Thursday, June 14, 2012

Solution for Net-Force.nl : Level 103 - Is this safe...?!?

We try to present our writeups so that everyone can follow them.
Today's writeup covers the solution to Level 103 from Net-Force.nl.
The link to the original challenge: http://www.net-force.nl/challenge/level103/

After opening the above link, the only hint given to us is:
Login using the form below, or bypass it.
Again, let's take a quick look at the page's source code, where we see the following.

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="nl">
    <head>
    <title>:: Net-Force Challenge - 103 ::</title>
    <link href="../../css/challenge.css" rel="stylesheet" type="text/css" />
    </head>
    <body>
    <div id="top">
    <img src="../../images/challenge_logo.png" alt="" />
    </div>
    <div id="challenge">
    <h1>Is this safe...?!?</h1>
    <p>
    Login using the form below, or bypass it.<br /><br />
    <!-- soulslayer:2aBl6E94IuUfo or guess it....-->
    <script type="text/javascript">
    <!--
    // /\
    // / \
    // | | |
    // \ \/
    // / | |
    // \ /
    // \ / oulslayer

    function go() {
        var user = document.form.user.value;
        var pass = document.form.pass.value;
        if ( pass == "" ) {
            alert("Invalid Password!");
        } else {
            location = user.toLowerCase() + "/" + pass.toLowerCase() + ".html";
        }
    }
    //-->
    </script>
    </p>
    <form name="form">
    <font face="verdana">
    <table style="margin: auto;">
    <tr>
        <td><span style="color: green">User:</span></td>
        <td><input type="text" name="user" size="15" /></td>
    </tr>
    <tr>
        <td><span style="color: green">Pass:</span></td>
        <td><input type="password" name="pass" size="15" /></td>
    </tr>
    <tr>
        <td></td>
        <td align="center">
            <input type="button" value="Login" name="login" onclick="go()">
        </td>
    </tr>
    </table>
    </font>
    </form>
    <div id="madeby">Challenge made by soulslayer.</div>
    </div>
    </body>
    </html>


What interests us the most is the following comment within the source code.
<!-- soulslayer:2aBl6E94IuUfo or guess it....-->
It seems to be telling us to brute-force the hashed password. xDDD
However, further analysis of the following code snippet tells us that the script never checks the credentials itself. It only builds a URL from them, so if we get the username and password correct, we should be redirected to another page.
location = user.toLowerCase() + "/" + pass.toLowerCase() + ".html";
So what if we directly access the following link:
http://www.net-force.nl/challenge/level103/soulslayer/2abl6e94iuufo.html
It seems to redirect us back to the main page of Net-Force.nl.
But what if we go to the parent directory of this file?
That seems to work, and we are able to see the following image.


If we click on blaat.html and access it, we will be greeted with the following sentence. :D
The password for this challenge is: blaataap
As we can see, we solved this. :D


OK, another way to approach this is probably to use "John the Ripper".
If we run it with the following command:
john.exe --show soul.txt
We will see this:




From the image, we can see that the cracked password is "blaat", which is the same as what we found out earlier. So basically, we can approach this challenge in 2 ways. :D
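Both leaks this level depends on, the passwd-style hash left in an HTML comment and the script that builds the "protected" URL from the form fields, can be caught by reviewing the page source before it ships. The following is an added example, not part of the original post or the challenge; `auditPage` and its rule names are hypothetical, and the sample input is a trimmed copy of the page shown above.

```javascript
// Added example: audit page source for the two leaks this writeup relies on.
// SAMPLE is a constructed, trimmed copy of the challenge page quoted above.
const SAMPLE = `
<!-- soulslayer:2aBl6E94IuUfo or guess it....-->
<script type="text/javascript">
function go() {
    var user = document.form.user.value;
    var pass = document.form.pass.value;
    if ( pass == "" ) {
        alert("Invalid Password!");
    } else {
        location = user.toLowerCase() + "/" + pass.toLowerCase() + ".html";
    }
}
</script>`;

// Traditional DES crypt(3) output: 2 salt chars + 11 hash chars, all from [./0-9A-Za-z].
const CRYPT_ENTRY = /\b([A-Za-z_][\w-]*):([.\/0-9A-Za-z]{13})(?![.\/0-9A-Za-z])/;

// auditPage and its rule names are hypothetical, chosen for this example.
function auditPage(html) {
  const findings = [];
  // Rule 1: "user:hash" entries left behind in HTML comments.
  for (const m of html.matchAll(/<!--([\s\S]*?)-->/g)) {
    const hit = CRYPT_ENTRY.exec(m[1]);
    if (hit) findings.push({ rule: "hash-in-comment", user: hit[1], salt: hit[2].slice(0, 2) });
  }
  // Rule 2: scripts that derive the navigation target from form field values.
  for (const s of html.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script>/gi)) {
    const tainted = new Set(); // variables assigned from document.<form>.<field>.value
    for (const v of s[1].matchAll(/\b(?:var|let|const)\s+(\w+)\s*=\s*document\.[\w.]+\.value\b/g)) {
      tainted.add(v[1]);
    }
    for (const a of s[1].matchAll(/\b(?:window\.|document\.)?location(?:\.href)?\s*=(?!=)\s*([^;\n]+)/g)) {
      const used = [...tainted].filter((name) => new RegExp(`\\b${name}\\b`).test(a[1]));
      if (used.length) findings.push({ rule: "client-side-gate", fields: used });
    }
  }
  return findings;
}

console.log(auditPage(SAMPLE));
```

Neither rule covers the browsable parent directory; that is a web server setting and has to be checked on the server itself.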

Cheers
0x4A61636F62
