Wednesday, August 31, 2016

Web Client / Javascript Authentication 2

Link to the challenge: Javascript Authentication 2

This challenge will probably be similar to the first two, for which I wrote articles: Javascript Authentication and Javascript Source, so I invite you to read them to be familiar with the tools we used.

Let's start. The page contains a login button, let's try to press it and see what happen.
Ok, so it asks us for a login and password. Let's check the source code of the page (Ctrl+Shift+I on Google Chrome).
We find our login button, with an 'onclick' parameter, calling a Javascript function named 'connexion()'. Let's find it.
We check the head tag of the page. As in challenge one, we find a login.js script. Let's open it in our browser.
We found the 'connexion()' function. However, it seems a bit more complicated that the first challenge (which makes sense after all ^^).
Let's have a look at it.

 function connexion(){  
   var username = prompt("Username :", "");  
   var password = prompt("Password :", "");  
   var TheLists = ["CACHÉ:HIDDEN"];  
   for (i = 0; i < TheLists.length; i++)  
   {  
     if (TheLists[i].indexOf(username) == 0)  
     {  
       var TheSplit = TheLists[i].split(":");  
       var TheUsername = TheSplit[0];  
       var ThePassword = TheSplit[1];  
       if (username == TheUsername && password == ThePassword)  
       {  
         alert("Vous pouvez utiliser ce mot de passe pour valider ce challenge (en majuscule) / You can use this password to validate this challenge (uppercase)");  
       }  
     }  
     else  
     {  
       alert("Nope, you're a naughty hacker.")  
     }  
   }  
 }  
Ok, so the username and password are asked to the user by using the 'prompt' function and are saved in variables.

Then we have a variable called 'TheLists'. Not sure what it is yet. Let's keep going for now.

It calls 'indexOf' with the username we specified as a parameter.
Not sure what this function is. Let's ask Google.
According to w3schools [indexOf()] this function search for the string passed as parameter in the string that called the function. It returns the position it found it (or -1 if not found).

I originally thought that TheLists was a string, and that TheLists.length() was returning the number of characters in the string, and the characters were accessed with TheLists[i].
But I was wrong. TheLists is an array, with only one element, the string. So TheLists.length() actually return 1, and TheLists[i] return the complete string.

So the loop is only executed once, and TheLists[i] is the string. So what it does, in the end, not only it checks if the username we entered is contained in TheLists string, but it also checks that it is located at the beginning of the string (if indexOf returns 0, it means the parameter has been found at offset 0).

If you want to check that theory, you can go back to the login page, and when asked for a username, enter some of the first letters of the TheLists string (e.g. 'C','CA','CAC'), and a random password.
You shouldn't have an error message anymore because of the username you entered. It now matches the beginning of TheLists variable. Still, you don't have the winning message either.

To get it (and find the password), you now have to figure this part by yourself:

     var TheSplit = TheLists[i].split(":");   
     var TheUsername = TheSplit[0];   
     var ThePassword = TheSplit[1];   
     if (username == TheUsername && password == ThePassword)   
     {   
      alert("Vous pouvez utiliser ce mot de passe pour valider ce challenge (en majuscule) / You can use this password to validate this challenge (uppercase)");   
     }   
Just have a look at what the w3schools [split()] function does, and it should be easy.

Web Client / Javascript Source

Link to the challenge: Javascript Source

This challenge is really similar to the first one. I wrote an article (Javascript Authentication) and if you have read it already, I highly recommend it as it will be almost identical here.
The difference here is that we don't have a form, but a pop-up that asks us for a password a soon as we load the page.
We cancel the pop-up (or enter a random password), and we have an error message.
We open the page with Google Chrome, and open the Developer Tools (Ctrl+Shift+I).
After having a quick look at the source code, we noticed that the body tag contains an onload parameter. This parameter will call the 'login()' function as soon as the page is loaded.
It seems this is what happened to us. Again, the 'login()' function seems to be a custom javascript function, so as in the previous challenge, let's check the head tag.
Here you might have a surprise but I won't spoil it for you, and will let you finish from here. It's really straight forward.

Not too much to say here if you already made the first challenge. It's even simpler than the first one actually.
Let me know if you have any question or remark about this challenge or my posts in general.
Thank you, and see you soon for another challenge

Web Client / Javascript Authentication

Link to the challenge: Javascript Authentication

Okay, so let's start the Web Client category. The first challenge seems to be about Javascript.
The challenge open a web page, that asks for a login and password.
First I tried something random, just to see what happen.
I got a pop-up alert that tells me this is the wrong password, as excepted.
However, when you know a bit about Javascript, you quickly notice that this is probably a pop-up called by the function 'alert()' in Javascript, that is used to display messages. But you don't need to know that to succeed, it just confirms what we excepted, it uses Javascript to authenticate the user.

Let's see the code of this page. I use Google Chrome and I HIGHLY recommend it for all the web stuff we will do. The developer console is REALLY useful. You can do it with Mozilla or IE, by downloading the page and opening it with a text editor, but it's much faster with Google Chrome.
When you're on the login page, just press Ctrl+Shift+I (or go to the icon on the top right of chrome, then select More Tools -> Developer Tools).
On the left, you can see your page, and on the right, the source code of the page:

By hovering the mouse on the different HTML elements on the right panel, you can see which element it corresponds to on the page (on the left panel).
We notice that our login form is wrapped on a fieldset tags. Let's expand it.
Here we find our form tags, let's expand it too.
It's a pretty standard form, except for the login button:
 <input onclick="Login()" type="button" value="login" name="button">  
We can see that it calls a 'Login()' function when clicked.
As we don't have anything else after this on the page, we can assume that the authentication happens in the 'Login()' function.

Our goal now is to find it, and see what it contains.
It seems like a custom Javascript function. To get custom functions in Javascript, you need to define them in a javascript file (.js) and link it to your HTML/Php page.
The linking part is done in the head of the page. Let's have a look at it.
I go back to Google Chrome and expand the head tag. This is what I find:

 <script type="text/javascript" src="login.js"></script>  
This code links a javascript file called 'login.js' to this page. Seems promising. We now need to see what is in this file.
As there is no path in front of the file name, we can assume that the script 'login.js' is probably at the same location on the server as the HTML page.
You now have to find a way to display the 'login.js' file in your web browser, and see what it says. The solution is really close.

Let me know if you have trouble finishing this challenge.
See you soon for another challenge

Tuesday, August 30, 2016

Cryptanalysis / Encoding - ASCII

Link to the challenge: Encoding - ASCII

Ok, so this challenge is really simple, so we will use it as an excuse to learn a bit more about ASCII. The challenge consists of decoding this string:

 4C6520666C6167206465206365206368616C6C656E6765206573743A203261633337363438316165353436636436383964356239313237356433323465  
What is ASCII ?
ASCII is a text encoding scheme that allow to display text.
Each character is encoded on 1 byte, and this is a standard, so in any computer you will use, the same character will correspond to the same value.
Here is the ASCII table, matching each character to it's value, coded on different bases (decimal, hexadecimal, octal):
You can see, for example, that the character 'A' is represented by the value 65 in decimal, but also by the value 41 in hexadecimal, and 101 in octal.
We can easily verify that all of these representations are equivalent, by converting them to the decimal base:
  (hexadecimal: 4*16 + 1*1 = 65)
  (octal: 1*64 + 0*8 + 1*1 = 65)
In order to decode an ASCII character based on it's value, you need to know which base has been used to encode it (decimal, hexadecimal, octal).
In 70% of the time, characters are encoded in hexadecimal, 29.9% in decimal, and 0.1% in octal (I never met such encoding yet).
We noticed that in our string we have to decode, some characters are letters, so if we assume this is an encoded ASCII string (as the title of the challenge suggests it), it cannot be decimal or octal, because both of this bases only use digits. The only base left, is hexadecimal, which uses digits and letters, up to F.
You now need to find a tool that can convert hexadecimal data to ascii.
Tips: Google is your friend, as well as Wikipedia :)

Bonus: If you want to do some exercise, you can try to create a small program to decode it.
Here are an idea of how to do it:

 1) Put the encoded string in a variable (by input or hard coded)  
 2) Loop until the end of the string  
 3) Read the characters of the string 2 by 2  
 4) Convert the group of 2 characters to a number (look at strtol() in C, int() in python, etc...)  
 5) Pass your number to a function that can convert your value to ASCII (convert to char in C, chr() in python)  
 6) Append the result to a string you will have initialized empty at the beginning  
 7) When the loop is done, print your string where you append all ASCII characters 
 8) You should now have decoded your ASCII string, congratz. 

Monday, August 29, 2016

Network / Ethernet Frame

Link to the challenge: Ethernet Frame

So in this challenge, you will need to find the confidential data hidden in the frame:

 00 05 73 a0 00 00 e0 69 95 d8 5a 13 86 dd 60 00  
 00 00 00 9b 06 40 26 07 53 00 00 60 2a bc 00 00  
 00 00 ba de c0 de 20 01 41 d0 00 02 42 33 00 00  
 00 00 00 00 00 04 96 74 00 50 bc ea 7d b8 00 c1  
 d7 03 80 18 00 e1 cf a0 00 00 01 01 08 0a 09 3e  
 69 b9 17 a1 7e d3 47 45 54 20 2f 20 48 54 54 50  
 2f 31 2e 31 0d 0a 41 75 74 68 6f 72 69 7a 61 74  
 69 6f 6e 3a 20 42 61 73 69 63 20 59 32 39 75 5a  
 6d 6b 36 5a 47 56 75 64 47 6c 68 62 41 3d 3d 0d  
 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 49 6e 73  
 61 6e 65 42 72 6f 77 73 65 72 0d 0a 48 6f 73 74  
 3a 20 77 77 77 2e 6d 79 69 70 76 36 2e 6f 72 67  
 0d 0a 41 63 63 65 70 74 3a 20 2a 2f 2a 0d 0a 0d  
 0a  
In this challenge again, we can use Wireshark. However, no .pcap file is provided. But Wireshark is also able to import hex dump and read them as frames. So let's do it. You just copy the bytes of the frame, and paste them in a text file.
Then you can go to Wireshark, File -> Import from hex dump. Then you select the file you just created, select offset: hexadecimal, and import...
And it doesn't work. Hummm. Apparently we don't have the right format. Let's check it out what is the Wireshark Hex Dump format.
We quickly find this: Wireshark Hex Dump Format
We notice that we need to specify the offset from the beginning of the file to the beginning of the new line. If you remember, when we tried to import our file before, we selected 'offset: hexadecimal'. So this probably means that the offset we have to write needs to be written as hexadecimal values. Let's try:
 000000 00 05 73 a0 00 00 e0 69 95 d8 5a 13 86 dd 60 00  
 000010 00 00 00 9b 06 40 26 07 53 00 00 60 2a bc 00 00  
 000020 00 00 ba de c0 de 20 01 41 d0 00 02 42 33 00 00  
 000030 00 00 00 00 00 04 96 74 00 50 bc ea 7d b8 00 c1  
 000040 d7 03 80 18 00 e1 cf a0 00 00 01 01 08 0a 09 3e  
 000050 69 b9 17 a1 7e d3 47 45 54 20 2f 20 48 54 54 50  
 000060 2f 31 2e 31 0d 0a 41 75 74 68 6f 72 69 7a 61 74  
 000070 69 6f 6e 3a 20 42 61 73 69 63 20 59 32 39 75 5a  
 000080 6d 6b 36 5a 47 56 75 64 47 6c 68 62 41 3d 3d 0d  
 000090 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 49 6e 73  
 000100 61 6e 65 42 72 6f 77 73 65 72 0d 0a 48 6f 73 74  
 000110 3a 20 77 77 77 2e 6d 79 69 70 76 36 2e 6f 72 67  
 000120 0d 0a 41 63 63 65 70 74 3a 20 2a 2f 2a 0d 0a 0d  
 000130 0a  
We have 16 bytes per line and 16 in hexadecimal is 10. So each new line, we increment our offset by 16 bytes, so by 0x10.
Let's save our file and try to import it with the same method as we tried at the beginning.
This time, it works, and we can see we have 1 frame.
 0000  00 05 73 a0 00 00 e0 69 95 d8 5a 13 86 dd 60 00 ..s....i..Z...`.  
 0010  00 00 00 9b 06 40 26 07 53 00 00 60 2a bc 00 00 .....@&.S..`*...  
 0020  00 00 ba de c0 de 20 01 41 d0 00 02 42 33 00 00 ...... .A...B3..  
 0030  00 00 00 00 00 04 96 74 00 50 bc ea 7d b8 00 c1 .......t.P..}...  
 0040  d7 03 80 18 00 e1 cf a0 00 00 01 01 08 0a 09 3e ...............>  
 0050  69 b9 17 a1 7e d3 47 45 54 20 2f 20 48 54 54 50 i...~.GET / HTTP  
 0060  2f 31 2e 31 0d 0a 41 75 74 68 6f 72 69 7a 61 74 /1.1..Authorizat  
 0070  69 6f 6e 3a 20 42 61 73 69 63 20 59 32 39 75 5a ion: Basic Y29uZ  
 0080  6d 6b 36 5a 47 56 75 64 47 6c 68 62 41 3d 3d 0d mk6ZGVudGlhbA==.  
 0090  0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 49 6e 73 .User-Agent: Ins  
We can see some data at the end of frame. Let's look at them.
 Authorization: Basic Y29uZmk6ZGVudGlhbA==  
This seems to me like an authentication mechanism. After googling it, we find this page: HTTP Auth
It looks exactly like we have, except for the data after Basic. This could be the credentials. We noticed in the previous link, that they mentionned the 'Basic' auth do not encrypt the credentials, but encoded them using a base64. If we want to get the flag, we need to find how to decode the base64, but this will be your job now.
Tips: You can find useful tools online.

I hope this helped you understand a bit how http authentication works, and how unsecure it can be.
Let me know if you have any question or comment about this challenge. Thank you.

Sunday, August 28, 2016

Network / Telnet Authentication

Link to the challenge: Telnet Authentication

Here again, we will need Wireshark to open our ch2.pcap. If you didn't installed it already, you can check this post about the FTP Authentication challenge.
Here we will see a really useful Wireshark feature.
Once you opened you file with Wireshark, just go on the first packet, right-click on it and choose 'Follow' -> 'TCP Stream'. You will see a window opening, and showing you all the data exchanges between the client and the server.
The parts highlighted in blue are the data sent by the server to the client, and the parts highlighted in red are the data sent from the client to the server.
I don't put a screenshot of it, otherwise, I would give you the answer, but just by reading the data you should be able to find the flag.

Bonus: You might notice that after the authentication, all characters are doubled. You can see that one is highlighted blue, while the other is highlighted red. This is probably a control mechanism, where the server repeat the received character, so the client can verify that the data have not been corrupted while transmitted.

This challenge was fairly easy, but it was the opportunity for me to show you the 'Follow TCP Stream' option.

See you soon for another challenge.

Network / FTP Authentication

Link to the challenge: FTP Authentication

When starting the challenge, a file is downloaded (ch1.pcap). This file is a capture file of the wireshark software, so in order to open it, you will need to download it. The software can be find here. This tool is a network analyzer. It captures all communication packets going through the selected interface and display their information. Wireshark will be required to almost all network challenges.
Once you installed it, you can open ch1.pcap with it.

I will quickly go over it's interface.

Section 1: This is the list of all packets of the capture. You can see some information like the ID of the packets, the Source IP, the Destination IP, the Protocol, the Length of the packet, as well as some information about it's content.
Section 2: This contains some more detailed information about the selected packet, from the section 1. This section contain several dropdown menus you can open to see the different layers of the packet (Physical, IP, TCP, etc...).
Section 3: This section contains raw data of the selected field from section 2, displayed in hexadecimal and ascii.

Let's now look at our ch1.pcap. We can see several packets have been captured. Let's have a look at them.

 1     0.000000     10.20.144.150     10.20.144.151     TCP     74     35974 → 21 [SYN] Seq=0 Win=32648 Len=0 MSS=1380 WS=1 TSval=1657560000 TSecr=0  
 2     0.000320     10.20.144.151     10.20.144.150     TCP     78     21 → 35974 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1356 WS=1 TSval=1657390000 TSecr=1657560000  
 3     0.000570     10.20.144.150     10.20.144.151     TCP     66     35974 → 21 [ACK] Seq=1 Ack=1 Win=32648 Len=0 TSval=1657560000 TSecr=1657390000  
These challenges will require you to have some prior knowledge about the TCP/IP type of packets.
You really need to understand this part: TCP Segment Structure.
Then you will recognize in the first 3 packets of our file, a typical TCP/IP handshake.
These packets are not really important here. Let's move to the next ones, shall we ?

 4     0.060630     10.20.144.151     10.20.144.150     FTP     106     Response: 220-QTCP at fran.csg.stercomm.com.  
 6     0.275760     10.20.144.151     10.20.144.150     FTP     126     Response: 220 Connection will close if idle more than 5 minutes.  
We can see that packets 4 and 6 are using the FTP protocol. As the challenge is about FTP authentication, let's have a closer look at them.
In packet 4, if we open the File Transfer Protocol (FTP) dropdown menu, we can see:
 File Transfer Protocol (FTP)  
   220-QTCP at fran.csg.stercomm.com.\r\n  
     Response code: Service ready for new user (220)  
     Response arg: QTCP at fran.csg.stercomm.com.  
Apparently, the response code says the service is ready for a new user. Interesting. Let's look at packet 6:
 File Transfer Protocol (FTP)  
   220 Connection will close if idle more than 5 minutes.\r\n  
     Response code: Service ready for new user (220)  
     Response arg: Connection will close if idle more than 5 minutes.  
Here we see that the server told us that the connection will close after 5min if idle. Ok, nothing really interesting so far. Let's keep looking at next FTP packets.

The packet 8 is really interesting. Here is it's FTP content:

 File Transfer Protocol (FTP)  
   USER cdts3500\r\n  
     Request command: USER  
     Request arg: cdts3500  
We can see that the command sent is USER followed by what seems to be a username. If we look at the FTP Authentication procotol, we see that to authenticate, the client needs to send his username with USER, and his password with PASS.
You got his username, so now you need to find his password.
But I will let you work on that bit. Now you know how to use Wireshark, and you know what you are looking for. You should be able to find it really quickly.

As always, don't hesitate to comment or asking for help if you can't make it.
See you soon for another challenge.

App-Script / ELF32 - System 1

Link to the challenge: ELF32 - System 1

Okay, let's start with it.
The challenge says "Try to find your path young padawan". Hum, it probably means it will be related to path. The documentation provided ("Dangers of SUID Shell Scripts"), suggests that we will probably need to use the access of the program to execute some commands. Let's open the WebSSH terminal. We find a ./ch11 program. Let's check it's permissions:

  ls -al   
  total 24   
  dr-xr-x--- 2 app-script-ch11-cracked app-script-ch11   4096 Aug 11 2015 .   
  drwxr-xr-x 14 root     root     4096 Nov 17 2015 ..   
  -r--r----- 1 app-script-ch11-cracked app-script-ch11-cracked 14 Feb 8 2012 .passwd   
  -r-sr-x--- 1 app-script-ch11-cracked app-script-ch11   7160 Aug 11 2015 ch11   
  -r--r----- 1 app-script-ch11   app-script-ch11   153 Aug 11 2015 ch11.c   

The permission of ./ch11 seems to be -r-sr-x--- and is owned by app-script-ch11-cracked. Let's check what it means.
This website explains that the 's' in the permissions means that the program will run with the permissions of the owner, not the user running it.
So it seems pretty good for us. This program is owned by app-script-ch11-cracked, which we assume have permission to read the .passwd that contains our flag, and it runs with the SUID flag. Perfect.

Let's have a look at the code in ch11.c now:

 #include <stdlib.h>  
 #include <stdio.h>  
 /* gcc -m32 -o ch11 ch11.c */  
 int main(void)  
 {  
     system("ls /challenge/app-script/ch11/.passwd");  
     return 0;  
 }  
The program is using a system call to list the .passwd file we're interested in.
What we would like to have is cat instead of ls, so we could display the file.
So let's do it. What we need to do first, is to use symbolic links to create a version of ls that redirect to a cat command.
A little ln --help help us to figure it out how to use it.

The command ln -s /bin/cat /tmp/ls will then create a symbolic link of /bin/cat to /tmp/ls.
So now, if we do /tmp/ls ./ch11.c it should display our file. Good. But our program doesn't call /tmp/ls, it calls ls. So how does it works ?
When the program will call ls, it will look at his environment variables to look for this command. Environment variables are defined for the whole system and are persistent after a reboot.
This variable we're interested in is called PATH. It contains multiple paths of directories that contain binaries (e.g. /bin, /sbin, etc...). This variable is the reason that we don't need to type the full path of each command every time (like /bin/ls, /bin/cat) but just the command, because the terminal will automatically look for them the in the directories listed in the PATH variable.
What we want to do, is put our /tmp path in it, and before all the other paths, so when the program will look for the ls command, it will check into our /tmp directory first and find an ls file. It will not check if this is a symbolic link or not, it will just execute it. So our command will virtually become /tmp/ls /challenge/app-script/ch11/.passwd, which is really /bin/cat /challenge/app-script/ch11/.passwd thanks to our symbolic link. And as you probably remember, this command will be executed with the permission of app-script-ch11-cracked, because it has been started from ch11 which has this permission.

So in order to add our /tmp to the PATH, we will need the command export. Here is a link that can help you. But remember, our path should be the FIRST in the PATH variable, otherwise some other directories might contains the ls command, and the one you created won't be used.
I let you look around to figure it out how to do it, but it's pretty simple. You should now have all the elements you need to complete this challenge.

Feel free to let me some comments or message if you still have some problems, or any suggestion or criticism.

Thank you, and see you soon for another challenge.

What is this ?

This blog is mainly gonna be about the hacking challenges at Root-me.org. I will describe my search and I got the answer (if I got it). This is gonna be a log of my thoughts (hence the title of this blog). I'm not sure yet at this point if I will disclose answers to the challenges, which could be considered as spoilers and incite some kind of laziness. I will probably guide you through most of the process, but let you figure it out the answers by yourself. The purpose is not to give you easy answers, but to give you an insight of my reasoning, as well as documents that helped me crack the challenge.

As for me, I've been a C++ developer for a few years now, but I also have some experience in some other domains (network, scripting, etc...). However, I do not consider myself an expert in these challenges, but I think I developed some analytical skills that you might find useful.

So, less talking, more doing. Let's start.