Sunday, June 17, 2012

Solution for Net-Force.nl : Level 107 - Having Fun?!? :-)

This is the link to the original challenge: http://www.net-force.nl/challenge/level107/ 

Quest:
This website is protected by HTML PROTECT 3
Enter the password like this "username:password"

View Source:
<script type="text/javascript">
d="=tdsjqu mbohvbhf> KbwbTdsjqu ?=!..  gvodujpo tipxmphjo(*|  epdvnfou/xsjufmo('=cs?=cs? +#'*< J#ubcmf xjeui> 457  cpsefs> 3  dfmmtqbdjoh> 1 3#qbee 3#bmjho> dfoufs  ifjhiu> 223  :$ :$s?=ue O#52  chdpmps> #7273:F `# `#ejw >$?=gpou  d#GGGGGG  gbdf> Dpvsjfs Ofx-  0#- npop ?=c ^#tj{f> 8 ?Vtfs M i&=0 =#?=0c? .#ejw `$ `$0ue?=0 I%s H# h%e i 5& d%GGCEPP d% \\#gpsn obnf> qbttxpse 6#  poTvcnju> joqvu(*< ? 8&mfgu z# z#UBCMF dfmmTqbdjoh>1 1#Qbee 1#xjeui> 211%  cpsefs>1?=UCPEZ z# z#JOQVU uzqf> ijeefo  ,%vtfs -#  wbmvf> efgbvmu ?=c L& p$S?=UE U$21 if Z&44?&octq<=0UE `# `# \\#8 \\#=GPOU gbdf> Wfsebob- Bsjbm- Ifmwfujdb- tbot.tfsjg  tj{f>2?=C 4$ 4$ w# v# W#3?Qbttxpse=0 F#?=0C? .#UE L% n$ 1$ u&dmbtt>joqvu uzqf>q /$ ?$1 obn 9# r# r# L$0 z&0UCPEZ +#BCMF T#o('&octq< )# /# 5#= g$ Tvcnju   `$ 2#wbmvf> Mphjo Opx  @$ q$ejw?=0gpsn?=0ue (#s (#bcmf Y#~<  gvodujpo  F$(*  |qe> s# %& j# 0#/ O$/upVqqfsDbtf( r#vs [#n/vtfs 6% [#  jg ((vs!>vs*   }}(qe>>voftdbqf( %36%41%41 ,#3%46 ,#4%43 *** | ?$dppljf> IUNMQ K$VtfsJE> ,vs< L# L# +#X L#qe< .%epl(*<~fmtf|bmfsu(  p#bddpvou;  v#,   fssps ! 
* )$pqfo( 3#mpdb {&/isfg> iuuq;00xxx/gffunbo/dpn <~<~<  gvod P# ofn(*|sfuvso usvf~<xjoepx/po >$> G#<wbs u85<em >  =$bzfst<eb 8#bmm<hf 5#hfuFmf .#CzJe<xt >  /$tjefcbs )$nth>   .#c:8< m$ ?& | n% 3#xsjuf(voftdbqf( %4Diunm%4F -#fbe -#ujumf%4FOfu%31Gpsdf%4D%3G <# 1# T#cpez -#tdsjq Y#uzqf%4E%33ufyu%3Gkbwb A#3%31mbohvbh H#KbwbT A#tsd <#tib2%3Fkt ;# C$ k# ;$ ;$ ;$ ;$ #$2%3E%3E%31Tubs y#Ijejoh ($if :# U#1E%1B )#gvodujpo%31wbmjebuf%39%3:%31%8C N#31%31jg +#9%39epdvnfou%3FMphjoGpsn%3Fm /#%3Fwbmvf 3#fohui Y#4F%311 z#37%37 o# l#3Fqbttxpse o# o# o$ )# S$4E )$ r$4 d# K$ c# i$ f# `# v& _$6Gtib2%4EdbmdTIB2%39 Z$: U$ U$ Y# <# X# ^#hppe%6G $&%332e42e:5g41e51eg8:62616e2145f2f:34e13fd5:%33 E% x#%6G 8&%333e8b45d:fg9fgb3dgeg5c9:286g8fefd2de1eeeb w# u$31jg +#9 $& b%%4E 8%3: M#7%37 V# 7& R# 6& T#8 q& G$ ,#bmfsu P$8Xfmm%31Epof%32%38 l# 0% i#8E%31fmtf @$ T# )#epdvnfou%3Fmpdbujpo o&8iuuq%4B%3G%3Gxxx%3Fgffunbo%3Fdpn ]$ &$ W$ G# l$ W# r# u$ u$ u$ u$ o$ >$ 3% G#sfuvso%31gb 4%4 z& R# \\$%31Tupq%31Ijejoh%31tdsjqu ,$E%3E )#4F%4D%3G ># 2#ubcm =&xjeui \\%3311%33%31ifjhiu 8#: 7#bmjh *&3dfoufs :#cpsefs ;# M# &$s +#e%31dmbtt E#uyu G# i# /#gpsn%31obnf L#MphjoG 9# F$dujp G$ .$ 1% L$ v$ :# [%2 [%6 z$ z$ Z$%4B ^&ue R# O%joqvu%31uzq D%uf B# X%m {# 8#tj{ 8# _& 6$ .# p$ x$ I$Qbttxpse {$ U# {$q j# %% ;# (% (% .#bcmf :$%33tvcnj :&wbmv :#T :#poDmjdl <#sfuvso P#jebuf%39%3:%4C R$gpsn 0#dfouf X$ n$ n$%3Gcpez 0#iunm 0#1E%1B **< epdvnfou/dmptf(*<  ~<  xjoepx/pqfo(voftdbqf( %79%85%85%81%4B%3G%3G%88%88 )#3F%7E%7:%7F )# P#84%76%83%87 ,# P#F /#5 *- Vosfhjtufs - xjui>361-ifjhiu>291 *<tipxmphjo(*<=0TDSJQU? ";
e=unescape("%25%36%43%25%33%44%25%32%37%25%35%43%25%33%30%25%30%31%25%30%32%25%30%33%25%30%34%25%30%35%25%30%36%25%30%37%25%30%38%25%35%43%25%37%34%25%35%43%25%36%45%25%30%42%25%30%43%25%35%43%25%37%32%25%30%45%25%30%46%25%31%30%25%31%31%25%31%32%25%31%33%25%31%34%25%31%35%25%31%36%25%31%37%25%31%38%25%31%39%25%31%41%25%31%42%25%31%43%25%31%44%25%31%45%25%31%46%25%32%30%25%32%31%25%32%32%25%32%33%25%32%34%25%32%35%25%32%36%25%35%43%25%32%37%25%32%38%25%32%39%25%32%41%25%32%42%25%32%43%25%32%44%25%32%45%25%32%46%25%33%30%25%33%31%25%33%32%25%33%33%25%33%34%25%33%35%25%33%36%25%33%37%25%33%38%25%33%39%25%33%41%25%33%42%25%33%43%25%33%44%25%33%45%25%33%46%25%34%30%25%34%31%25%34%32%25%34%33%25%34%34%25%34%35%25%34%36%25%34%37%25%34%38%25%34%39%25%34%41%25%34%42%25%34%43%25%34%44%25%34%45%25%34%46%25%35%30%25%35%31%25%35%32%25%35%33%25%35%34%25%35%35%25%35%36%25%35%37%25%35%38%25%35%39%25%35%41%25%35%42%25%35%43%25%33%31%25%33%33%25%33%34%25%35%44%25%35%45%25%35%46%25%36%30%25%36%31%25%36%32%25%36%33%25%36%34%25%36%35%25%36%36%25%36%37%25%36%38%25%36%39%25%36%41%25%36%42%25%36%43%25%36%44%25%36%45%25%36%46%25%37%30%25%37%31%25%37%32%25%37%33%25%37%34%25%37%35%25%37%36%25%37%37%25%37%38%25%37%39%25%37%41%25%37%42%25%37%43%25%37%44%25%37%45%25%37%46%25%32%37%25%33%42%25%30%44%25%30%41%25%37%33%25%33%44%25%32%37%25%32%37%25%33%42%25%30%44%25%30%41%25%36%36%25%36%46%25%37%32%25%32%30%25%32%38%25%36%39%25%33%44%25%33%30%25%33%42%25%36%39%25%33%43%25%36%34%25%32%45%25%36%43%25%36%35%25%36%45%25%36%37%25%37%34%25%36%38%25%33%42%25%36%39%25%32%42%25%32%42%25%32%39%25%37%42%25%30%44%25%30%41%25%36%31%25%33%44%25%36%43%25%32%45%25%36%39%25%36%45%25%36%34%25%36%35%25%37%38%25%34%46%25%36%36%25%32%38%25%36%34%25%32%45%25%36%33%25%36%38%25%36%31%25%37%32%25%34%31%25%37%34%25%32%38%25%36%39%25%32%39%25%32%39%25%33%42%25%30%44%25%30%41%25%36%39%25%36%36%25%32%30%25%32%38%25%36%31%25%33%44%25%33%44%25%33%31%25%32%39%25%32%30%25%36%31%25%33%44%25%33%39%25%33%42%25%30%44%25%30%41%25%36%3
9%25%36%36%25%32%30%25%32%38%25%36%31%25%33%44%25%33%44%25%33%32%25%32%39%25%32%30%25%36%31%25%33%44%25%33%31%25%33%30%25%33%42%25%30%44%25%30%41%25%36%39%25%36%36%25%32%30%25%32%38%25%36%31%25%33%44%25%33%44%25%33%33%25%32%39%25%32%30%25%36%31%25%33%44%25%33%31%25%33%33%25%33%42%25%30%44%25%30%41%25%36%39%25%36%36%25%32%30%25%32%38%25%36%31%25%33%44%25%33%44%25%33%34%25%32%39%25%32%30%25%36%31%25%33%44%25%33%33%25%33%34%25%33%42%25%30%44%25%30%41%25%36%39%25%36%36%25%32%30%25%32%38%25%36%31%25%33%43%25%33%44%25%33%33%25%33%31%25%32%30%25%32%36%25%32%30%25%36%31%25%33%45%25%33%44%25%33%31%25%33%34%25%32%39%25%37%42%25%30%44%25%30%41%25%36%46%25%36%36%25%36%36%25%33%44%25%37%33%25%32%45%25%36%43%25%36%35%25%36%45%25%36%37%25%37%34%25%36%38%25%32%44%25%32%38%25%36%43%25%32%45%25%36%39%25%36%45%25%36%34%25%36%35%25%37%38%25%34%46%25%36%36%25%32%38%25%36%34%25%32%45%25%36%33%25%36%38%25%36%31%25%37%32%25%34%31%25%37%34%25%32%38%25%32%42%25%32%42%25%36%39%25%32%39%25%32%39%25%32%44%25%33%33%25%33%36%25%32%42%25%33%39%25%33%30%25%32%41%25%32%38%25%36%43%25%32%45%25%36%39%25%36%45%25%36%34%25%36%35%25%37%38%25%34%46%25%36%36%25%32%38%25%36%34%25%32%45%25%36%33%25%36%38%25%36%31%25%37%32%25%34%31%25%37%34%25%32%38%25%32%42%25%32%42%25%36%39%25%32%39%25%32%39%25%32%44%25%33%33%25%33%35%25%32%39%25%32%39%25%32%44%25%33%31%25%33%42%25%30%44%25%30%41%25%36%43%25%37%30%25%33%44%25%36%46%25%36%36%25%36%36%25%32%42%25%36%31%25%32%44%25%33%31%25%33%34%25%32%42%25%33%34%25%33%42%25%30%44%25%30%41%25%37%33%25%33%44%25%37%33%25%32%42%25%37%33%25%32%45%25%37%33%25%37%35%25%36%32%25%37%33%25%37%34%25%37%32%25%36%39%25%36%45%25%36%37%25%32%38%25%36%46%25%36%36%25%36%36%25%32%43%25%36%43%25%37%30%25%32%39%25%33%42%25%37%44%25%30%44%25%30%41%25%36%35%25%36%43%25%37%33%25%36%35%25%32%30%25%37%42%25%32%30%25%36%39%25%36%36%25%32%30%25%32%38%25%36%31%25%33%45%25%33%44%25%33%34%25%33%31%25%32%39%25%32%30%25%36%31%25%33%44%25%36%31%25%32%44%25%33%31%25%33%42%25%32%30%25%37%33%25%33%44%25%37%33%
25%32%42%25%36%43%25%32%45%25%36%33%25%36%38%25%36%31%25%37%32%25%34%31%25%37%34%25%32%38%25%36%31%25%32%39%25%33%42%25%37%44%25%37%44%25%33%42%25%36%34%25%36%46%25%36%33%25%37%35%25%36%44%25%36%35%25%36%45%25%37%34%25%32%45%25%37%37%25%37%32%25%36%39%25%37%34%25%36%35%25%32%38%25%37%33%25%32%39%25%33%42%25%30%44%25%30%41");
// e was already percent-decoded once when it was assigned; it is decoded a
// second time here and the result is executed with eval(). To read the payload
// without running it, print e instead of evaluating it.
e=unescape(e);eval(e);
</script>
 
The variable e looks suspicious: it is unescaped twice and then passed to eval(). Let's alert its content instead of evaluating it. This is what we get:
 
// Decoder for the packed string d (assigned earlier in the page's script).
// l is a lookup table in which position i holds the character with code i.
// In the encoded form of e, positions 1-8, 11-12 and 14-31 are the control
// characters %01-%1F; this listing shows them as spaces. \134 is the octal
// escape for a backslash.
l='\0        \t\n  \r                   !"#$%&\'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\134]^_`abcdefghijklmnopqrstuvwxyz{|}~';
// s accumulates the decoded output.
s='';
// Walk d one symbol at a time; a is the symbol's position in l.
for (i=0;i<d.length;i++){
a=l.indexOf(d.charAt(i));
// Codes 1-4 stand for tab, line feed, carriage return and double quote.
if (a==1) a=9;
if (a==2) a=10;
if (a==3) a=13;
if (a==4) a=34;
// Codes 14-31 mark a back-reference into the output built so far. The next
// two symbols of d (consumed by the ++i calls) give the distance back, with
// the second symbol weighted by 90. Up to a-10 characters are copied.
// `&` is the bitwise operator, applied here to two comparison results.
if (a<=31 & a>=14){
off=s.length-(l.indexOf(d.charAt(++i))-36+90*(l.indexOf(d.charAt(++i))-35))-1;
lp=off+a-14+4;
s=s+s.substring(off,lp);}
// Everything else is a literal: codes of 41 and above are shifted down by one,
// lower codes are emitted unchanged. The finished text is then written into
// the page with document.write, so any script it contains will run.
else { if (a>=41) a=a-1; s=s+l.charAt(a);}};document.write(s);
 
What is the variable s that this script is trying to write? Let's alert it instead of writing it to the page.
 
<script language="JavaScript"><!--
// Writes the first-stage "User Login" form into the page with document.writeln.
// The form (name "passwordform") has a hidden username field preset to
// "default" and one password field; its onSubmit handler calls input().
function showlogin(){
document.writeln('<br><br><br><br>');
document.writeln('<table width="346" border="2" cellspacing="0" cellpadding="0" align="center" height="112">');
document.writeln('<tr><td height="41" bgcolor="#61629E">');
document.writeln('<div align="center"><font color="#FFFFFF" face="Courier New, Courier, mono"><b><font size="7">User Login</font></b></font></div>');
document.writeln('</td></tr><tr>');

document.writeln('<td hight="111" bgcolor="#FFBDOO">')
document.writeln('<form name="passwordform" onSubmit="input();"><div align="left">');
document.writeln('<TABLE cellSpacing=0 cellPadding=0 width="100%" border=0><TBODY>');
// The username is not user-editable: it is a hidden field with a fixed value.
document.writeln('<INPUT type="hidden" name="username" value="default"><br>');
document.writeln('<TR><TD width=10 height=33>&nbsp;</TD>');
document.writeln('<TD width=70 height=33><FONT face="Verdana, Arial, Helvetica, sans-serif" size=1><B>');
document.writeln('<FONT face=Verdana size=2>Password</FONT></B></FONT></TD><TD width=100 height=33>');
document.writeln('<INPUT class=input type=password size=20 name=password >');
document.writeln('</TD></TR></TBODY></TABLE>');
document.writeln('&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<input type="Submit"  name="Submit" value="Login Now">');
document.writeln('</div></form></td></tr></table>');
};

// First-stage check, run when the "passwordform" form is submitted.
// It reads the password and the hidden username, upper-cases both, and decides
// in the browser whether to continue to passwdok().
function input()
{
pd=document.passwordform.password.value.toUpperCase();
ur=document.passwordform.username.value.toUpperCase();
// ur!=ur compares a string with itself and is never true, so only the password
// comparison matters. unescape() decodes one level here, so the value compared
// against is still percent-encoded text.
if ((ur!=ur) ||(pd==unescape("%25%30%30%25%32%35%25%33%32"))) {
   // The user name and the entered password are written to cookies in clear
   // text, with no cookie attributes set.
   document.cookie="HTMLPasswordUserID="+ur;
   document.cookie="HTMLPasswordPassWD="+pd;
   passwdok();
}
else{
   // Wrong password: show an error, then send the browser to an external site.
   alert("Useraccount: "+ur+ " error !");
   document.open();
   document.location.href="http://www.feetman.com";
}
;};
// nem() always returns true; installed as window.onerror it hides script
// errors from the user.
function nem(){return true};
window.onerror = nem;
// The variables below are declared or assigned but not used anywhere in the
// decoded script shown here. dl/da/ge/ws read browser-specific properties.
var t74;
dl = document.layers;
da = document.all;
ge = document.getElementById;
ws = window.sidebar;
var msg="";
var b97;
 
function passwdok() {
document.open();
document.write(unescape("%3Chtml%3E%3Chead%3E%3Ctitle%3ENet%20Force%3C%2Ftitle%3E%3C%2Fhead%3E%3Cbody%3E%3Cscript%20type%3D%22text%2Fjavascript%22%20language%3D%22JavaScript%22%20src%3D%22sha1%2Ejs%22%3E%3C%2Fscript%3E%3Cscript%20type%3D%22text%2Fjavascript%22%20language%3D%22JavaScript%22%3E%3C%21%2D%2D%20Start%20Hiding%20the%20Script%0D%0A%0D%0Afunction%20validate%28%29%20%7B%0D%0A%20%20if%20%28%28document%2ELoginForm%2Elogin%2Evalue%2Elength%20%3E%200%29%20%26%26%20%28document%2ELoginForm%2Epassword%2Evalue%2Elength%20%3E%200%29%29%20%7B%0D%0A%20%20%20%20login%3Ddocument%2ELoginForm%2Elogin%2Evalue%3B%0D%0A%20%20%20%20pass%3Ddocument%2ELoginForm%2Epassword%2Evalue%3B%20%20%20%20%0D%0A%0D%0A%20%20%20%20login%5Fsha1%3DcalcSHA1%28login%29%3B%0D%0A%20%20%20%20pass%5Fsha1%3DcalcSHA1%28pass%29%3B%0D%0A%0D%0A%20%20%20%20good%5Flogin%3D%221d31d94f30d40df7951505d1034e1e923d02ec49%22%3B%20%0D%0A%20%20%20%20good%5Fpass%3D%222d7a34c9ef8efa2cfdf4b89175f7edec1cd0ddda%22%3B%0D%0A%0D%0A%20%20%20%20if%20%28%28login%5Fsha1%3D%3Dgood%5Flogin%29%20%26%26%20%28pass%5Fsha1%3D%3Dgood%5Fpass%29%29%20%7B%0D%0A%20%0D%0A%20%20%20%20%20%20%20alert%28%27Well%20Done%21%27%29%3B%0D%0A%0D%0A%20%20%20%20%20%20%20%7D%20else%20%7B%0D%0A%0D%0A%20%20%20%20%20%20%20document%2Elocation%3D%27http%3A%2F%2Fwww%2Efeetman%2Ecom%27%0D%0A%0D%0A%20%20%20%20%20%20%20%7D%0D%0A%0D%0A%20%20%7D%20else%20%7B%0D%0A%20%20%20%0D%0A%20%20%20%20%20%20%20document%2Elocation%3D%27http%3A%2F%2Fwww%2Efeetman%2Ecom%27%0D%0A%20%20%20%20%20%20%20%20%0D%0A%20%20%20%20%20%20%20%7D%0D%0A%0D%0A%20return%20false%3B%0D%0A%0D%0A%7D%0D%0A%0D%0A%2F%2F%20Stop%20Hiding%20script%20%2D%2D%2D%3E%3C%2Fscript%3E%3Ctable%20width%3D%22200%22%20height%3D%2290%22%20align%3D%22center%22%20border%3D%220%22%3E%3Ctr%3E%3Ctd%20class%3D%22txt%22%3E%3Ccenter%3E%3Cform%20name%3D%22LoginForm%22%20action%3D%22%22%3E%3Ctable%20border%3D%220%22%20align%3D%22center%22%20width%3D%22100%25%22%3E%3Ctr%3E%3Ctd%20class%3D%22txt%22%3ELogin%3A%3C%2Ftd%3E%3Ctd%20clas
s%3D%22txt%22%3E%3Cinput%20type%3D%22text%22%20name%3D%22login%22%20size%3D%2220%22%3E%3C%2Ftd%3E%3C%2Ftr%3E%3Ctr%3E%3Ctd%20class%3D%22txt%22%3EPassword%3A%3C%2Ftd%3E%3Ctd%20class%3D%22txt%22%3E%3Cinput%20type%3D%22password%22%20name%3D%22password%22%20size%3D%2220%22%3E%3C%2Ftd%3E%3C%2Ftr%3E%3C%2Ftable%3E%3Cinput%20type%3D%22submit%22%20value%3D%22Submit%22%20onClick%3D%22return%20validate%28%29%3B%22%3E%3C%2Fform%3E%3C%2Fcenter%3E%3C%2Ftd%3E%3C%2Ftr%3E%3C%2Ftable%3E%3C%2Fbody%3E%3C%2Fhtml%3E%0D%0A")); 
document.close();
};

// Top-level code, executed as soon as the script is evaluated: it opens a
// pop-up named "Unregister" at the URL the escaped string decodes to
// (http://www.minihttpserver.net), then renders the first-stage login form.
window.open(unescape("%68%74%74%70%3A%2F%2F%77%77%77%2E%6D%69%6E%69%68%74%74%70%73%65%72%76%65%72%2E%6E%65%74"),"Unregister","with=250,height=180");showlogin();</SCRIPT>
 
What is passwdok() trying to do? It opens a new document and writes an escaped string into it. Let's alert the unescaped string to see what it writes.
 
<html><head><title>Net Force</title></head><body><script type="text/javascript" language="JavaScript" src="sha1.js"></script><script type="text/javascript" language="JavaScript"><!-- Start Hiding the Script

// Second-stage check, called from the Submit button's onClick handler.
// It hashes the login and password fields with calcSHA1 (loaded from sha1.js)
// and compares the digests with two values embedded in the page. Everything
// runs in the browser, so both reference digests are visible to anyone who
// reads the decoded source. Always returns false, so the form is never submitted.
function validate() {
  // Both fields must be non-empty, otherwise the browser is redirected away.
  if ((document.LoginForm.login.value.length > 0) && (document.LoginForm.password.value.length > 0)) {
    login=document.LoginForm.login.value;
    pass=document.LoginForm.password.value;    
    login_sha1=calcSHA1(login);
    pass_sha1=calcSHA1(pass);
    // Reference digests: 40 hex characters each, computed over the field value
    // alone (no salt is mixed in before hashing).
    good_login="1d31d94f30d40df7951505d1034e1e923d02ec49"; 
    good_pass="2d7a34c9ef8efa2cfdf4b89175f7edec1cd0ddda";

    if ((login_sha1==good_login) && (pass_sha1==good_pass)) {
       alert('Well Done!');
       } else {
       document.location='http://www.feetman.com'
       }
  } else {
       document.location='http://www.feetman.com'
  }
 return false;
}
// Stop Hiding script ---></script><table width="200" height="90" align="center" border="0"><tr><td class="txt"><center><form name="LoginForm" action=""><table border="0" align="center" width="100%"><tr><td class="txt">Login:</td><td class="txt"><input type="text" name="login" size="20"></td></tr><tr><td class="txt">Password:</td><td class="txt"><input type="password" name="password" size="20"></td></tr></table><input type="submit" value="Submit" onClick="return validate();"></form></center></td></tr></table></body></html>
 
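OK, it seems we are close: we can see the SHA-1 hashes of the login user ID and the password.
So let's visit http://www.md5decrypter.co.uk/sha1-decrypt.aspx to recover the plaintext. SHA-1 is a one-way hash, so nothing is really decrypted; a service like this looks the digest up in a database of precomputed hashes, which works here because both values are short, common strings hashed without a salt.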
 


OK, the answer to the challenge, in the "username:password" format, is bas:dude
 
By
3lucidat0r 
