Thu, Jan 07, 21
Welcome back to my walkthrough of hackthissite.org’s CTF missions. I will be going through my thought process of how I solved these missions, and therefore also giving away the solutions. If you came across this to give you hints, watch out for spoilers! Good luck, have fun.
Our next realistic mission is to hack a hacked website and return it to the original owner. We have also be given a bonus if we are able to determine the name of the original hacker.
Going to the website, we can see that this page is definitely not the peace poetry website that is expected, but is a propaganda website for war. At the bottom of the page we also see the culprits of the hack have left a signature: “This page h4x0r3d by the Insane Krypt Skiddies. Shoutz to Ultra Death Laser, Master Of Disaster, and Doctor Doom.”.
Inspecting the page instantly shows us a comment left by the ‘Insane Krypt Skiddies’ that notes that the original website still exists, but the index.html file has been renamed to oldindex.html and that the current webpage that we are viewing is a new page created by the hackers. Otherwise, there is nothing of importance on this webpage.
Firstly, I want to go to the original website, and I will do so by going to /oldindex.html, to see whether I can figure out what the original attack vector was that the hackers used, and potentially use it against them. Looking around the page, both visually and through inspecting, I note that this page doesn’t have anything odd going on that could lead to a vulnerability. Although, this page does link to two other pages, one to read poetry, and another to submit poetry.
Going to the ‘readpoems.php’ webpage, I can see that there are three poems which are links to this webpage with a query string of the name of the poem. Meaning that his webpage we are currently on is dynamic that serves a poem if a valid poem name is given. Going through each poem I can see the following information:
Going to the ‘submitpoems.php’ webpage, I can see that his webpage simply hosts a form for poem submission. The form asks for the name of the poem, and the poem itself. The request is done through a post request to submitpoems2.php. I will submit a fake test poem in order to record the request and response of the form. My test poem is sent to this aformentioned script with the submitted information as form data. This has returned a webpage that says my poem was successfully added. Going back to this form, there is a note that says that poems will be stored online immediately but will not be listed. So, since this seems like the only point of access to direct server files, the attcker may have simply overwritten the index file with their own file.
Most likely, pages are uploaded to some common folder and not directly to the root folder. So if I were to try and overwrite the index file, I would need name the poem ../index.html. The contents of this poem would be the contents of oldindex.html. Click send and voila! We have completed this mission.