Monday, 27 February 2012

Hack This Site application challenges (part 1)

I've been doing some of the hacking challenges on hackthissite.org recently. Having got stuck on some of the harder realistic missions, I thought I would come back to them another time and have a go at some of the application missions instead...

I am running the Windows versions of the applications from HTS.
If you want to do some of these challenges, at the very least you're going to need a hex editor.

On Windows, HT editor is alright; it runs in a command prompt, is free, and has regex searching.
On Linux you've got GHex2, which does the job. Even Midnight Commander has a hex viewer.
Regular expressions are not essential, but they can speed up the searching process because you can narrow a search right down.

Application challenge 1
When you run this app you are presented with a dialog to enter a serial number to verify the software. As we don't have a serial number, we need to see whether one is contained inside the executable.
So, using HT editor, open the executable (you can either run HT editor and then use the open command, or you can pass the executable's location as an argument on the command line).
Now we can search (hit F7 in HT editor). We want to find anything relating to the Authenticate button, so search for Authenticate. The first hit doesn't look promising; hit Shift+F7 to find the next match. That's more like it: there are some serial-number-esque strings nearby. Re-run the app, type one of those in and you'll get the password to complete the challenge.

Application challenge 2
When you run this app you are again presented with a dialog to enter a serial number. There is a massive clue in the sentence "you must be connected to the internet...": it is clearly going to contact a server as part of the verification process.
If you haven't got Wireshark, now would be a good time to get it. If you're installing it on Linux, you'll need to configure it to work nicely (see bottom of this post).
Find the IP address of the network adapter that's connecting you to the internet, and then run Wireshark.
Press Ctrl+I to list the available interfaces, and click the Options button for the interface with the IP address you found a moment ago. In the capture filter box put host followed by the IP address of the adapter; that will filter out traffic you're not interested in. Press the Start button to start capturing packets.

Type something into the serial number box of the app and hit Authenticate. It will say you've entered an incorrect serial number. Go back to Wireshark and stop the capture. There should be some traffic: you're looking for a DNS lookup for hackthissite.org, followed by some HTTP traffic.

You'll be able to see the GET request in the list of packets, and from it you can see the app is downloading a text file. You can open a browser and fetch the text file yourself, or you can use a nifty feature of Wireshark to see the contents instantly (after all, the app already downloaded the file and you captured the packets on their way through): right-click on the packet with the GET request and select Follow TCP Stream. A new window opens and you'll see the GET request followed by the server's response.
Try entering one of the serial numbers and authenticating.

Application challenge 3
When you run this app you are presented again with the serial number entry dialog and the same "you must be connected to the internet..." message. Set Wireshark capturing again, put something in the serial number box and hit Authenticate. Find the GET request and follow the TCP stream. You'll notice that this time the lesson has been learned: the serial number is sent to the server for approval. I left the box blank and the server returned a value of false.
So it's fairly obvious we need to get the server to respond with true... or do we?
A quick look at http://www.hackthissite.org/missions/application/app3/ indicates that getting the server to respond with true isn't likely to happen any time soon.
At this point two choices become apparent. We need to either redirect the application's HTTP connection to a server under our control that can respond with true (sounds like a lot of hassle), or see if we can change the behaviour of the app so that it comes round to the idea of accepting a false response.

Make a copy of the app (so if you make a mistake you can just make another copy and try again), then open it with HT editor. Search (F7, and Shift+F7 for the next hit) for Authenticate again. The strings true and false exist in the vicinity of the search match, so there's a good chance they relate to the authentication process.
Switch to editing mode (F4) and use the arrow keys to navigate to where you can see true (the ASCII representation of the byte at the currently selected address is highlighted in white on the right-hand side of the screen). Make a note of the hex values for true (74 72 75 65), then do the same for false (66 61 6C 73 65).
The easiest way to beat the authentication process, then, is to swap true and false.
Once you've done that, re-run the app, type whatever you like in the box and press Authenticate. The app now likes the false response.
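The two things the hex-editor searches turn up, cleartext serial-like strings sitting next to the Authenticate label (challenge 1) and a bare true/false pair that the client compares a server reply against (challenge 3), are exactly what a release build shouldn't ship. The script below is an added example, not code from this post or from HTS: a small strings-style audit that flags both patterns, run here against a constructed byte buffer laid out like the challenge apps. The serial format regex and the 256-byte window are assumptions.

```python
import re

# Constructed stand-in for a release binary (not a real HTS challenge file):
# a few header bytes, then the string layout the challenges show, i.e. a UI
# label, serial-like strings nearby, and the literal words the client compares
# a server response against.
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"Authenticate\x00Enter your serial number\x00"
    + b"ABCD-1234-EFGH-5678\x00WXYZ-9876-QRST-5432\x00"
    + b"\x00" * 8 + b"true\x00false\x00" + b"\xff" * 16
)

# Assumed serial shape for this example: groups of 4 alphanumerics joined by '-'.
SERIAL_RE = re.compile(r"^[A-Z0-9]{4}(?:-[A-Z0-9]{4}){2,}$")


def printable_strings(data: bytes, min_len: int = 4):
    """Return (offset, text) for every run of printable ASCII, like `strings`."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [(m.start(), m.group().decode("ascii")) for m in re.finditer(pattern, data)]


def audit(data: bytes, marker: str = "Authenticate", window: int = 256):
    """Flag serial-shaped strings within `window` bytes of `marker`, and any
    true/false literals stored back to back (a hint that the program decides
    by comparing a response against a cleartext word). Heuristic only: a bare
    "true" also shows up in plenty of harmless runtime code."""
    strings = printable_strings(data)
    marker_offsets = [off for off, text in strings if marker in text]
    serials = [
        (off, text) for off, text in strings
        if SERIAL_RE.match(text) and any(abs(off - m) <= window for m in marker_offsets)
    ]
    bool_literals = [
        (first, second) for first, second in zip(strings, strings[1:])
        if {first[1].lower(), second[1].lower()} == {"true", "false"}
    ]
    return {"serials": serials, "bool_literals": bool_literals}


if __name__ == "__main__":
    report = audit(SAMPLE_BINARY)
    for off, text in report["serials"]:
        print(f"cleartext serial-like string at 0x{off:x}: {text}")
    for (off_a, a), (off_b, b) in report["bool_literals"]:
        print(f"true/false pair at 0x{off_a:x}/0x{off_b:x}: {a!r} next to {b!r}")
```

Pointing audit() at a real build output before release gives you the same view an HT editor search gives the challenger, which is the point: if the serials or the decision words are visible here, they are visible to anyone with the file.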

That'll do for now; I'll post some more as I carry on through the challenges.
