Thursday, January 24, 2008

Google Hacking Database

For those of you who care to learn more about using Google as a tool, rather than just a search engine for finding your favorite celebrity gossip, I decided to post this link. It is a Google hacking database, containing all the sweet little snippets you can put into it to gather anything from passwords to company secret documents. But, as with most of my blogs, I would advise you not to do anything I tell you about outside your own network. Here's the link: http://johnny.ihackstuff.com/ghdb.php
May the force be with you my young padawans.

Non-techish Hacks: zwei (German for 2 o.O)

Another great non-technical hack that I found was in hotel rooms. I won't delve into great detail on how to do this, but basically, there is a way to break their security on their television channels within about two seconds (depending on the speed at which you can remove a coax :P). After doing so, one could watch any channel they could have if they had paid for it. As well, in larger hotels, when a customer views their bill, it unlocks a specific channel and sets it to their information; now, if we pre-hacked our room, we could change channels, hit someone's channel that was unlocked and see their billing info. Now, with that in mind, say they have that new spiffy internet through t.v.? Now we can see what they are doing on the internet, be it viewing naughty websites, or viewing their bank website and logging in. This is obviously a 'Do not try this at home, kids' subject. But I found it great to see some not-so-technical things such as this. I hope to find some more articles similar to this.

Non-techish Hacks

I was bored and randomly searching for some interesting info, and I came across an article on no-tech hacking. It was a large article on shoulder surfing and dumpster diving. After reading this, I realized just how easy it is to let someone get information from you without even knowing it. It gave me a new outlook on social engineering. In the article, the author listed a few things I never even thought about. For instance, looking at someone's laptop at an internet cafe, you may notice a bunch of stickers. This will explain a lot about a person and their desktop. For example, if you see 10 cat stickers, chances are they may have a password that has to do with a cat, be it their own cat's name, the name of a breed of cat, etc. Looking at their desktop is an easy grab of information. Most novice users don't change backgrounds, for example; that right there will show the current operating system. You can also check their taskbar for running applications, which will show you possible targets. There are tons of goodies sitting on their desktop most of the time, for ease of access. So all in all I would say this was a great article, and I'm glad I stumbled upon it.

Wednesday, January 9, 2008

JS Final

Okay, this one, just like the others, was easy, but tricky if you don't think about it for a bit. Looking at the script, it is quite jumbled. There seems to be a bunch of functions. Now, we look for the one that's actually used. After some searching we see that after the post, it goes to a separate script, so we now look at that. It has 2 different variables, unlike the one before, and it checks to see if _your_ password is equal to var1+" "+var2, which means 'var1[spacebar]var2'. Ok, let's go back and input that password. Voila, simple, and finished. :D

JS5!

Okay, this one was a bit different. We used a new function called unescape. The objective was to unescape a string which was the password (the unescaped version, that is). So this was quite simple; of course, to find that we needed to use unescape, we would view the source, which showed us variable=unescape('%21%43%blah%blah'), and we want our password to equal whatever variable is. So, we look for a text unescape utility site, and input the string we want unescaped. Voila, simple as most of the others; we now have our password, and have completed the mission. WWWEEEEE!!!!

JS4!

Okay, after about 20 minutes of trying this one... I finally realized the answer and wanted to bash myself in the head with the keyboard :( Basically, the challenge is, make your password equal a variable. And the variable is set in the page. You look in the code that they placed and you see "+blahblah+" == "+blah+" Now, you would think that to make your password equal blahblah it would be blah, right? Unfortunately no :/ The +'s around them mean they aren't used. So, that means we have to find the blah == somewhere... okay, let's do a search within the source. There we go, we found blahblah == passwordhere. So, after the headache, it was right there, just not out in plain sight :/ So, the lesson learned here? Sometimes things aren't always as they seem, and try to look at something as a whole, not just the piece you _think_ you need.

JS3!

On to JSM3! Okay, so this took a bit of math, and a bit of js understanding. So, it was a bit tricky, since at first glance the math seemed easy. The math looked like this: ((5+(6*7))%8)*2. So, to me, thinking math-wise I would assume it would be 6*7=42 +5=47 /8= 5.875*2=11.75 Now, math-wise, looks good. Only problem is, in js the % symbol doesn't mean division. Well, it ~ does, but it doesn't, it means divide by this number, and the remainder is the answer. So let's go back. 6*7=42 +5=47 %8=(47/8=5.875 which would leave remainder of 7) so %8=7 *2=14. So now, the js checks to see if the password you typed is as long as this value, which is 14, so we just type out a 14 character password and BAM We win! :D

JS2

Okay, reposting JS2 due to it not saving for some reason... Anyway, basically for the second mission, all you do is disable javascript and it's completed. So, yeah... I was hoping it would be a bit more difficult? Guess not, but what can you do :/

Javascript Missions

I decided to try my hand at JS. So I selected the first JS mission. It was a bit TOO simple. The scenario was that a girl, VERY new to JS, wrote a script that checks a password, and if you type the correct password, you win. If not, you lose.
Or for you geeks out there,

if pwiscorrect = true then
win
else
lose
endif

And moving on :P Basically, view source of the page, find her script, and within her script, she has
if (variable == "string")
{
win
}
and basically, you want to win right? Of course you do, so you input whatever the string is to make it equal, and BAM we're done. Too easy drill sergeant!

Java, SQL, PHP Oh my!!

In the second mission, the objective was to get the source code of a site, using their script, which will post the file contents of whatever you input into the box. Okay, well, so if we put a filename in the box, it would only show something that is in current working directory. In the sample, it wanted something that was _not_ in the current directory. Here is the function:
$blarghonkhonk = file_get_contents($_POST['filename'].'.php');
(again variables and such changed as to not 'steal' from the source site)

Ok. So, as I pointed out earlier, the function will only grab a file _in_ the current directory that the script was located in. So, the file we want is 2 levels above it. Here's where knowing how to navigate through a filesystem comes in handy :P So, two levels up would be ../../. Okay, and we wanted index.php, so the answer would be:
../../index
Voila Completed! In about 2 seconds (or however long it takes to read the objective)
The first time I read it, it sounded a lot more complicated than it actually was. I was thinking you would have to use RFI, or Remote File Inclusion, where you would have to input thesitenamethatshalnotbenamed.x/index.php. So, there's some extra reading for those who care to learn a bit about RFIs :D

Update to HTS

I couldn't do a few missions here in class due to it being on campus and the rules that apply there. So I decided to stop the Realistic simulations and move to the extended ones. The first one was rather easy. It was a simple buffer overflow. The achievement was to crash the program. They give you the script of a C program, and an input box to put what you would use to get the program to crash. Easy, huh? Here's the given script:
void tuxownsyou(char *str) { char noob[60]; strcpy(noob, str); }
(I changed variables and numbers so not to violate their policy on copying in part/whole of their site)

Okay, in case some of you don't know how to complete the buffer overflow, it's quite simple. If you look at the array noob[60], it's saying, put aside 60 bits to hold the information passed to the array. Okay, now the overflow. There's no check to see if the string entered is larger than 60, so we enter a 61-character string, and voila, program crashed, and the extended characters passed to live ram. (Correct me if I'm wrong?) Was fun, but WWAAAYYYY too simple. Next stop, mission 2!

Also on a side note, this website grades your progress. I believe you start off as a "noob" then a "script kiddie". <--- Just hit apprentice. And <--- = noob. So if I can do it, _you_ _can_ _too_!

Monday, January 7, 2008

PHP Injection

Now, after finishing the 10 basic missions, I learned to use and abuse SSIs as well as do some javascript injections. Now onto the Realistic Missions. On the first mission the objective was to make a band go to the top of their ranking list. You are able to vote from 1-5 for the band. The top band had an avg of 23 votes. So, to bring our objective band to the top of the list, I used Firebug, a firefox extension, and changed the max rank from 1-5 to 1-1000 and submitted my vote with my 1000 option. Doing this threw our band above and beyond all the other bands. And hurray!! We win! There is another way to do this using php injection. But as with most things in IT, why do something the hard way when there is a tool that will make it easier... i.e., why do something a thousand times when you can make a script to do it for you? I would still like to learn about PHP Injections, but I couldn't seem to get it to work correctly. Perhaps I will try it out some more in the future.

Cryptography

Just finished mission 6. This is a quote from the mission: "An encryption system has been set up, which uses an unknown algorithm to change the text given. Requirements: Persistence, some general cryptography knowledge." Basically I took their encrypted password of: 78585ghj. And on their site there was an encrypting script that will encrypt whatever you put in for text, so I obviously started with a-z1-0 to see how the letters lined up. Then I realized, whatever the first input character was, stays the same. I also noticed that the letters incremented by one more for each character. So I thought, hmm, first one is the same, next is +1 in the alphabet/number. So, logically,
"7 8 5 8 5 g h j" would be:
- - - - - - - -
0 1 2 3 4 5 6 7
= = = = = = = =
7 7 3 5 1 b b c

Javascript Injection!!!

Well, I spent the last 15 minutes attempting to finish mission 5. The point of the mission was that an administrator set up a script to email himself a password for the site, in the event he forgot it. It was to be sent to his email: webmaster@hulla-balloo.com. Using a Javascript Injection I was able to change the email the password would be mailed to to my own, thusly giving me the password when I hit 'Send password to Sam'. Poor, poor Sam. Never knew what hit him :/ So this was a fun one. I learned something new and somewhat useful. I also learned, never put up a script to email yourself a password in the event you're too lame to remember it ;)

Hackthissite

I decided to take a smack at hackthissite and begin the hack bootcamp. After about 5 minutes I've finished the first 4 missions. The first 3 were extremely simple. But I am sure they will become more difficult as I go on. So far I've learned some people just don't think before they write a website ;)

Friday, January 4, 2008

The Beginning

Got a textbook from AC. I plan on reading some of it today, and slapping some information on here of what I learned.