
HaxTor - go through the "warm-up" and get a free shell

Hello!
Today I want to tell you about a resource called HaxTor. This site was made specifically to be hacked, roughly speaking :) It has 5 warm-up levels; once you pass them you get a free 2 GB shell (at least that was the case when I got mine, I am not sure about now :)). After the warm-up you can keep improving and testing your skills in different areas of IT. Here is the list of tasks offered after the warm-up:
Level 1. Make a nasa.gov URL display a text of my choice
Level 2. debfKNH1AvtBo deGH9Aq./kiSY denjFRfA8kzL2
Level 3. Recognize
Level 4. IP address is 72.14.221.104. What contains 'art' that points to it?
Level 5. Password is the owl's name
Level 6. SQL ninjitsu
Level 7. snifflog.txt - ngrep format
Level 8. Password is on a picture: not available from anywhere
Level 9. Elementary Maths
Level 10. A poem
Level 11. As simple as hashing a string
Level 12. Ultra Turing
Level 13. PHP with source - needs exploiting and / or ootb thinking
Level 14. Recognize # 2
Level 15. download.com's uptime
Level 16. root: hsmfs; g@10.0.0.5
Level 17. Feed me!
Level 18. Find all usernames
Level 19. red + blue + green =?
Level 20. Recognize # 3
Level 21. Backdoor on a suspended domain
Level 22. MS-Word
Level 23. Too easy
Level 24. Defense Intelligence Agency
Level 25. BitNinja
Level 26. PHP filemanager with source - needs more exploit
Level 27. The photo doesn't load
Level 28. telnet://hax.tor.hu:1800 - Google Word Game
Level 29. Circumvent PHP filters for XSS
Level 30. Create the given image using a number
Level 31. Find all usernames v2.0
Level 32. Exploit file2image.php
Level 33. Defense Information Systems Agency - 209.22.99.66
Level 34. Password is in the image
Level 35. Follow the pattern
Level 36. Root password needed
Level 37. password = f (200)
Level 38. Name the malware
Level 39. China Science And Technology Network
Level 40. I can has satellite?
Level 41. Poem vs PHP
Level 42. Criminal Minds FBI haxor scene
Level 43. CNN's router
Level 44. Blind SQL injection
Level 45. Frogs n Toads
Level 46. Seizure !!!
Level 47. Backdoor is find it on
Level 48. .htaccess editor vs basic auth
Level 49. Forged DNS from the CIA
Level 50. No info


Now let's start working on getting the shell ;)

1st task
Here you are asked to enter a password which, as promised, is in the source code. Let's look at the source code of the page. By analyzing the HTML code of the form, we find out which function is called when you click the Go button:

    <form method="GET" action="/warmup1/" name="lf" onSubmit="a(); return false;">
      Password: <input name="pw" class="input">
      <input type="button" class="button" value="Go" onClick="a()">
    </form>

We see that the function being called is named "a". Let's search the page source for this function. We find it at the very end of the source code:

    function a() {
      // The expected password is assembled in the browser, in plain sight.
      thepw = 'warmup1';
      thepw = thepw + 'lol';
      thepw = thepw + 'copter';
      // The comparison also runs client-side; a match redirects to /<password>.
      if (document.lf.pw.value == thepw) {
        document.location = '/' + thepw;
      } else {
        alert('That is not correct. Please try again.');
      }
    }

From the code we see that the password is stored in the string thepw. Concatenating the strings gives the password: warmup1lolcopter. We enter it into the field and click Go, which takes us to the next level.
2nd task
This level is currently not working, so you can just type in fail and press Go :)

3rd task
Here you need to select the Bacon item from the list, but it is not in the list. How do we choose it? It is very simple. Open the page source and look at these lines:

    <form method="POST" action="/warmup3/" name="lf">
      <input type="hidden" name="crypt_key" value="d719b8adfc6e3841ffc856d52abc5fb9">
      <select name="chosen" class="select">
        <option value="Apple">Apple</option>
        <option value="Lemon">Lemon</option>
        <option value="Mango">Mango</option>
        <option value="Orange">Orange</option>
      </select>
      <input type="submit" class="button" value="Proceed">
    </form>

From the source we see that the name of the variable passed to the server is "chosen". This variable carries the item selected in the list. Let's try passing Bacon through the global variables. We build the query string: ?chosen=Bacon. Appending it to the page address gives the request: hax.tor.hu/warmup3/?chosen=Bacon. Press Enter and go to the next level :)
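Why a request like the one above is accepted, and the server-side check that rejects it, as an added example (not HaxTor's code and not from the original post). The option values and the POST method come from the form above; the handler names, the status codes and the model of the naive handler are assumptions.

```javascript
// Added example: server-side validation for a form like the warmup3 one.
// A <select> only limits what the browser UI offers; the server has to
// re-check the HTTP method and the submitted value. Names are hypothetical.

// Values the server itself rendered into the form (taken from the page).
const OFFERED = new Set(["Apple", "Lemon", "Mango", "Orange"]);

// Hypothetical naive handler: merges query-string and body parameters and
// trusts whatever arrives, regardless of method.
function naiveHandler(req) {
  const url = new URL(req.url, "http://localhost");
  const params = new URLSearchParams(req.body || "");
  for (const [k, v] of url.searchParams) params.set(k, v);
  return { status: 200, chosen: params.get("chosen") };
}

// Hardened handler: the form declares method="POST", so only the POST body
// is read, exactly one value is allowed, and it must be one that was offered.
function hardenedHandler(req) {
  if (req.method !== "POST") return { status: 405, chosen: null };
  const values = new URLSearchParams(req.body || "").getAll("chosen");
  if (values.length !== 1) return { status: 400, chosen: null }; // missing or duplicated
  if (!OFFERED.has(values[0])) return { status: 422, chosen: null };
  return { status: 200, chosen: values[0] };
}

// Constructed sample requests.
const tampered = { method: "GET", url: "/warmup3/?chosen=Bacon", body: "" };
const forgedPost = { method: "POST", url: "/warmup3/", body: "chosen=Bacon" };
const honest = { method: "POST", url: "/warmup3/", body: "chosen=Mango" };

for (const r of [tampered, forgedPost, honest]) {
  console.log(r.method, r.url, r.body, "->",
    "naive:", naiveHandler(r).status, "hardened:", hardenedHandler(r).status);
}
```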

4th task
Here we are offered a link to the page with the password, but when we follow it, for some reason we get this message: This browser is banned: Opera/9.80 (X11; Linux i686; U; ru) Presto/2.9.168 Version/11.50. What to do in this case? Again, everything is very simple. It can be solved in two ways: the first is through telnet, and the second is through a local web server and PHP. I chose the second method, since I am not particularly familiar with GET and HTTP requests. If you have Linux and NetBeans installed, and Apache and PHP configured on a local server, this will not be a problem ;) Open NetBeans (or any other editor, according to your tastes and preferences) and write the following code:

    <?php
    // Fetch the page from PHP instead of the browser, so the request
    // does not carry the banned browser's User-Agent string.
    echo file_get_contents('http://hax.tor.hu/pwfor4/index.php');
    ?>

We enter localhost in the address bar and see the text: The password is: spaceship. We go back to HaxTor and enter spaceship. On to the next level :)

The 5th task and the last to get the shell :)
Here we have a password hash, and we need to decrypt it. I immediately and stupidly threw it at John the Ripper, but got nothing in return. I began to analyze this hash and came to the conclusion that every even position of this hash stays the same as long as the number of characters stays the same, and changes when that number changes. I began to substitute different characters, each time increasing the password length by one, and finally I found these positions matching at a password length of 5 characters:
Original hash: 83 230 69 128 66 214 89 24 92 204
Hash of my password 12345: 6 230 5 128 4 214 3 24 2 204
So each odd position represents the character code itself. I began to study ASCII, UTF and other tables. I went through all the matches with the tables and got nothing. Then I noticed that if you go through the alphabet, the code itself goes up or down by one. Then I started doing a manual, "dumb" password search, getting closer and closer to the password itself :) As a result, I got the word "drunk". Its hash fully matched the original hash and let me through to the registration page :)
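The two token lists above are enough to show that this is a reversible encoding rather than a hash. The following added example (not from the original post or from HaxTor) checks that the even-position tokens agree, derives one XOR constant from the author's 12345 pair, and decodes the original. That the odd positions are the character code XORed with a single constant is an inference from the page's numbers, which the code verifies; the function names are hypothetical.

```javascript
// Added example: known-plaintext analysis of the warm-up 5 "hash".
// The two token lists are the ones from the page; all names are hypothetical.

const TARGET = "83 230 69 128 66 214 89 24 92 204"; // original hash
const KNOWN_TEXT = "12345";                         // password the author submitted
const KNOWN_HASH = "6 230 5 128 4 214 3 24 2 204";  // its hash

const parse = (s) => s.trim().split(/\s+/).map(Number);

// Separate per-character tokens (1st, 3rd, ...) from filler tokens (2nd, 4th, ...).
function split(tokens) {
  return {
    chars: tokens.filter((_, i) => i % 2 === 0),
    filler: tokens.filter((_, i) => i % 2 === 1),
  };
}

// Returns the single XOR key relating the plaintext to its char tokens,
// or null when the relationship is not one constant XOR.
function deriveXorKey(plaintext, charTokens) {
  if (plaintext.length !== charTokens.length) return null;
  const keys = new Set(charTokens.map((t, i) => t ^ plaintext.charCodeAt(i)));
  return keys.size === 1 ? [...keys][0] : null;
}

function recover(targetStr, knownText, knownHashStr) {
  const target = split(parse(targetStr));
  const known = split(parse(knownHashStr));
  // Filler tokens agree only when both inputs have the same length
  // (the observation the author made about the even positions).
  const sameFiller = target.filler.length === known.filler.length &&
    target.filler.every((v, i) => v === known.filler[i]);
  if (!sameFiller) return { ok: false, reason: "length mismatch" };
  const key = deriveXorKey(knownText, known.chars);
  if (key === null) return { ok: false, reason: "not a constant XOR" };
  const text = String.fromCharCode(...target.chars.map((t) => t ^ key));
  return { ok: true, key, text };
}

console.log(recover(TARGET, KNOWN_TEXT, KNOWN_HASH));
```

A real password hash gives no such per-character relationship: changing one input character changes the whole digest, so a single known pair reveals nothing about other inputs.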

After registration, you get the access details for your account, which lets you solve the further puzzles and manage your free shell :)

Source: https://habr.com/ru/post/127147/

