Archive for the ‘Walkthroughs’ Category

hackordie.echofish.org Solution (Level 15)

Saturday, March 20th, 2010

Here we need to manually generate a serial key, so first hit the search button and we get:

5413-09649-4236
7561-15929-8368

And now we need to find out what these have in common. It’s easy to see that the middle segment is the sum of the first and last. So let's try 5000-10000-5000.

Nope, not valid, so let's study them some more. In both serials the first segment is odd, the middle is odd and the last is even. So let's try 5001-10001-5000…

There you go, easy!

hackordie.echofish.org Solution (Level 14)

Saturday, March 20th, 2010

We see a keypad, and when we type 3 numbers we get sent to ?page=levels&level=14&pw=156. This means the password is a combination from 0-999, so let's make a brute forcer!

javascript:document.body.innerHTML += "<iframe id='if' height='400' width='400'></iframe>"; var i=0; setInterval(function(){var frame = document.getElementById('if'); frame.contentWindow.document.location = 'http://hackordie.echofish.org?page=levels&level=14&pw='+(i++)},100);void(0);

Write it in the address bar in your browser and you will succeed :)
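
The sweep works because the level accepts unlimited guesses against a 1,000-value keyspace. As an added example (not the level's code), here is a per-client failure limit in PHP; the `try_pin` helper, the limits, the secret `742`, the client address and the in-memory `$attempts` store are assumptions made for illustration.

```php
<?php
// Added example, not the level's code. $attempts stands in for a shared store
// (database row, cache key); limits, secret and client address are constructed.
const MAX_FAILURES = 5;      // wrong guesses allowed before a lockout
const LOCK_SECONDS = 900;    // lockout length in seconds

function try_pin(array &$attempts, string $client, string $pin, string $secret, int $now): string
{
    $entry = $attempts[$client] ?? ['failures' => 0, 'locked_until' => 0];

    if ($now < $entry['locked_until']) {
        return 'locked';                 // refuse before comparing anything
    }
    if (hash_equals($secret, $pin)) {    // constant-time comparison
        unset($attempts[$client]);
        return 'ok';
    }
    $entry['failures']++;
    if ($entry['failures'] >= MAX_FAILURES) {
        $entry = ['failures' => 0, 'locked_until' => $now + LOCK_SECONDS];
    }
    $attempts[$client] = $entry;
    return 'denied';
}

// Constructed run: one client sweeping 0..999 at one request per 100 ms,
// the same pace as the setInterval() call in the walkthrough.
$attempts = [];
$results  = ['ok' => 0, 'denied' => 0, 'locked' => 0];
for ($i = 0; $i < 1000; $i++) {
    $now = 1000 + intdiv($i, 10);        // ten requests per simulated second
    $results[try_pin($attempts, '203.0.113.7', (string) $i, '742', $now)]++;
}
print_r($results);
```

An address-keyed counter only slows a single client; with a keyspace this small, a global failure cap on the protected resource or a longer secret is needed as well.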

hackordie.echofish.org Solution (Level 13)

Saturday, March 20th, 2010

We see a PHP error which tells us that the script is trying to include “username.phpp”, which is a typo. So now we know that username.php is important. We also see a “remember me” checkbox, which tells us that this level uses cookies.

Trying to go directly to the file worked: http://hackordie.echofish.org/levels/13/

Got nothing from username.php at first, but when the source was viewed I discovered another typo which let me see the source.

<PHP 

$username = "admin2"; 

?>

So now we've got the username, let's find the password. As I said before, “remember me” functions use cookies, so let's check the cookies.
Write javascript:alert(document.cookie); in the address bar.
This is it:

Hackordie_remember_me = 865b02aab501e77c8ca524c9bc1cf5c4

This is clearly an MD5 hash, and we can find its value by brute-forcing it. The easiest way is to use an online brute-force tool like http://www.cmd5.org/default.aspx

There you go!
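
A remember-me cookie that holds a bare MD5 hash, readable from script, can be lifted and cracked offline as described above. The following added example (not the site's code) issues a random single-use token instead and stores only its hash; the function names, cookie name, lifetime and array-backed store are assumptions.

```php
<?php
// Added example, not the level's code. $store stands in for a database table;
// the cookie name and 14-day lifetime are constructed values.
const REMEMBER_TTL = 14 * 24 * 3600;

function issue_remember_token(array &$store, string $username, int $now): string
{
    $token = bin2hex(random_bytes(32));     // 256 random bits, unrelated to the password
    $store[hash('sha256', $token)] = [      // keep only a hash of the token server-side
        'user'    => $username,
        'expires' => $now + REMEMBER_TTL,
    ];
    return $token;
}

function redeem_remember_token(array &$store, string $cookie, int $now): ?string
{
    $key   = hash('sha256', $cookie);
    $entry = $store[$key] ?? null;
    unset($store[$key]);                    // single use, whether valid or expired
    if ($entry === null || $entry['expires'] < $now) {
        return null;
    }
    return $entry['user'];
}

function send_remember_cookie(string $token, int $now): void
{
    setcookie('remember_me', $token, [
        'expires'  => $now + REMEMBER_TTL,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,                 // not readable through document.cookie
        'samesite' => 'Lax',
    ]);
}

// Constructed walk-through of one login cycle.
$store  = [];
$now    = time();
$cookie = issue_remember_token($store, 'admin2', $now);
var_dump(redeem_remember_token($store, $cookie, $now));             // first use
var_dump(redeem_remember_token($store, $cookie, $now));             // replay of the same cookie
var_dump(redeem_remember_token($store, str_repeat('0', 64), $now)); // guessed value
```

After a successful redeem the application would issue a fresh token with `issue_remember_token()` and send it with `send_remember_cookie()`.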

hackordie.echofish.org Solution (Level 12)

Saturday, March 20th, 2010

First we need to bypass that User-Agent check. The easiest way to do this is in Firefox: write about:config in the address bar, then search for “useragent” and change the value of “general.useragent.extra.firefox” to “Hack or Die”. Now try to enter level 12 again. When you are done, you can change it back to the default by clicking “reset” :)

Okay, we get sent to the website of a hate group and are supposed to crack their site. The first thing we check is the admin link, but we need a username and password. The admin folder is protected with htaccess, so we need to get the info from the htpasswd file which htaccess uses.

So how are we supposed to read that file? Well, their site uses page including, which we may be able to exploit if the script is not secured well enough.

Let's try to include the .htaccess file through the page include script:

http://hackordie.echofish.org/levels/12/hate/index.php?page=admin/.htpasswd

Didn’t work, but no need to give up yet. The script may be appending a string to the end of the parameter, like this:

include($_GET['page'] . '.php');

We can kill that by adding “?” at the end, which tells PHP that whatever comes after the question mark is GET values.

http://hackordie.echofish.org/levels/12/hate/index.php?page=admin/.htpasswd?

and the file got included…

admin:$apr1$iOOBL...$JfAc7xtWiPh0Mlj.dNS8Y.

Now we need to crack the password. Download John the Ripper and feed the htpasswd file to it.
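
The include pattern guessed above, `include($_GET['page'] . '.php');`, is shown here beside a hardened form that treats the parameter as a key into a fixed map. This is an added example, not the level's code; the page names, the `pages/` directory and the `resolve_page` helper are assumptions.

```php
<?php
// Added example, not the level's code. Page names and the pages/ directory
// are constructed for illustration.

// Pattern the walkthrough infers: request input becomes part of the path.
//     include($_GET['page'] . '.php');

// Hardened form: the parameter is only a key into a fixed map, so no
// request-supplied string is ever concatenated into a filesystem path.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolve_page($requested): ?string
{
    // ?page[]=x arrives as an array; only exact string keys are accepted.
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return null;
    }
    $baseDir = realpath(__DIR__ . '/pages');
    if ($baseDir === false) {
        return null;
    }
    // Defence in depth: after symlink resolution the file must still sit
    // directly under pages/.
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$requested]);
    if ($path === false || dirname($path) !== $baseDir) {
        return null;
    }
    return $path;
}

$page = resolve_page($_GET['page'] ?? 'home');
if ($page === null) {
    http_response_code(404);
    exit('Page not found');
}
include $page;
```

A request such as `?page=admin/.htpasswd?` fails the map lookup and never reaches the filesystem. Keeping the `.htpasswd` file outside the web root removes the target as well.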

hackordie.echofish.org Solution (Level 11)

Friday, March 19th, 2010

Time for flash!
The source tells us the location of the flash file:

<embed src="levels/11/hackme2.swf" quality="high" pluginspage="http://www.macromedia.com/go/getflashplayer" type="application/x-shockwave-flash" width="145" height="75"></embed>

view-source:http://hackordie.echofish.org/levels/11/hackme2.swf gave us gibberish, so we have to decompile it.
Download the flash file (save page as) and then download Flare (google it).

Flare is multiplatform so you can download it for Win, Mac or Linux and it’s really easy to use, no worries.

When you have decompiled it you will get a file named hackme2.flr with a lot of code, but the only code we are interested in is this:

  frame 1 {
    function validate() {
      var v1 = _root;
      if (v1.password == (pass.reverse()).join('')) {
        getURL('?page=level22&pw=' + v1.password, '');
      } else {
        v1.gotoAndPlay(2);
      }
    }

    Stage.scaleMode = 'noScale';
    var pass = ['y', 's', 'a', 'e', 's', 'a', 't', 'o', 'n'];
    Key.addListener({'onKeyDown': function () {
      if (Key.getCode() == 13) {
        validate();
      }
    }});
    stop();
  }

and we can narrow it down even more…

var pass = ['y', 's', 'a', 'e', 's', 'a', 't', 'o', 'n'];
(pass.reverse()).join('')

You should see what the password is by now, but to explain what's going on here:
The object “pass” is an array. join('') implodes the array into a string, gluing the elements together with nothing, which gives us “ysaesaton”, and reverse() just… yes, reverses it: notaseasy