Sat, Jan 09, 21
Welcome back to my walkthrough of hackthissite.org’s CTF missions. I will be going through my thought process of how I solved these missions, and therefore also giving away the solutions. If you came across this to give you hints, watch out for spoilers! Good luck, have fun.
Our next realistic mission is to reverse engineering / brute forcing a message digest that is used as a password to a website’s administrative functionalities.
Going to the website, you instantly notice that there is something interesting going on. The entire website is wrapped in a frameset with internal frames being updated relative to where you are within the website. There is a comment found in the header, along with the news webpage, that this was done to hide internal hyperlinks from web scrappers.
There is another interesting thing that you come across when going to the database section in the navigation bar. This takes you to a ‘submit.html’ webpage that asks you to enter a password. Once you click submit, it sends a GET request to sercret/admin.php with the password. If the password was unsuccessful it then informs you that authentication is required.
Since the target of this form is within a folder called ‘secret’, I will assume that an index file does not exist within this ‘secret’ folder. I will access this folder through the browser in hopes that directory listing is turned on; that way I can snoop around to see what else they have in there. Thankfully, this assumption was correct and it does indeed give directory listing information.
The directory listing for the secret folder shows that there exists only two files in here, the admin.php file previously mentioned, as well as, a backup of said script file. This doesn’t give away much information but at least I know that there are two files in here that do exist. Going back up to the parent directory simply redirects us back to the landing page of the website.
My next step is to try and access this backup file to see what happens. When accessing this file through the browser, it sends you a file containing the text: error matching hash f3399ee79d6b908b90fc6de9ecfb9e33. This suggests that the password I need to match should hash to this value. To determine which algorithm this hash value belongs to, I will use a hash analyzer online. Using a couple different ones, just to ensure that the result it returns is correct, informs me that it is most likely a MD4 or MD5 hash algorithm value. Since the comment was that the website is fairly old, we can assume that it is an MD4 hash value as MD4 has been slowly replaced by MD5 in the modern day.
Since hash functions are one way, there is no way of coming up with the orginal password directly from this hashed value. Therefore, I will be using John The Ripper to crack this hash for me. All I have to do is simply wait while it does it’s thing. It didn’t take long, and it resulted with the following collision with the same hash: 2aea4. So, let me try this as a password. Voila! We have completed this challenge.