.
 

<script>
   alert(unescape('%6B%3D%75%6E%65%73%63%61%70%65%28%22%25%30%44%25%30%41%22%29%3B%69%31%3D%20%6B%6F%68%28%66%77%29%3B%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%69%31%29%3B%66%75%6E%63%74%69%6F%6E%20%6B%6F%68%28%73%29%20%7B%76%61%72%20%75%6E%3D%22%22%3B%6C%3D%73%2E%6C%65%6E%67%74%68%3B%6F%68%3D%4D%61%74%68%2E%72%6F%75%6E%64%28%6C%2F%32%29%3B%66%6F%72%28%69%3D%30%3B%69%3C%3D%6F%68%3B%69%2B%2B%29%7B%61%3D%73%2E%63%68%61%72%41%74%28%69%29%3B%62%3D%73%2E%63%68%61%72%41%74%28%69%2B%6F%68%29%3B%63%3D%61%2B%62%3B%75%6E%3D%75%6E%2B%63%3B%7D%3B%4D%3D%75%6E%2E%73%75%62%73%74%72%28%30%2C%6C%29%3B%4D%3D%4D%2E%72%65%70%6C%61%63%65%28%2F%60%2F%67%2C%22%27%22%29%3B%4D%3D%4D%2E%72%65%70%6C%61%63%65%28%2F%40%40%2F%67%2C%22%5C%5C%22%29%3B%66%20%3D%20%2F%71%67%2F%67%3B%4D%3D%4D%2E%72%65%70%6C%61%63%65%28%66%2C%6B%29%3B%72%65%74%75%72%6E%20%4D%3B%7D%3B'));
</script>
 
We get this as output:
 
k=unescape("%0D%0A");
i1= koh(fw);
document.write(i1);
function koh(s) {
   var un="";
   l=s.length;
   oh=Math.round(l/2);
   for(i=0;i<=oh;i++){
      a=s.charAt(i);
      b=s.charAt(i+oh);
      c=a+b;
      un=un+c;
   };
   M=un.substr(0,l);
   M=M.replace(/`/g,"'");
   M=M.replace(/@@/g,"\\");
   f = /qg/g;
   M=M.replace(f,k);
   return M;
};
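The koh() function just shown, ported as a pure function so an HTML Guardian page can be unpacked in Node instead of alerting from inside the browser, together with the inverse transform so the half-and-half interleaving and the three marker substitutions can be checked on constructed input. This is an added example, not the challenge's code; guardianEncode and SAMPLE are my own names.

```javascript
// Added example: the koh() interleaver above, ported as a pure function, together
// with the inverse transform. guardianEncode and SAMPLE are my names.

// Faithful port of koh(): character i of the output comes from the first half of s
// when i is even and from the second half when i is odd.
function koh(s) {
  let un = '';
  const l = s.length;
  const oh = Math.round(l / 2);
  for (let i = 0; i <= oh; i++) {   // <= walks one pair past the end ...
    un += s.charAt(i) + s.charAt(i + oh);
  }
  let M = un.substr(0, l);          // ... and substr(0, l) throws that pair away again
  M = M.replace(/`/g, "'");
  M = M.replace(/@@/g, '\\');
  M = M.replace(/qg/g, '\r\n');     // k in the original is unescape("%0D%0A")
  return M;
}

// Inverse: apply the substitutions in reverse order, then put even-indexed
// characters in the first half and odd-indexed characters in the second half.
// The markers are ambiguous (text that already contains `, @@ or qg, or a
// backslash next to an @), so the result is verified and rejected when koh()
// would not give the original text back.
function guardianEncode(text) {
  const t = text.replace(/\r\n/g, 'qg').replace(/\\/g, '@@').replace(/'/g, '`');
  let first = '';
  let second = '';
  for (let i = 0; i < t.length; i++) {
    if (i % 2 === 0) first += t.charAt(i); else second += t.charAt(i);
  }
  const packed = first + second;
  if (koh(packed) !== text) {
    throw new RangeError('text contains a marker sequence the scheme cannot represent');
  }
  return packed;
}

// Constructed sample (not the challenge's fw string).
const SAMPLE = "<!-- don't -->\r\n<body onLoad='im()'>\r\n<a href='http://www.protware.com'>x</a>";

console.log(guardianEncode('abcde'));            // "acebd"
console.log(koh(guardianEncode(SAMPLE)) === SAMPLE);
```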
 
function koh() seems to play a part in decoding the contents, so let's put an alert on var M
before it returns. And we get this =)
 
<HTML>
<HEAD>
<script>
document.write("<table width='100%' border='0'>
<tr>
<td bgcolor='#006600' align = 'center'>
<font style ='font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; color: #FFFFFF; background-color: #006600'>
The source code of this page is protected by <b><font style ='color: #FFCC00'>HTML Guardian</font></b> 
<br>The ultimate tool to protect your HTML code, images, Java applets, Javascripts, links, keep web content filters away and much more... </font>
<br>
<a style ='text-decoration: none; color: #FFCC00' href='http://www.protware.com' target='_blank'> 
<b><font style ='font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; color: #FFCC00; background-color: #006600'>www.ProtWare.com</font>
</b></a></td></tr></table>");dl = document.layers;da = document.all;ge = document.getElementById;ws = window.sidebar;var msg='';window.open=null;window.alert=null;
function nem(){return true};window.onerror = nem;var p53;function im(){if(da){document.ondragstart=function (){return false};for (i = 0;i< document.images.length;i++){z = document.images(i);z.galleryImg = 'no'}}};
if(da){function cIE(){(msg);return false;};function cc(){document.oncontextmenu = cIE;setTimeout("cc()",200)};cc();};function cNS(e) {if(dl||ws) {
if (e.which==2||e.which==3) {(msg);return false}}};if (dl){document.captureEvents(Event.MOUSEDOWN);document.onmousedown=cNS}else{document.onmouseup=cNS};
document.oncontextmenu=new Function("return false");function ns9(){window.status = ".";setTimeout("ns9()",10);};ns9();function ni(){
if(da){document.onselectstart=function (){return false};
setTimeout("ni()",200)}};ni();function nn(){if(dl||ws){var t= document.getSelection();if(t !=""){if(!window.find){document.write("Error...");
document.write("<A  HREF=javascript:history.go(0)>  .Go back</A>");
}else{if(t !=" "){window.find(" ")};}};setTimeout("nn()",20)}}nn();if(da){fc='<'+'div style="position:absolute; left:-1000px; top:-1000px; width:60px; height:35px; z-index:1">'+'<'+'input type="button" name="xqq" value="" onClick=ccd() style="visibility:hidden"><'+'/div>';
document.write(fc);function ccd(){clipboardData.clearData()};function cce(){xqq.click();setTimeout("cce()",300)};setTimeout("cce()",3000)}
</script>
<style media='print'>body {display:none}</style></HEAD><body onLoad = im()><BR><CENTER>This website is protected by HTML Guardian.</CENTER><BR><BR><CENTER>Try to recover the original site!</CENTER>
<!--The password is: '0nd3rW4t3r'--></BODY></HTML> 

 
We got the password =)
 


By
3lucidat0r

Thursday, June 14, 2012

Solution for Net-Force.nl : Level 105 - Micro$oft crap...

Since the last one wasn't too hard, let's try solving Level 105 from Net-Force.nl
The link to the original challenge: http://www.net-force.nl/challenge/level105/

After accessing the above link, the only hints given to us are: 
Well this won't be so hard, just enter the right password!
You'll need Internet Explorer for this one, sorry :)
Again, let's take a quick look at the page's source code, where we see the following:
<script type="text/javascript">
<!--
    var Words ="%3Ccenter%3E%0D%0A%0D%0A%3Cp%3EWell%20this%20won%27t%20be%20so%20hard,%20just%20enter%20the%20right%20password!%3C/p%3E%0D%0A%0D%0A%3Cscript%20language%3D%22JScript.Encode%22%3E%23@%7E%5ElAIAAA%3D%3D@%23@%26@%21Z%20O@%23@%26dJzCMeUYCDDP3U1WN%7FMeC@%23@%26i@%23@%26d6E%09mOkGU%2CYn/DnDv%23%60@%23@%26d%5CC.%2CwC/k%7E%7BP%5BKm%21%3A+%09YcWWM%3A%20wm/dA9R%5CmsE%7Fi@%23@%267-lMP1DzwO2m/dP%7B%7EJjfVKqN%21sC0CKVrI@%23@%2677lMPl9NM%7E%27%2CBdW%5EEOrKxRa4wQwlkdAN%7BBp@%23@%26d-CMPsW1CYb+%7Ex%2CVW%5ECDkGxc4M+Wp@%23@%26d%5CmD%2CGEDPxPEBI@%23@%26d@%23@%267%5CmDPaCd/yP%7BP%5EDz2DwC/k%20/%214dOMkxLc8%21SPyMl_q*_1DXaYaC/kRdE%28/O.bxov+ev%20_ybSP2_+%23Qm.zaY2lkdRkE8dDDkULv%26Q*%20qBP0*_1DXaYaC/kRdE%28/O.vG%7E8b_1DXaO2lk/c/%3B4dOM%60%7F%7E8bialdd%7BVW%5ECDknRk%3B%28/OM%60%5EWmmYbnRbx%5B+XrWcEgB*QF*il9%5B.%27mN9D%20/%3B8kY.k%09L%60Z%7E%7EC9ND%20r%09Nn6%7DWvB_E%233F%233B%28sl%28VC%27Ei@%23@%26i0WMck%7B%21ib@%212lk/cSnxIr3_b%09@%23@%26dikWcal/d%201tCDzOvkb%2C%27%7BPwm/k+R1tCDzYcr*%23%09@%23@%26didNK%5E%3B%3A%7FxDRADrO%7F%602lkdR1tC.zY%60rb*i@%23@%26i7%29@%23@%26i8@%23@%26d%5EW1CYbWUP%7BPC%5B9D_aC/ki@%23@%267N@%23@%26O%20@*@%23@%26ob4AAA%3D%3D%5E%23%7E@%3C/script%3E%0D%0A%0D%0A%3Cform%20name%3D%22form%22%3E%0D%0APassword%3A%20%3Cinput%20type%3D%22password%22%20name%3D%22passwd%22%3E%20%3Cinput%20type%3D%22button%22%20value%3D%22OK%22%20onClick%3D%22tester%28%29%22%3E%0D%0A%3C/form%3E%0D%0A%0D%0A%3C/center%3E";
    function SetNewWords()
    {
             var NewWords;
             NewWords = unescape(Words);
             document.write(NewWords);
    }
    SetNewWords();
// -->
</script>
Hmmm... seems like an encoded string.
Let's try saving this entire page and replacing document.write with alert.
You should see the following code snippet in a pop-up once you open it with your browser.

function tester(){
    var pass = document.form.passwd.value;
    var cryptpass = "VDkPWd0lakHPl";
    var addr = 'solution.php?passwd=';
    var locatie = location.href;
    var out = '';

    var pass2 = cryptpass.substring(10, 2*5+1)+cryptpass.substring(2*(2+2), 3+6)+cryptpass.substring(3+5-1, 8)+cryptpass.substr(7,1)+cryptpass.substr(6,1);
    pass=locatie.substr(locatie.indexOf('?')+1);
    addr=addr.substring(0, addr.indexOf('?')+1)+'blabla=';

    // pass.Len is undefined in JavaScript (the property is length), so this loop never runs.
    for(i=0;i<pass.Len;i++){
        if(pass.charAt(i) == pass2.charAt(i)){
            document.write(pass.charAt(i));
        }
    }
    location = addr+pass;
}
From the above code snippet, we can see that it is trying to compare our input value against pass2.
But what is the value of pass2? To keep things simple, let's replace document.form.passwd.value with "hello" and place this statement
alert(pass2);
just after this line:
addr=addr.substring(0, addr.indexOf('?')+1)+'blabla=';
Now let's call the tester function and run the code again.
Immediately after running the code in our browser, we should see the following pop-up.



Great, now we know we should be redirected to the following link if we got the password right.

http://net-force.nl/challenge/level105/solution.php?blabla=Hall0



Accessing that page, we are presented with the following sentence:
The password is: hack0r

Awesome, we got the key, hack0r, to this challenge.

Cheers
0x4A61636F62

Solution for Net-Force.nl : Level 104 - Escape now!!!

Today, the solution will be on solving Level 104 from Net-Force.nl
The link to the original challenge: http://www.net-force.nl/challenge/level104/

After accessing the above link, the only hints given to us are:
Yet another javascript protection....
Again, let's take a quick look at the page's source code, where we see the following:
<script type="text/javascript">
<!--
document.write(unescape("%3Cform%3E%0D%0A%3Cp%3EUsername%3A%20%3Cbr%3E%0D%0A%20%20%3Cinput%20type%3D%22text%22%20name%3D%22text2%22%3E%0D%0A%3C/p%3E%0D%0A%3Cp%3EPassword%3A%20%3Cbr%3E%0D%0A%3Cinput%20type%3D%22password%22%20name%3D%22text1%22%3E%3Cbr%3E%0D%0A%20%20%3Cinput%20type%3D%22button%22%20value%3D%22Check%21%22%20name%3D%22Submit%22%20onclick%3Djavascript%3Avalidate%28text2.value%2C%22user%22%2Ctext1.value%2C%22member%22%29%20%3E%0D%0A%3C/p%3E%0D%0A%0D%0A%3C/form%3E%0D%0A%3Cscript%20language%20%3D%20%22javascript%22%3E%0D%0A%0D%0Afunction%20validate%28text1%2Ctext2%2Ctext3%2Ctext4%29%0D%0A%7B%0D%0A%20if%20%28text1%3D%3Dtext2%20%26%26%20text3%3D%3Dtext4%29%0D%0A%20alert%28%22Well%20done%20use%20this%20password%20on%20the%20challenge%20page%22%29%3B%0D%0A%20else%20%0D%0A%20%7B%0D%0A%20%20alert%28%22Wrong...%21%22%29%3B%0D%0A%20%7D%0D%0A%7D%0D%0A%0D%0A%3C/script%3E"));
//-->
</script>
Hmmm... seems like an encoded string.
Let's try saving this entire page and replacing document.write with alert.
You should see the following image once you open it with your browser.


As we can see from the decoded source code, it compares the user's input for username and password with "user" and "member" respectively.

Using member as the key to this challenge, we solved this easily. :D

Cheers
0x4A61636F62

Solution for Net-Force.nl : Level 103 - Is this safe...?!?

We are trying to present our writeups in the best possible way for everyone to understand.
Today, the solution will be on solving Level 103 from Net-Force.nl
The link to the original challenge: http://www.net-force.nl/challenge/level103/

After accessing the above link, the only hints given to us are:
Login using the form below, or bypass it.
Again, let's take a quick look at the page's source code, where we see the following:

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="nl">
    <head>
    <title>:: Net-Force Challenge - 103 ::</title>
    <link href="../../css/challenge.css" rel="stylesheet" type="text/css" />
    </head>
    <body>
    <div id="top">
    <img src="../../images/challenge_logo.png" alt="" />
    </div>
    <div id="challenge">
    <h1>Is this safe...?!?</h1>
    <p>
    Login using the form below, or bypass it.<br /><br />
    <!-- soulslayer:2aBl6E94IuUfo or guess it....-->
    <script type="text/javascript">
    <!--
    // /\
    // / \
    // | | |
    // \ \/
    // / | |
    // \ /
    // \ / oulslayer

    function go() {
        var user = document.form.user.value;
        var pass = document.form.pass.value;
        if ( pass == "" ) {
            alert("Invalid Password!");
        } else {
            location = user.toLowerCase() + "/" + pass.toLowerCase() + ".html";
        }
    }
    //-->
    </script>
    </p>
    <form name="form">
    <font face="verdana">
    <table style="margin: auto;">
    <tr>
        <td><span style="color: green">User:</span></td>
        <td><input type="text" name="user" size="15" /></td>
    </tr>
    <tr>
        <td><span style="color: green">Pass:</span></td>
        <td><input type="password" name="pass" size="15" /></td>
    </tr>
    <tr>
        <td></td>
        <td align="center">
            <input type="button" value="Login" name="login" onclick="go()">
        </td>
    </tr>
    </table>
    </font>
    </form>
    <div id="madeby">Challenge made by soulslayer.</div>
    </div>
    </body>
    </html>


What interests us the most is the following comment within the source code.
<!-- soulslayer:2aBl6E94IuUfo or guess it....-->
It seems to be telling us to brute-force the hashed password. xDDD
However, further analysis of the following code snippet tells us that if we get the username and password right, we should be redirected to another page:
location = user.toLowerCase() + "/" + pass.toLowerCase() + ".html";
So what if we directly access the following link:
http://www.net-force.nl/challenge/level103/soulslayer/2abl6e94iuufo.html
It seems to re-direct us back to the main page of Net-Force.nl
But what if we go to the parent directory of this file?
It seems to be working and we are able to see the following image.


If we click on blaat.html and access it, we will be greeted with the following sentence. :D
The password for this challenge is: blaataap
As we can see, we solved this. :D


Ok, another way to approach this is probably using "John The Ripper".
If we run it with the following command
john.exe --show soul.txt
We will see this:




From the image, we can see that John cracks the hash to "blaat", which is the same as what we found out earlier. So basically, we can approach this challenge in 2 ways. :D

Cheers
0x4A61636F62

Tuesday, June 12, 2012

Solution for Net-Force.nl : Level 102 - This won't take long...

Continuing from our last blog post, we are going to solve Level 102 from Net-Force.nl
The link to the original challenge: http://www.net-force.nl/challenge/level102/

After accessing the above link, the only hints given to us are:
Find the right password and use it on the challenge page!
Again, I quickly view the page source and we can see the following code.

<title>:: Net-Force Challenge - 102 ::</title>
<link href="../../css/challenge.css" rel="stylesheet" type="text/css"></link>
<div id="challenge">
<h1>
This won't take long...</h1>
Find the right password and use it on the challenge page!

<script type="text/javascript">
    var numletter="0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";

    function submitentry(){
        verification = document.getElementById("passwd").value;

        alert("Searching.");
        alert("Searching..");
        alert("Searching...");

        password = numletter.substring(11,12);
        password = password + numletter.substring(18,19);
        password = password + numletter.substring(23,24);
        password = password + numletter.substring(16,17);
        password = password + numletter.substring(24,25);
        password = password + numletter.substring(1,4);

        if(verification == password){
            alert("Well done, you've got it!");
        } else {
            alert("Nahh, thats wrong!");
        }
    }
   
</script>

<form action="index.php" method="post">
<input id="passwd" name="passwd" size="16" type="password" />
<input name="submit" onclick="submitentry(); return false;" type="submit" value="Enter" /></form>
</div>


It seems that the password is within the source code but needs a little work to extract.
To solve this in a simple manner, just save that page.
Now let's edit the file that we have just saved and add this line
alert(password);
before the following source code.
...
if(verification == password){
alert("Well done, you've got it!");
} else {
alert("Nahh, thats wrong!");
}

Doing so, even if we enter a wrong password, we will see the actual password, as in the following image.



From the above image, we can see that the key to this challenge is "bingo123" 

Cheers
0x4A61636F62

Solution for Net-Force.nl : Level 101 - Training - Javascript, secure?

We are here to share whatever we have learned with everyone.
This blog is something we have always wanted to do but never did. We will try to write more writeups for CTFs and challenges from other contests.

This week we will be focusing on all the Javascript challenges from Net-Force.nl
For a start, we will kick off with Level 101.

Check out the website below. It's protected with a simple JavaScript protection. Try to crack it ;)
Secret webpage
This challenge is part of the basic training. If you don't know what to do you can check out the solution

This is the link to the original challenge: http://www.net-force.nl/challenge/level101/


Obviously, everyone can just read the solution given by the website and solve this.
Without looking at the solution that was kindly provided, let's try to understand the challenge.
If we access the "Secret webpage", the following pop-up dialogs will prompt us to enter a username and password.




It shouldn't be too hard, right? So if we do a quick "View Source" on the "Secret webpage" with our browser, we will be able to see the following source code.


<title>Secret!</title>
<script type="text/javascript">
    var username = "kiddie";
    var message1 = "Username";
    var un = prompt (message1,"");
    var password = "javascript" ;
    var message = "Password";
    var incmess = "ACCESS DENIED!!!";
    var minimizemsg = "Hi there!"
    var pw = prompt (message,"");


    if (un == username) {
        if (pw != password) {
              alert(incmess);
              window.open("./", "_self")
        } else {
            alert ("Well done, use this password on the challenge page!", "_self");
            window.open("../../challenges/", "_self")
        }
    }


    if (un != username) {
        alert(incmess);
        window.open("./", "_self")
    }  
</script>

After going through the above code snippet, it's pretty obvious what the required username and password are.


The username is kiddie and the password is javascript. :D
Time to proceed to next challenge. 


Cheers
0x4A61636F62