Wednesday, September 12, 2012

Solution for bright-shadows.net : Exploit 02 Analyze This 1


This is the link to the original challenge http://www.bright-shadows.net/challenges/exploits/exploit_analyse1/index.php
However, you will need to register before you can make an attempt to solve this.


Tools Used: ---

This challenge is about Directory Traversals.

There are 2 scripts, and the goal is to supply an input for the GET parameter url so as to gain access to /user/www/index.php

Let's take a look at the first script
$url   = str_replace("../","",$_GET['url']);
$hfile = fopen("/user/www/challenges/$url", "r");
These 2 lines are the important part.

The script removes every instance of "../" from the input. As the fopen function starts in the challenges folder, you have to traverse 1 directory up to access the goal.

The filter makes only a single pass over the input, so it can be easily bypassed by entering something like ".../...//index.php".
Removing the two "../" sequences leaves characters that join up into a new "../", and the fopen function will open the following file:
/user/www/challenges/../index.php

Let's take a look at the second script
if((strpos($_GET['url'],"../") === false)
     AND (strpos($_GET['url'],"://") === false)){

     $hfile = fopen("$url", "r");
These 3 lines are the important part.

The script checks whether the input contains the character sequences "../" or "://". If it does, it displays an error page and aborts the opening of the file. In this case, we are unable to perform reverse directory traversal.

However, on a closer look, the fopen function uses the url parameter directly, without prepending or appending any path. It is possible to get to the goal page by just entering the exact path "/user/www/index.php".

Enjoy =D

thegrayone
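
The two filters from this post, modelled in Python beside a resolve-then-check alternative. This is an added example, not part of the original challenge or post; the function names are made up for the sketch, and posixpath.normpath stands in for the path resolution the operating system performs when the file is opened.

```python
import posixpath

BASE = "/user/www/challenges"   # directory the first script prepends
GOAL = "/user/www/index.php"    # file the challenge wants opened


def script1_path(url):
    """First script: strip "../" in one pass, then prefix with BASE."""
    # Like PHP's str_replace, str.replace scans left to right once and never
    # re-examines the text that the removals leave behind.
    return BASE + "/" + url.replace("../", "")


def script2_path(url):
    """Second script: reject "../" and "://", then open the value as given."""
    if "../" in url or "://" in url:
        return None
    return url  # no base directory is prepended, so absolute paths pass


def resolve(path):
    """Collapse "." and ".." segments the way the OS does on open."""
    # normpath is purely textual; on a real filesystem os.path.realpath (or
    # realpath() in PHP) should be used so that symlinks are resolved too.
    return posixpath.normpath(path)


def safe_path(url, base=BASE):
    """Hardened check: resolve first, then require the result under base."""
    candidate = resolve(posixpath.join(base, url))
    if candidate != base and not candidate.startswith(base + "/"):
        return None
    return candidate


def report():
    """Run the two inputs from the post through every variant."""
    rows = []
    for url in (".../...//index.php", "/user/www/index.php"):
        s1 = resolve(script1_path(url))
        s2 = script2_path(url)
        rows.append({
            "input": url,
            "script1_opens": s1,
            "script2_opens": resolve(s2) if s2 is not None else None,
            "hardened_opens": safe_path(url),
        })
    return rows


if __name__ == "__main__":
    for row in report():
        print(row)
```

The hardened variant never edits the input: it resolves the final path and compares it with the allowed directory, so both the rejoined "../" and the absolute path are refused.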

Solution for bright-shadows.net : Exploit 01 Easy Starter


This is the link to the original challenge http://www.bright-shadows.net/challenges/exploit_long/index.php
However, you will need to register before you can make an attempt to solve this.


Tools Used: Tamper Data or Firefox Console

This is an easy warmup.

We are presented with a login page and a clue stating that the username should be at least 5 characters long but less than 20.

Let's try passing in invalid usernames.

Login with a username with less than 5 characters.
An alert box pops up saying that this is not the solution.




Next, let's try logging in with a username which is more than 20 characters.
Here is where the problem is. The form input restricts the max length to 20 characters.

There are 2 ways to bypass this.

1)  Tamper Data

Tamper Data is an add-on for Firefox. I highly recommend installing this add-on as it will help with many of the exploit challenges on bright-shadows.net

Using Tamper Data, we can tamper the post parameters that are sent after the submit button is clicked.

2) Firefox Console

If you are using Firefox, you can bring up the Firefox console (Ctrl + Shift + K).

After that, type the JavaScript command "document.forms[0].elements['input_user'].maxLength = 30;" into the console. This alters the HTML document, and the form now allows you to enter up to 30 characters in the username field.

Using either method, submit a username that is longer than 20 characters and the resulting "error" page gives you the correct username and password to login with.

Enjoy =D

thegrayone

Tuesday, September 11, 2012

Solution for www.net-force.nl : Level 307 Sea Code



This is the link to the original challenge: http://www.net-force.nl/challenge/level307/

Quest:
Decode the code below and then you'll have the password for this level (password is lowercase).

- .... . .--. .- ... ... .-- --- .-. -.. ..-. --- .-. - .... .. ... .-.. . ...- . .-.. .. ... .-- . .-.. .-.. -.. --- -. .


This is quite easy. At first glance, we know that this is a morse code puzzle.
So let's use a Morse Code to Text translator.

I'm using this website's translator. :D

Using that, I got back the following. :D
"THEPASSWORDFORTHISLEVELISWELLDONE"
So the password to this challenge is.
Password: "welldone"

Cheers
0x4a61636f62

Saturday, July 21, 2012

Solution for www.net-force.nl : Level 404 Hiding in a pipe


This is the link to the original challenge: http://www.net-force.nl/challenge/level404/portal.php

Quest:
Hack this 'portal' to find the password :-)


This puzzle is an easy one. The hint given to us is hiding in a pipe. The portal provides us with 3 forms which allow us to DES crypt, finger a user and ping itself. As shown below...
Now we all know that ping is a standard command... could it be that the server takes the text box value and passes it off as a command? Let us try to modify ping netforce.nl to ls instead... ah... somehow it failed... there must be some sort of filtering... but wait, what will happen if we were to pipe another command behind this ping? Let us try "ping netforce.nl | ls" in the textbox...


wow... we got something here.... what's in info.txt?
try this link: http://www.net-force.nl/challenge/level404/info.txt
it states... Nice one, you have finished the first part...proceed

=( continue to part 2... there is a protected folder... question is how do we get to the folder when an authentication is required...

ah... remember in the portal.php? there is a finger user textbox with a default username in it: "BasTijs". But no password is given... let us just try the username with no password... bingo we got in! It shows us the files in the protected folder and solution.php is the password to this puzzle.

Password: pijpme!

Cheers
3lucidat0r
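
How a shell reads the text box value from this post, and what a ping form can accept instead. This is an added Python sketch, not the portal's code (which the post does not show); it assumes the handler passes the whole value to a shell, and the function names and hostname pattern are made up for the illustration.

```python
import re
import shlex

# Operators that end one command and start another in a POSIX shell.
CONTROL_OPERATORS = {"|", "||", "&", "&&", ";"}
# Characters worth flagging when they show up in a "hostname" field.
SHELL_META = set("|&;<>()$`\\\"'\n")

LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME = re.compile(r"(?=.{1,253}\Z)%s(?:\.%s)*" % (LABEL, LABEL))


def shell_stages(command_line):
    """Split a command line into the separate commands a shell would run."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    stages, current = [], []
    for token in lexer:
        if token in CONTROL_OPERATORS:
            stages.append(current)   # operator closes the current command
            current = []
        else:
            current.append(token)
    stages.append(current)
    return stages


def build_ping_argv(host):
    """Hardened form: accept a hostname only and build an argument list.

    The list is meant for subprocess.run(argv) without shell=True, so no
    shell ever parses the user's text.
    """
    if not HOSTNAME.fullmatch(host):
        raise ValueError("not a hostname: %r" % host)
    return ["ping", "-c", "1", host]


def metacharacters(value):
    """Detection helper: shell metacharacters present in a request value."""
    return sorted(set(value) & SHELL_META)


# Constructed sample values for the ping text box.
SAMPLES = ["ping netforce.nl", "ping netforce.nl | ls"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", shell_stages(sample), metacharacters(sample))
    print(build_ping_argv("netforce.nl"))
```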

Monday, July 9, 2012

Solution for bright-shadows.net : JavaScript - Hard but possible.


This is the link to the original challenge: http://bright-shadows.net/challenges/levelj4/index.php

However, you will need to register before you can make an attempt to solve this. 

Quest:
Only input a valid username and you will get to the solution page.


As this is the easiest one, let's just do a quick "view-source" and we can quickly spot the following Javascript.

<script type="text/javascript">
  function testEncode(form){
    input_user = document.formular.user.value;
    if (input_user == "thebestoneisthis") {
        window.location.href="thebestoneisthis.php";
    }else{
        window.location.href=input_user +".php";
    }
}
</script>

As we can see, it is trying to validate whether our input value matches "thebestoneisthis"

You see "thebestoneisthis" and that's the password.

That's pretty easy for everyone to understand. :D


Cheers
0x4A61636F62

Solution for bright-shadows.net : Crypto - Easy starter!


This is the link to the original challenge: http://bright-shadows.net/challenges/levelc1/crypto1.php
However, you will need to register before you can make an attempt to solve this. 

Quest:
The decrypted text will tell you the solution.
tedespqtcdezypozyzeqzcrpeesleespalddhzcotdlsopqufvwrcmodprq


The first thing that comes to my mind for all basic crypto challenges is Caesar's Cipher.
Immediately, I thought of using this to help me do a quick check of whether my hunch is correct.
 


After some tampering with the shifting, it seems that N has to be 15. In other words, shift 11 to the right and we get back the following:
itsthefirstonedonotforgetthatthepasswordisahdefjuklgrbdsegf
The author of this challenge just concatenated everything together, and the password to the challenge is "ahdefjuklgrbdsegf" without the double quotes.

That's pretty easy for everyone to understand. :D


Cheers
0x4A61636F62

Solution for bright-shadows.net : JavaScript - Easy script


This is the link to the original challenge: http://www.bright-shadows.net/challenges/scripts/js5/index.php
However, you will need to register before you can make an attempt to solve this. 

Quest:
Please enter your username!


As this is the easiest one, let's just do a quick "view-source" and we can quickly spot the following Javascript.

<script type="text/javascript">
  function check() {
    pass     = unescape('%44%61%67%6F%62%65%72%74%20%44%75%63%6B');
    solution = pass.substr(0,8)+pass.substring(9,13)+pass.substring(8,9);
    passwd = document.formular.user.value;
    if (passwd == solution) {
      window.location.href=solution+".php";
    }
    else {
      alert("False!!!");
    }
  }
</script>

As we can see, it is trying to validate our input value against solution whereby solution is extracted from pass.


A simple solution to this is simply to place an alert right after the following:

passwd = document.formular.user.value;
 
alert(solution); 
 
and before the following: 
if (passwd == solution) {



You see "DagobertDuck " and that's the password. Please be reminded that there is a "space" at the end of the password.

That's pretty easy for everyone to understand. :D


Cheers
0x4A61636F62

Solution for Crackmes.de - HonestGamer's Crackme


This is the link to the original crackme: http://www.crackmes.de/users/honestgamer/crackme/

However, you will need to register before you can download the binary. 

Hints:
Crackme is coded in C# (.NET) using Visual Studio 2010.

=========================

The User ID should be an integer that is less than 4 digits.

The User Code should be an integer as well...

=========================

This crackme is no big deal, so best of luck! :)

Regards,
HonestGamer
Difficulty: 1 - Very easy, for newbies
Platform: Windows
Language: .NET

Published: 15. Feb, 2011

Tools Required:
ilSpy - http://wiki.sharpdevelop.net/ilspy.ashx



This is another crackme rated difficulty level 1, and it is a .NET binary, so let's open it with ilSpy right away. We immediately find the portion that is required to code our KeyGenMe. :D

Let's take a look at the main function for this binary.

private static void Main(string[] args){
            Console.WriteLine("Crackme By HonestGamer");
            int num = 0;
            char c;
            do
            {
                Keygen keygen = new Keygen();
                keygen.Generate();
                keygen.Check(ref num);
                if (num == 0)
                {
                    Console.Write("\nInvalid Code, Try Again (Y/N)? ");
                    c = Convert.ToChar(Console.ReadLine());
                }
                else
                {
                    c = 'N';
                    Console.WriteLine("\nValid Code, Well Done! Write A Keygen Now...");
                }
            }
            while (c == 'Y' || c == 'y');
            Console.WriteLine("\nHit The Enter Key To End...");
            Console.ReadLine();
}


As we can see from the above code snippet that we have extracted with ilSpy, it constructs a Keygen object and calls keygen.Generate before validating with keygen.Check.

Let's take a look at the 2 functions.

private Keygen(){
            do
            {
                Console.Write("\nEnter User ID: ");
                this.UserID = Convert.ToInt32(Console.ReadLine());
                if (this.UserID > 0 && this.UserID < 10000)
                {
                    this.UFlag = 1;
                }
                else
                {
                    this.UFlag = 0;
                    Console.WriteLine("\nUser ID Is Out Of Range! Please Enter Number Less Than 4 Digits...");
                }
            }
            while (this.UFlag == 0);
            Console.Write("\nEnter Code: ");
            this.UserCode = Convert.ToInt32(Console.ReadLine());
}


private void Generate(){
            int num = this.UserID * 786;
            this.ValidCode = num * 17;
            num = this.ValidCode / 12;
            this.ValidCode = num + 1991;
}


private void Check(ref int RFlag){
            if (this.ValidCode == this.UserCode)
            {
                RFlag = 1;
            }
            else
            {
                RFlag = 0;
            }
}


Judging from the above code snippets, the UserID had to be bigger than 0 and less than 1000.
Then it uses the user's input value for UserID to generate the serial and validate it with Check function.


Based on the Generate function, it's pretty easy for us to code the solution for this KeyGenMe now that we know the inner algorithm for it.

I have developed the solution to this crackme and placed it here.
But I will release the source code later.


I do hope that people will learn from this and find it enriching. xDDD


Cheers
0x4A61636F62

Sunday, July 8, 2012

Solution for Crackmes.de - Beezdul's Keygenme #1


This is the link to the original crackme: http://crackmes.de/users/beezdul/keygenme_1/

However, you will need to register before you can download the binary. 

Hints:
This crackme / keygenme was made in .net; have fun cracking it! Rules : NO PATCHING!, no selfgen. You need to make a cool keygen with cool graphics and an epic chiptune. Cheers!
Difficulty: 1 - Very easy, for newbies
Platform: Windows
Language: .NET

Published: 08. Feb, 2012

Tools Required:
ilSpy - http://wiki.sharpdevelop.net/ilspy.ashx



Since the author of this Keygenme described it as difficulty 1 and it is a .NET binary, let's open it with ilSpy right away. We immediately find the portion that is required to code our KeyGenMe. :D


private void Button1_Click(object sender, EventArgs e)
{
    bool flag = this.TextBox1.TextLength != 14;
    checked
    {
        if (!flag)
        {
            flag = (Strings.Asc(this.TextBox1.Text[4]) != 45);
            if (!flag)
            {
                flag = (Strings.Asc(this.TextBox1.Text[9]) != 45);
                if (!flag)
                {
                    object left = string.Concat(new string[]
                    {
                        Conversions.ToString(this.TextBox1.Text[0]),
                        Conversions.ToString(this.TextBox1.Text[1]),
                        Conversions.ToString(this.TextBox1.Text[2]),
                        Conversions.ToString(this.TextBox1.Text[3]),
                        "-",
                        Conversions.ToString(Strings.Asc(this.TextBox1.Text[0]) + Strings.Asc(this.TextBox1.Text[2]) * 10 + 3324),
                        "-"
                    });
                    object right = Strings.Asc(this.TextBox1.Text[1]) + Strings.Asc(this.TextBox1.Text[3]) * 10 + 1000;
                    flag = Conversions.ToBoolean(Operators.NotObject(Operators.CompareObjectEqual(this.TextBox1.Text, Operators.ConcatenateObject(left, right), false)));
                    if (!flag)
                    {
                        Interaction.MsgBox("Great job! Make a keygen!", MsgBoxStyle.Information, null);
                        return;
                    }
                }
            }
        }
        Interaction.MsgBox("You Failed :( Keep trying!", MsgBoxStyle.Information, null);
    }
}
Analysing the Algorithm behind this Crackme:
As we can see from the code extracted from the crackme, the serial has to be 14 characters long, and the 5th and 10th characters have to be "-" without the double quotes (ASCII code 45, if we look it up on http://www.asciitable.com/).

The first 4 characters can be any random characters. The 1st and 3rd of these 4 characters are used to generate the 2nd set in the serial, and the 2nd and 4th are used to generate the 3rd set in the serial.

It's pretty easy for us to code the solution for this KeyGenMe now that we know the inner algorithm of this crackme.

I have developed the solution to this crackme and placed it here.
But I will release the source code later.


I do hope that people will learn from this and find it enriching. xDDD


Cheers
0x4A61636F62
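
The checks from the two decompiled crackmes (HonestGamer's Generate/Check and Beezdul's Button1_Click), re-implemented in Python so the arithmetic can be followed and tested. This is an added example, not the source code the posts mention and not the crackme authors' code; the function names are made up here, and ord() is assumed to match Strings.Asc, which holds for ASCII characters.

```python
def honestgamer_valid_code(user_id):
    """Mirror of Keygen.Generate() for a User ID the constructor accepts."""
    if not 0 < user_id < 10000:        # range test in the Keygen constructor
        raise ValueError("User ID out of range")
    num = user_id * 786
    valid_code = num * 17
    num = valid_code // 12             # C# int division; operands are positive
    return num + 1991


def honestgamer_check(user_id, user_code):
    """Mirror of Keygen.Check(): the entered code must equal ValidCode."""
    return honestgamer_valid_code(user_id) == user_code


def beezdul_expected(prefix):
    """Serial that Button1_Click rebuilds from the first 4 characters."""
    a, b, c, d = (ord(ch) for ch in prefix)
    left = "%s-%d-" % (prefix, a + c * 10 + 3324)
    right = b + d * 10 + 1000
    return left + str(right)


def beezdul_check(serial):
    """Mirror of Button1_Click: length 14, dashes at 4 and 9, exact match."""
    if len(serial) != 14 or serial[4] != "-" or serial[9] != "-":
        return False
    return serial == beezdul_expected(serial[:4])


def beezdul_serial(prefix):
    """Build a serial for a 4-character printable ASCII prefix."""
    if len(prefix) != 4 or not all(32 <= ord(ch) <= 126 for ch in prefix):
        raise ValueError("prefix must be 4 printable ASCII characters")
    serial = beezdul_expected(prefix)
    # For printable ASCII both numeric groups always have 4 digits
    # (3676..4710 and 1352..2386), so the length is always 14.
    if not beezdul_check(serial):
        raise AssertionError("generated serial failed its own check")
    return serial


if __name__ == "__main__":
    print(1, honestgamer_valid_code(1))
    print(beezdul_serial("ABCD"))
```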

Friday, July 6, 2012

Solution for bright-shadows.net : JavaScript - Hash the future!


This is the link to the original challenge: http://www.bright-shadows.net/challenges/scripts/js3/index.php
However, you will need to register before you can make an attempt to solve this. 

Quest:
Immediately, we are greeted with an alert of "No, no, no. Try it again." Let's just do a quick "view-source" and we can quickly spot the following Javascript.

<script type="text/javascript">
  date = new Date();
  year = date.getYear();
  add  = year;
  for (i = 1; i<= year;i++)
  {
    add +=year+i;
  }
  alert(add);
  if (add == 395425559298)
  {
    alert("Good job! You got it!");
    window.location.href=year+".php";
  }
  else
  {
    alert("No, no, no. Try it again!");
    window.location.href="/hackchallenge.php";
  }
</script>
As we can see, it's trying to use the year to do some additions and check whether the final sum is equal to 395425559298.

Well after some tampering of the script, we found out that the value for year must be 513436 in order to solve this.

Cheers
0x4A61636F62
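
The loop in the script above has a closed form, so the year can be solved for directly instead of by trial. This is an added Python example, not part of the original post or challenge; the function names are made up here.

```python
from math import isqrt

TARGET = 395425559298  # constant the challenge script compares against


def script_sum(year):
    """The challenge's loop, carried over line by line."""
    add = year
    for i in range(1, year + 1):
        add += year + i
    return add


def closed_form(year):
    """Same value without the loop.

    add = year + year*year + (1 + 2 + ... + year)
        = year + year**2 + year*(year + 1)/2
        = 3*year*(year + 1)/2
    """
    return 3 * year * (year + 1) // 2


def solve_year(target):
    """Return the non-negative integer year giving target, or None."""
    if target < 0 or (2 * target) % 3:
        return None
    product = 2 * target // 3            # equals year * (year + 1)
    discriminant = 4 * product + 1       # equals (2*year + 1) ** 2
    root = isqrt(discriminant)
    if root * root != discriminant:
        return None                      # no integer year produces target
    return (root - 1) // 2


if __name__ == "__main__":
    print(solve_year(TARGET))
```

The target is below 2^53, so the browser's floating-point addition in the original script gives the same exact integer.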
 

Solution for bright-shadows.net : JavaScript - Often used but easy to solve.


This is the link to the original challenge: http://www.bright-shadows.net/challenges/scripts/js1/index.php
However, you will need to register before you can make an attempt to solve this. 

Quest:
Password


Immediately, we are prompted to enter the password. Let's just do a quick "view-source" and we can quickly spot the following Javascript.

<script type="text/javascript">
  function password () {
    var d1, d2, d3, d4, d5, input;
    d1=window.document.bgColor;
    d2=window.document.linkColor;
    d3=d1.substring (1,5)+d2.substring (1,3);
    d4=d3.toUpperCase ();
    input=prompt("Password:","");
    if (input!=d3 && input!=d4) {
      alert("Are you crazy? Thats so easy!");
      window.location.href="/hackchallenge.php";
    }
    else {
      window.location.href=d3+".php";
    }
  }
</script>
<body onLoad="password()" class="usual" link="#FF9900" bgcolor="#D0D0D0">



As we can see, we are required to have d3 or d4 as password. 
Well, the easy way to solve this challenge is to either manually write out the substring or save the entire page and add the following line of code
alert(d4);
 
right before  
 
input=prompt("Password:",""); 
 
We will see an alert with D0D0FF and that is our answer for this challenge. 

That's pretty easy for everyone to understand. :D


Cheers
0x4A61636F62

Solution for bright-shadows.net : JavaScript - First one and very easy to do.


This is the link to the original challenge: http://www.bright-shadows.net/challenges/scripts/js1/index.php
However, you will need to register before you can make an attempt to solve this. 

Quest:
Please enter your username!


As this is the easiest one, let's just do a quick "view-source" and we can quickly spot the following Javascript.

<script type="text/javascript">
  function usercheck() {
    input_user=document.formular.user.value;
    if (input_user=="warmup") {
      window.location.href=input_user +".php";
    }
    else {
      alert("Go home!");
      window.location.href="http://www.disney.com";
    }
  }
</script>

As we can see, the username is warmup and eventually we should be redirected to warmup.php and you can see "Well Done"

That's pretty easy for everyone to understand. :D


Cheers
0x4A61636F62

Solution for Net-Force.nl : Level 601 - Keep walking...


This is the link to the original challenge: http://www.net-force.nl/challenge/level601/

Quest:
This is a challenge to test your basic programming skills.

Pseudo code:
Set X = 1
Set Y = 1
Set previous answer = 1

answer = X * Y + previous answer + 3

After that => X + 1 and Y + 1 ('answer' becomes 'previous answer') and repeat this till you have X = 525.

The final answer is the value of 'answer' when X = 525. Fill it in below to check if it's the correct answer. If it is, you will get the password for the challenge page.

Example:
5 = 1 * 1 + 1 + 3
12 = 2 * 2 + 5 + 3
24 = 3 * 3 + 12 + 3
........................
........................

Since this is a programming challenge, let's look at the clues given to us.
Set X = 1
Set Y = 1
Set previous answer = 1

answer = X * Y + previous answer + 3
So we need 3 variables, x, y and answer as we can reuse "answer" as "previous answer". This will translate to something like the following.
x=1
y=1
answer = 1
answer = x * y + answer + 3
Based on the hints given, I finally coded a Python script that gave me the answer.
def main():
    # X and Y always move together, starting at 1
    x = 1
    y = 1
    # 'answer' doubles as 'previous answer' between iterations
    answer = 1

    for z in range(0, 525):
        answer = x * y + answer + 3
        x += 1
        y += 1
        if x == 524:
            print("\nprevious answer = %d" % answer)
    # after the loop, 'answer' holds the value computed with X = 525
    print("\nx=%d, y=%d\nanswer = %d" % (x, y, answer))

if __name__ == '__main__':
    main()
Running my own script, I got back this:
previous answer = 47823644

x=526, y=526
answer = 48373851
We entered the answer in the challenge page and smelled success again.


So the answer for this challenge is "pr0ggen"


Cheers
0x4A61636F62

Solution for Net-Force.nl : Level 804 - Nice colors eh?


This is the link to the original challenge: http://www.net-force.nl/challenge/level804/

Quest:
Uhm ok, get the password out of this image...it's a dutch word :)


Required Tools:
Gimp -  http://www.gimp.org/
AsciiTable - http://www.asciitable.com/

Logic Behind this Challenge:
Ok, from what I can see right now, the image seems to be in different shades of a similar colour.
Using Gimp, I have derived the following HTML notation for the colours:
8B8B61, 8B8B61, 8B8B70, 8B8B6A, 8B8B65, 8B8B73


As we can see, the HTML notation for all the colours differ slightly. So let's try converting the last portion of each colour from Hex back to Ascii.

The word that we got back is aapjes and that is the password to this particular challenge.


 
Cheers
0x4A61636F62

Thursday, July 5, 2012

Solution for Net-Force.nl : Level 402 - Oops, a typo...


This is the link to the original challenge: http://www.net-force.nl/challenge/level402/

Quest:
This challenge consists of two parts.

Just start here.

Required Tools:
Live HTTP Headers - http://livehttpheaders.mozdev.org/

Logic Behind the Challenge:
When we try to access http://www.net-force.nl/challenge/level402/protected.php
We will see the following image:
From the error in the image, it seems that it is expecting some sort of input variable, ip and that ip had to be from 213.75.238.147
Ok, let's try feeding a parameter to the url like this:
http://www.net-force.nl/challenge/level402/protected.php?ip=213.75.238.147

By doing so, we have solved 1 half of the challenge and we will see this.
Congratz...You have solved the first part :)

Proceed

If we access the link given directly, we will end up on 
http://www.net-force.nl/challenge/level402/auth.php?denied
The clue is "Access Denied"

Maybe let's try to view it with Live HTTP Headers


It seems to us that it's trying to do a GET to 
http://www.net-force.nl/challenge/level402/auth.php?show=no
Then it redirects us to

http://www.net-force.nl/challenge/level402/auth.php?denied

So the question now for us is...what if we change value for parameter, show, to yes instead of no

The url would look like this:
http://www.net-force.nl/challenge/level402/auth.php?show=yes

Doing so, we will be greeted with 
The password is: expl017
So there we have it, the password for this particular challenge is expl017
 
Cheers
0x4A61636F62

Solution for Net-Force.nl : Level 401 - Training - Nice include system ;)



Quest:
Exploit this include system and use it to obtain the password file of the system.
The password for user NetForce is also the password for the challenge page!

This challenge is part of the basic training. If you don't know what to do you can check out the solution.

Required Tools:

Logic Behind the Challenge:
At first glance, it seems like it should be a SQLi or LFI problem.
Since the hints given are "The password for user NetForce is also the password for the challenge page!"
Ok, let's try LFI by changing challenge.php to ../etc/passwd

Awesome, we got back the following. :D
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/var/spool/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/dev/null
rpm:x:37:37::/var/lib/rpm:/bin/bash
xfs:x:43:43:X Font Server:/etc/X11/fs:/bin/false
ntp:x:38:38::/etc/ntp:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/bin/false
gdm:x:42:42::/var/gdm:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/bin/false
ident:x:98:98:pident user:/:/sbin/nologin
radvd:x:75:75:radvd user:/:/bin/false
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
apache:x:48:48:Apache:/var/www:/bin/false
NetForce:2J3OLLk8Ys6/k:500:500:NetForcec:/home/NetForce:/bin/bash
squid:x:23:23::/var/spool/squid:/dev/null
named:x:25:25:Named:/var/named:/bin/false
pcap:x:77:77::/var/arpwatch:/bin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash 

Since the hints implied that the user is NetForce, let's try using John The Ripper to find out the answer.

C:\john179\run>john.exe --show 1.txt
NetForce:koe

1 password hash cracked, 0 left

C:\john179\run>
As we can see above, the password to this challenge is "koe"

Cheers
0x4A61636F62

Solution for Net-Force.nl : Level 403 - Source Cooking!


This is the link to the original challenge: http://www.net-force.nl/challenge/level403/index.php

Quest:
Gain access to this script!

Challenge


Btw, we've got a new option to view the source of this page! Neat eh?

View Source
 

Tools Required:
Cookie Manager+ - https://addons.mozilla.org/en-US/firefox/addon/cookies-manager-plus/
 
Logic Behind the Challenge:
Let's take a look at the source of that page and we can see the following source code as shown in the image below.




So let's change the parameter from index.html to challenge.php, giving http://www.net-force.nl/challenge/level403/source.php?url=challenge.php


All that was returned is "Only HTML files allowed!"

Hmmm..let's try doing a null-byte injection "%00.html" without the double quotes right behind the url again. Null Byte Injection is an active exploitation technique that was used very frequently in the past to bypass sanity checking filters.

This time round, we smelled some success here.


Ahhh...this seems much easier now. So it expects a cookie with the md5 hash value of NetForce.


Ok, let's fire up Cookie Manager+ and add in the following cookie.



After we have added the cookie, let's try to access the challenge.php page again and this time round, you should see the password, CookieMonster




I do hope that someone learned something from here.


Cheers
0x4A61636F62

Solution for Net-Force.nl : Level 701 - Hey, where are you from?


This is the link to the original challenge: http://www.net-force.nl/challenge/level701/index.php

Quest:
When all the HTTP vars are [OK] you will find the password!
Forwarded: (politie.nl)[FAILED]
OS: (Unix)[FAILED]
Via: (net-force.nl)[FAILED]

Tools Required:
 
Logic Behind this challenge:
Well from initial analysis, it seems that the author of this challenge wanted us to fake our data to conform to what he / she wanted.

So let's use Modify Headers and fill it with this information as shown in the image below.
After we have started it and refreshed the challenge page, it will look like this.


It seems like we are required to get it right if we use a Mac or Ubuntu. But in this case, I prefer to use User Agent Switcher and change it to an Android user agent.


After changing to that, we smelled success immediately. The answer appeared right before our eyes.





The password is: httpheaders


Cheers
0x4A61636F62

Tuesday, July 3, 2012

Solution for Net-Force.nl : Level 805 - Another picture!


This is the link to the original challenge: http://www.net-force.nl/challenge/level805/index.php

Quest:
Another dutch word is hidden in this image ;)


Logic Behind this Challenge:
At first glance, the top left hand corner of the image seems a bit distorted.
So I guess maybe I should open it with Notepad or other similar tools.

One thing that caught my notice is this particular string at the end of the image.


Hmmm...seems like some sort of Binary.
Let's convert this piece of Binary back to Ascii and see what it returns to us.
Awesome, we got back "koekj3s" and that is the password to this particular challenge. :D

It seems easy, but I believe such techniques have been used in some cases in the past when people tried to hide data that they had stolen from companies.


Cheers
0x4A61636F62


Solution for Net-Force.nl : Level 802 - Go Holland Go!


This is the link to the original challenge: http://www.net-force.nl/challenge/level802/index.php

Quest:
There is password hidden on this page, find it...that's all (dutch word)

110101010101010101010101010101010101010101010101

011111111111111111111111111111111111111111111110
110000000000001100111110011001111111100000000011
010000000000001100111110011001111111100000000010
111111100111111100111110011001111111100111110011
011111100111111100111110011001111111100111110010
111111100111111100111110011001111111100000000011
011111100111111100111110011001111111100000000010
111111100111111100111110011001111111100111111111
011111100111111100111110011001111111100111111110

111111100111111100000000011000000001100111111111
011111100111111100000000011000000001100111111110
111111111111111111111111111111111111111111111111
110101010101010101010101010101010101010101010101

This is probably much more obvious than the previous challenge.

If we take a much closer look, we will realise that there is a word within the flag-like image.
That word is "TULP" and that is the password to this particular challenge.

Cheers
0x4A61636F62

Solution for Net-Force.nl : Level 801 - Training - Can you see me?


This is the link to the original challenge: http://www.net-force.nl/challenge/level801/index.php

Quest:
********** Your challenge is to find it :) **********

Look at the file password.gif and you will find the password for the next challenge page easy!!!...You hope ;-)


This challenge is part of the basic training. If you don't know what to do you can check out the solution.

Obviously, there is a solution provided, but where's the fun in that? You won't learn if you look at the answer straight away.

So let's look at all the clues given to us.
The title is "Can you see me?" and there is large gap in between the text.
Hmmmm...could it be "White text on white Background"?

Let's get to work on this and select everything on the page and you will see the following image.


Great, so we need to look at the "password.gif"
Let's view the source of that image file and you will see this:


There you go, the password to this particular challenge is "Stegano"


I wonder, do people really use this type of technique to hide the "secret text" or image on top of text in Office documents? xDDD



Cheers
0x4A61636F62

Wednesday, June 20, 2012

A Trusted Java Applet to run?!@$@#?

This has been on my mind for a very long time but I haven't found the time to write about it.

I find it kind of strange to see so many websites out there that "require a Trusted Java Applet to run" in order to download videos from various video sharing websites.

Why in the world would you want to run a Java applet which you have no access to, just to download a video?

So I took some time to see what is within the .jar file. The first target for today is http://keepvid.com
It looks normal like this.






Just by browsing the website, you won't be prompted to run the Java applet. However, if you enter a video link like the one below:

You will see that your browser will prompt you on whether you want to run the Java applet.



Now let's take a look at the source code of the website, where we are able to find the location of the .jar file.


By visiting http://keepvid.com/java/keepvid.213.jar we are able to download the .jar file.

Basically, a .jar is a container for a compiled Java application. Now let's download a Java decompiler to decompile this shit. A very friendly and easy to use Java decompiler is JD-GUI, http://java.decompiler.free.fr/

Using that, you are able to read the decompiled source code and inspect whether KeepVid's Java applet is indeed non-malicious and safe to use.


As we can see from the image above, everything seems good. If you are really paranoid, just throw it to VirusTotal.com to let all the anti-virus engines analyse it. xDDD

Well, time to head back to solving challenges.


Cheers
0x4A61636F62



Sunday, June 17, 2012

Solution for Net-Force.nl : Level 107 - Having Fun?!? :-)

This is the link to the original challenge: http://www.net-force.nl/challenge/level107/ 

Quest:
This website is protected by HTML PROTECT 3
Enter the password like this "username:password"

View Source:
<script type="text/javascript">
d="=tdsjqu mbohvbhf> KbwbTdsjqu ?=!..  gvodujpo tipxmphjo(*|  epdvnfou/xsjufmo('=cs?=cs? +#'*< J#ubcmf xjeui> 457  cpsefs> 3  dfmmtqbdjoh> 1 3#qbee 3#bmjho> dfoufs  ifjhiu> 223  :$ :$s?=ue O#52  chdpmps> #7273:F `# `#ejw >$?=gpou  d#GGGGGG  gbdf> Dpvsjfs Ofx-  0#- npop ?=c ^#tj{f> 8 ?Vtfs M i&=0 =#?=0c? .#ejw `$ `$0ue?=0 I%s H# h%e i 5& d%GGCEPP d% \\#gpsn obnf> qbttxpse 6#  poTvcnju> joqvu(*< ? 8&mfgu z# z#UBCMF dfmmTqbdjoh>1 1#Qbee 1#xjeui> 211%  cpsefs>1?=UCPEZ z# z#JOQVU uzqf> ijeefo  ,%vtfs -#  wbmvf> efgbvmu ?=c L& p$S?=UE U$21 if Z&44?&octq<=0UE `# `# \\#8 \\#=GPOU gbdf> Wfsebob- Bsjbm- Ifmwfujdb- tbot.tfsjg  tj{f>2?=C 4$ 4$ w# v# W#3?Qbttxpse=0 F#?=0C? .#UE L% n$ 1$ u&dmbtt>joqvu uzqf>q /$ ?$1 obn 9# r# r# L$0 z&0UCPEZ +#BCMF T#o('&octq< )# /# 5#= g$ Tvcnju   `$ 2#wbmvf> Mphjo Opx  @$ q$ejw?=0gpsn?=0ue (#s (#bcmf Y#~<  gvodujpo  F$(*  |qe> s# %& j# 0#/ O$/upVqqfsDbtf( r#vs [#n/vtfs 6% [#  jg ((vs!>vs*   }}(qe>>voftdbqf( %36%41%41 ,#3%46 ,#4%43 *** | ?$dppljf> IUNMQ K$VtfsJE> ,vs< L# L# +#X L#qe< .%epl(*<~fmtf|bmfsu(  p#bddpvou;  v#,   fssps ! 
* )$pqfo( 3#mpdb {&/isfg> iuuq;00xxx/gffunbo/dpn <~<~<  gvod P# ofn(*|sfuvso usvf~<xjoepx/po >$> G#<wbs u85<em >  =$bzfst<eb 8#bmm<hf 5#hfuFmf .#CzJe<xt >  /$tjefcbs )$nth>   .#c:8< m$ ?& | n% 3#xsjuf(voftdbqf( %4Diunm%4F -#fbe -#ujumf%4FOfu%31Gpsdf%4D%3G <# 1# T#cpez -#tdsjq Y#uzqf%4E%33ufyu%3Gkbwb A#3%31mbohvbh H#KbwbT A#tsd <#tib2%3Fkt ;# C$ k# ;$ ;$ ;$ ;$ #$2%3E%3E%31Tubs y#Ijejoh ($if :# U#1E%1B )#gvodujpo%31wbmjebuf%39%3:%31%8C N#31%31jg +#9%39epdvnfou%3FMphjoGpsn%3Fm /#%3Fwbmvf 3#fohui Y#4F%311 z#37%37 o# l#3Fqbttxpse o# o# o$ )# S$4E )$ r$4 d# K$ c# i$ f# `# v& _$6Gtib2%4EdbmdTIB2%39 Z$: U$ U$ Y# <# X# ^#hppe%6G $&%332e42e:5g41e51eg8:62616e2145f2f:34e13fd5:%33 E% x#%6G 8&%333e8b45d:fg9fgb3dgeg5c9:286g8fefd2de1eeeb w# u$31jg +#9 $& b%%4E 8%3: M#7%37 V# 7& R# 6& T#8 q& G$ ,#bmfsu P$8Xfmm%31Epof%32%38 l# 0% i#8E%31fmtf @$ T# )#epdvnfou%3Fmpdbujpo o&8iuuq%4B%3G%3Gxxx%3Fgffunbo%3Fdpn ]$ &$ W$ G# l$ W# r# u$ u$ u$ u$ o$ >$ 3% G#sfuvso%31gb 4%4 z& R# \\$%31Tupq%31Ijejoh%31tdsjqu ,$E%3E )#4F%4D%3G ># 2#ubcm =&xjeui \\%3311%33%31ifjhiu 8#: 7#bmjh *&3dfoufs :#cpsefs ;# M# &$s +#e%31dmbtt E#uyu G# i# /#gpsn%31obnf L#MphjoG 9# F$dujp G$ .$ 1% L$ v$ :# [%2 [%6 z$ z$ Z$%4B ^&ue R# O%joqvu%31uzq D%uf B# X%m {# 8#tj{ 8# _& 6$ .# p$ x$ I$Qbttxpse {$ U# {$q j# %% ;# (% (% .#bcmf :$%33tvcnj :&wbmv :#T :#poDmjdl <#sfuvso P#jebuf%39%3:%4C R$gpsn 0#dfouf X$ n$ n$%3Gcpez 0#iunm 0#1E%1B **< epdvnfou/dmptf(*<  ~<  xjoepx/pqfo(voftdbqf( %79%85%85%81%4B%3G%3G%88%88 )#3F%7E%7:%7F )# P#84%76%83%87 ,# P#F /#5 *- Vosfhjtufs - xjui>361-ifjhiu>291 *<tipxmphjo(*<=0TDSJQU? ";
e=unescape("%25%36%43%25%33%44%25%32%37%25%35%43%25%33%30%25%30%31%25%30%32%25%30%33%25%30%34%25%30%35%25%30%36%25%30%37%25%30%38%25%35%43%25%37%34%25%35%43%25%36%45%25%30%42%25%30%43%25%35%43%25%37%32%25%30%45%25%30%46%25%31%30%25%31%31%25%31%32%25%31%33%25%31%34%25%31%35%25%31%36%25%31%37%25%31%38%25%31%39%25%31%41%25%31%42%25%31%43%25%31%44%25%31%45%25%31%46%25%32%30%25%32%31%25%32%32%25%32%33%25%32%34%25%32%35%25%32%36%25%35%43%25%32%37%25%32%38%25%32%39%25%32%41%25%32%42%25%32%43%25%32%44%25%32%45%25%32%46%25%33%30%25%33%31%25%33%32%25%33%33%25%33%34%25%33%35%25%33%36%25%33%37%25%33%38%25%33%39%25%33%41%25%33%42%25%33%43%25%33%44%25%33%45%25%33%46%25%34%30%25%34%31%25%34%32%25%34%33%25%34%34%25%34%35%25%34%36%25%34%37%25%34%38%25%34%39%25%34%41%25%34%42%25%34%43%25%34%44%25%34%45%25%34%46%25%35%30%25%35%31%25%35%32%25%35%33%25%35%34%25%35%35%25%35%36%25%35%37%25%35%38%25%35%39%25%35%41%25%35%42%25%35%43%25%33%31%25%33%33%25%33%34%25%35%44%25%35%45%25%35%46%25%36%30%25%36%31%25%36%32%25%36%33%25%36%34%25%36%35%25%36%36%25%36%37%25%36%38%25%36%39%25%36%41%25%36%42%25%36%43%25%36%44%25%36%45%25%36%46%25%37%30%25%37%31%25%37%32%25%37%33%25%37%34%25%37%35%25%37%36%25%37%37%25%37%38%25%37%39%25%37%41%25%37%42%25%37%43%25%37%44%25%37%45%25%37%46%25%32%37%25%33%42%25%30%44%25%30%41%25%37%33%25%33%44%25%32%37%25%32%37%25%33%42%25%30%44%25%30%41%25%36%36%25%36%46%25%37%32%25%32%30%25%32%38%25%36%39%25%33%44%25%33%30%25%33%42%25%36%39%25%33%43%25%36%34%25%32%45%25%36%43%25%36%35%25%36%45%25%36%37%25%37%34%25%36%38%25%33%42%25%36%39%25%32%42%25%32%42%25%32%39%25%37%42%25%30%44%25%30%41%25%36%31%25%33%44%25%36%43%25%32%45%25%36%39%25%36%45%25%36%34%25%36%35%25%37%38%25%34%46%25%36%36%25%32%38%25%36%34%25%32%45%25%36%33%25%36%38%25%36%31%25%37%32%25%34%31%25%37%34%25%32%38%25%36%39%25%32%39%25%32%39%25%33%42%25%30%44%25%30%41%25%36%39%25%36%36%25%32%30%25%32%38%25%36%31%25%33%44%25%33%44%25%33%31%25%32%39%25%32%30%25%36%31%25%33%44%25%33%39%25%33%42%25%30%44%25%30%41%25%36%3
9%25%36%36%25%32%30%25%32%38%25%36%31%25%33%44%25%33%44%25%33%32%25%32%39%25%32%30%25%36%31%25%33%44%25%33%31%25%33%30%25%33%42%25%30%44%25%30%41%25%36%39%25%36%36%25%32%30%25%32%38%25%36%31%25%33%44%25%33%44%25%33%33%25%32%39%25%32%30%25%36%31%25%33%44%25%33%31%25%33%33%25%33%42%25%30%44%25%30%41%25%36%39%25%36%36%25%32%30%25%32%38%25%36%31%25%33%44%25%33%44%25%33%34%25%32%39%25%32%30%25%36%31%25%33%44%25%33%33%25%33%34%25%33%42%25%30%44%25%30%41%25%36%39%25%36%36%25%32%30%25%32%38%25%36%31%25%33%43%25%33%44%25%33%33%25%33%31%25%32%30%25%32%36%25%32%30%25%36%31%25%33%45%25%33%44%25%33%31%25%33%34%25%32%39%25%37%42%25%30%44%25%30%41%25%36%46%25%36%36%25%36%36%25%33%44%25%37%33%25%32%45%25%36%43%25%36%35%25%36%45%25%36%37%25%37%34%25%36%38%25%32%44%25%32%38%25%36%43%25%32%45%25%36%39%25%36%45%25%36%34%25%36%35%25%37%38%25%34%46%25%36%36%25%32%38%25%36%34%25%32%45%25%36%33%25%36%38%25%36%31%25%37%32%25%34%31%25%37%34%25%32%38%25%32%42%25%32%42%25%36%39%25%32%39%25%32%39%25%32%44%25%33%33%25%33%36%25%32%42%25%33%39%25%33%30%25%32%41%25%32%38%25%36%43%25%32%45%25%36%39%25%36%45%25%36%34%25%36%35%25%37%38%25%34%46%25%36%36%25%32%38%25%36%34%25%32%45%25%36%33%25%36%38%25%36%31%25%37%32%25%34%31%25%37%34%25%32%38%25%32%42%25%32%42%25%36%39%25%32%39%25%32%39%25%32%44%25%33%33%25%33%35%25%32%39%25%32%39%25%32%44%25%33%31%25%33%42%25%30%44%25%30%41%25%36%43%25%37%30%25%33%44%25%36%46%25%36%36%25%36%36%25%32%42%25%36%31%25%32%44%25%33%31%25%33%34%25%32%42%25%33%34%25%33%42%25%30%44%25%30%41%25%37%33%25%33%44%25%37%33%25%32%42%25%37%33%25%32%45%25%37%33%25%37%35%25%36%32%25%37%33%25%37%34%25%37%32%25%36%39%25%36%45%25%36%37%25%32%38%25%36%46%25%36%36%25%36%36%25%32%43%25%36%43%25%37%30%25%32%39%25%33%42%25%37%44%25%30%44%25%30%41%25%36%35%25%36%43%25%37%33%25%36%35%25%32%30%25%37%42%25%32%30%25%36%39%25%36%36%25%32%30%25%32%38%25%36%31%25%33%45%25%33%44%25%33%34%25%33%31%25%32%39%25%32%30%25%36%31%25%33%44%25%36%31%25%32%44%25%33%31%25%33%42%25%32%30%25%37%33%25%33%44%25%37%33%
25%32%42%25%36%43%25%32%45%25%36%33%25%36%38%25%36%31%25%37%32%25%34%31%25%37%34%25%32%38%25%36%31%25%32%39%25%33%42%25%37%44%25%37%44%25%33%42%25%36%34%25%36%46%25%36%33%25%37%35%25%36%44%25%36%35%25%36%45%25%37%34%25%32%45%25%37%37%25%37%32%25%36%39%25%37%34%25%36%35%25%32%38%25%37%33%25%32%39%25%33%42%25%30%44%25%30%41");
e=unescape(e);eval(e);
</script>
 
Variable e looks suspicious. Let's alert its content out, and we get this:
 
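// Lookup table: characters 0x00-0x7F in order, so l.indexOf(c) is the character code of c.
// The control characters are written as escapes here because they are invisible in an alert box.
l='\0\x01\x02\x03\x04\x05\x06\x07\x08\t\n\x0B\x0C\r\x0E\x0F\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1A\x1B\x1C\x1D\x1E\x1F !"#$%&\'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\134]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7F';
s='';
for (i=0;i<d.length;i++){
  a=l.indexOf(d.charAt(i));
  // 1 to 4 stand in for tab, newline, carriage return and double quote
  if (a==1) a=9;
  if (a==2) a=10;
  if (a==3) a=13;
  if (a==4) a=34;
  if (a<=31 & a>=14){
    // 14 to 31 mark a back-reference: copy a-14+4 characters already written to s
    off=s.length-(l.indexOf(d.charAt(++i))-36+90*(l.indexOf(d.charAt(++i))-35))-1;
    lp=off+a-14+4;
    s=s+s.substring(off,lp);}
  else { if (a>=41) a=a-1; s=s+l.charAt(a);}};
document.write(s);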
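The two layers above can be unpacked statically, without eval or document.write. This is an added example, not code from the original post or from HTML Protect: the function names and both SAMPLE_* inputs are constructed, and it assumes the table l is the identity map for 0x00-0x7F, which is what unescaping e twice yields.

```javascript
// Added example: static unpacking of the two layers, nothing is eval'd or written to a page.
// Function names and both SAMPLE_* inputs are constructed for this illustration.

// Layer 1: undo nested %XX encoding one pass at a time and keep every stage for review.
function peelPercentLayers(text, maxLayers = 8) {
  const stages = [text];
  while (stages.length <= maxLayers) {
    const next = unescape(stages[stages.length - 1]); // same primitive the loader calls
    if (next === stages[stages.length - 1]) break;
    stages.push(next);
  }
  return stages;
}

// Layer 2: the loop recovered from variable e as a pure function.
// Assumption: l is the identity table for 0x00-0x7F, so l.indexOf(ch) is the char code.
function decodeProtected(d) {
  const idx = (ch) => (ch.charCodeAt(0) < 128 ? ch.charCodeAt(0) : -1);
  const ESCAPED = { 1: 9, 2: 10, 3: 13, 4: 34 }; // tab, LF, CR, double quote
  let s = '';
  for (let i = 0; i < d.length; i++) {
    let a = idx(d.charAt(i));
    if (a in ESCAPED) a = ESCAPED[a];
    if (a >= 14 && a <= 31) {
      // Back-reference: copy (a - 10) chars from s; distance is base 90 in the next two chars.
      if (i + 2 >= d.length) throw new RangeError('truncated back-reference at index ' + i);
      const lo = idx(d.charAt(++i)) - 36;
      const hi = idx(d.charAt(++i)) - 35;
      const off = s.length - (lo + 90 * hi) - 1;
      // The page's loop lets substring() clamp a bad offset; failing loudly exposes a damaged d.
      if (off < 0 || off >= s.length) throw new RangeError('bad back-reference offset at index ' + i);
      s += s.substring(off, off + a - 14 + 4);
    } else if (a >= 0) {
      if (a >= 41) a -= 1; // codes 41 and above are stored shifted up by one
      s += String.fromCharCode(a);
    }
  }
  return s;
}

// Constructed inputs: 'a=1' percent-encoded twice, and a packed string with one back-reference.
const SAMPLE_E = '%25%36%31%25%33%44%25%33%31';
const SAMPLE_D = 'bmfsu)\x04ij\x04*<\x11/#zp\x04*<';

console.log(peelPercentLayers(SAMPLE_E));
console.log(decodeProtected(SAMPLE_D));
```

Feed it the d string taken from the raw page source rather than a copy that has passed through a text editor, since the marker bytes 0x01-0x1F are easily lost along the way.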
 
What is the variable s that this script is trying to write? Let's alert it out.
 
<script language="JavaScript"><!--
function showlogin(){
document.writeln('<br><br><br><br>');
document.writeln('<table width="346" border="2" cellspacing="0" cellpadding="0" align="center" height="112">');
document.writeln('<tr><td height="41" bgcolor="#61629E">');
document.writeln('<div align="center"><font color="#FFFFFF" face="Courier New, Courier, mono"><b><font size="7">User Login</font></b></font></div>');
document.writeln('</td></tr><tr>');

document.writeln('<td hight="111" bgcolor="#FFBDOO">')
document.writeln('<form name="passwordform" onSubmit="input();"><div align="left">');
document.writeln('<TABLE cellSpacing=0 cellPadding=0 width="100%" border=0><TBODY>');
document.writeln('<INPUT type="hidden" name="username" value="default"><br>');
document.writeln('<TR><TD width=10 height=33>&nbsp;</TD>');
document.writeln('<TD width=70 height=33><FONT face="Verdana, Arial, Helvetica, sans-serif" size=1><B>');
document.writeln('<FONT face=Verdana size=2>Password</FONT></B></FONT></TD><TD width=100 height=33>');
document.writeln('<INPUT class=input type=password size=20 name=password >');
document.writeln('</TD></TR></TBODY></TABLE>');
document.writeln('&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<input type="Submit"  name="Submit" value="Login Now">');
document.writeln('</div></form></td></tr></table>');
};

function input()
{
pd=document.passwordform.password.value.toUpperCase();
ur=document.passwordform.username.value.toUpperCase();
if ((ur!=ur) ||(pd==unescape("%25%30%30%25%32%35%25%33%32"))) {
   document.cookie="HTMLPasswordUserID="+ur;
   document.cookie="HTMLPasswordPassWD="+pd;
   passwdok();
}
else{
   alert("Useraccount: "+ur+ " error !");
   document.open();
   document.location.href="http://www.feetman.com";
}
;};
function nem(){return true};
window.onerror = nem;
var t74;
dl = document.layers;
da = document.all;
ge = document.getElementById;
ws = window.sidebar;
var msg="";
var b97;
 
function passwdok() {
document.open();
document.write(unescape("%3Chtml%3E%3Chead%3E%3Ctitle%3ENet%20Force%3C%2Ftitle%3E%3C%2Fhead%3E%3Cbody%3E%3Cscript%20type%3D%22text%2Fjavascript%22%20language%3D%22JavaScript%22%20src%3D%22sha1%2Ejs%22%3E%3C%2Fscript%3E%3Cscript%20type%3D%22text%2Fjavascript%22%20language%3D%22JavaScript%22%3E%3C%21%2D%2D%20Start%20Hiding%20the%20Script%0D%0A%0D%0Afunction%20validate%28%29%20%7B%0D%0A%20%20if%20%28%28document%2ELoginForm%2Elogin%2Evalue%2Elength%20%3E%200%29%20%26%26%20%28document%2ELoginForm%2Epassword%2Evalue%2Elength%20%3E%200%29%29%20%7B%0D%0A%20%20%20%20login%3Ddocument%2ELoginForm%2Elogin%2Evalue%3B%0D%0A%20%20%20%20pass%3Ddocument%2ELoginForm%2Epassword%2Evalue%3B%20%20%20%20%0D%0A%0D%0A%20%20%20%20login%5Fsha1%3DcalcSHA1%28login%29%3B%0D%0A%20%20%20%20pass%5Fsha1%3DcalcSHA1%28pass%29%3B%0D%0A%0D%0A%20%20%20%20good%5Flogin%3D%221d31d94f30d40df7951505d1034e1e923d02ec49%22%3B%20%0D%0A%20%20%20%20good%5Fpass%3D%222d7a34c9ef8efa2cfdf4b89175f7edec1cd0ddda%22%3B%0D%0A%0D%0A%20%20%20%20if%20%28%28login%5Fsha1%3D%3Dgood%5Flogin%29%20%26%26%20%28pass%5Fsha1%3D%3Dgood%5Fpass%29%29%20%7B%0D%0A%20%0D%0A%20%20%20%20%20%20%20alert%28%27Well%20Done%21%27%29%3B%0D%0A%0D%0A%20%20%20%20%20%20%20%7D%20else%20%7B%0D%0A%0D%0A%20%20%20%20%20%20%20document%2Elocation%3D%27http%3A%2F%2Fwww%2Efeetman%2Ecom%27%0D%0A%0D%0A%20%20%20%20%20%20%20%7D%0D%0A%0D%0A%20%20%7D%20else%20%7B%0D%0A%20%20%20%0D%0A%20%20%20%20%20%20%20document%2Elocation%3D%27http%3A%2F%2Fwww%2Efeetman%2Ecom%27%0D%0A%20%20%20%20%20%20%20%20%0D%0A%20%20%20%20%20%20%20%7D%0D%0A%0D%0A%20return%20false%3B%0D%0A%0D%0A%7D%0D%0A%0D%0A%2F%2F%20Stop%20Hiding%20script%20%2D%2D%2D%3E%3C%2Fscript%3E%3Ctable%20width%3D%22200%22%20height%3D%2290%22%20align%3D%22center%22%20border%3D%220%22%3E%3Ctr%3E%3Ctd%20class%3D%22txt%22%3E%3Ccenter%3E%3Cform%20name%3D%22LoginForm%22%20action%3D%22%22%3E%3Ctable%20border%3D%220%22%20align%3D%22center%22%20width%3D%22100%25%22%3E%3Ctr%3E%3Ctd%20class%3D%22txt%22%3ELogin%3A%3C%2Ftd%3E%3Ctd%20clas
s%3D%22txt%22%3E%3Cinput%20type%3D%22text%22%20name%3D%22login%22%20size%3D%2220%22%3E%3C%2Ftd%3E%3C%2Ftr%3E%3Ctr%3E%3Ctd%20class%3D%22txt%22%3EPassword%3A%3C%2Ftd%3E%3Ctd%20class%3D%22txt%22%3E%3Cinput%20type%3D%22password%22%20name%3D%22password%22%20size%3D%2220%22%3E%3C%2Ftd%3E%3C%2Ftr%3E%3C%2Ftable%3E%3Cinput%20type%3D%22submit%22%20value%3D%22Submit%22%20onClick%3D%22return%20validate%28%29%3B%22%3E%3C%2Fform%3E%3C%2Fcenter%3E%3C%2Ftd%3E%3C%2Ftr%3E%3C%2Ftable%3E%3C%2Fbody%3E%3C%2Fhtml%3E%0D%0A")); 
document.close();
};

window.open(unescape("%68%74%74%70%3A%2F%2F%77%77%77%2E%6D%69%6E%69%68%74%74%70%73%65%72%76%65%72%2E%6E%65%74"),"Unregister","with=250,height=180");showlogin();</SCRIPT>
 
What is passwdok() trying to do? What is it trying to write? Let's alert it out.
 
<html><head><title>Net Force</title></head><body><script type="text/javascript" language="JavaScript" src="sha1.js"></script><script type="text/javascript" language="JavaScript"><!-- Start Hiding the Script

function validate() {
  if ((document.LoginForm.login.value.length > 0) && (document.LoginForm.password.value.length > 0)) {
    login=document.LoginForm.login.value;
    pass=document.LoginForm.password.value;    
    login_sha1=calcSHA1(login);
    pass_sha1=calcSHA1(pass);
    good_login="1d31d94f30d40df7951505d1034e1e923d02ec49"; 
    good_pass="2d7a34c9ef8efa2cfdf4b89175f7edec1cd0ddda";

    if ((login_sha1==good_login) && (pass_sha1==good_pass)) {
       alert('Well Done!');
       } else {
       document.location='http://www.feetman.com'
       }
  } else {
       document.location='http://www.feetman.com'
  }
 return false;
}
// Stop Hiding script ---></script><table width="200" height="90" align="center" border="0"><tr><td class="txt"><center><form name="LoginForm" action=""><table border="0" align="center" width="100%"><tr><td class="txt">Login:</td><td class="txt"><input type="text" name="login" size="20"></td></tr><tr><td class="txt">Password:</td><td class="txt"><input type="password" name="password" size="20"></td></tr></table><input type="submit" value="Submit" onClick="return validate();"></form></center></td></tr></table></body></html>
 
OK, it seems like we are close. We can see the SHA-1 hashes of the login user ID and password...
So let's visit http://www.md5decrypter.co.uk/sha1-decrypt.aspx to look up the password behind each hash