Tue, May 25, 21
Welcome back to my walkthrough of hackthissite.org’s CTF missions. I will be going through my thought process of how I solved these missions, and therefore also giving away the solutions. If you came across this to give you hints, watch out for spoilers! Good luck, have fun.
Our next realistic mission is to get into the admin section of this right-winged American website. Going through the homepage and the hyperlinks on the site, its evident that this is a very simple website and there doesn’t seem to be any direct admin access from the website through some sort of hyperlink. My first step would be to try and look at the source code to see if we can discover some sort of file structure through the assets that are loaded with the website.
The first thing that one would notice when looking at the source code of the homepage is that the images are kept in a /images/ folder. Another thing is that the poster links redirect to showimages.php?file=... where the ... is a file name. It is possible that the backend has incomplete remediation and assumes all frontend requests are correct. Thus it is possible that showimages.php is exploitable.
Stepping into the /images/ folder, we can see that directory listing is turned on for this directory. Fortunately, for us, we can see that - along with all the photos - there is an admin/ subdirectory. Stepping into this directory, I am presented with a login through Basic Authentication. Trying the default passwords doesn’t result in us entering this folder. Perhaps we can revisit the showimages.php file. Doing a quick test on a random image using the URL: ...showimages.php?file=images/burn.jpg results with the message please do not try to open image files which suggests that this is possibly the right direction.
Circling back to the Basic Authentication, we know from previous challenges that this website is hosted through Apache. In order to ‘lock’ a folder, it is done through the .htaccess file that compares the credentials sent by the client with those stored in a .htpasswd file by default. This file could be present anywhere within the server. Trying the different directories that I know exists, I found that the url ...showimages.php?file=images/admin/.htpasswd results in a webpage with a broken href to an image. If this worked as expected, the href should contain the contents of the .htpasswd file. Inspecting this attribute, we can see that it is https://www.hackthissite.org/missions/realistic/7/administrator:$1$AAODv...$gXPqGkIO3Cu6dnclE/sok1, thus implying that the contents of .htpasswd was administrator:$1$AAODv...$gXPqGkIO3Cu6dnclE/sok1.
Looking at some documentation from Apache, I have found the following information:
htpasswd encrypts passwords using either bcrypt, a version of MD5 modified for Apache, SHA1, or the system’s crypt() routine. Files managed by htpasswd may contain a mixture of different encoding types of passwords; some user records may have bcrypt or MD5-encrypted passwords while others in the same file may have passwords encrypted with crypt().
To add on, this article by hostwinds notes that:
User credentials are stored on separate lines, with each line containing a username and password separated by a colon (:). Usernames are stored in plain text, however passwords are stored in an encrypted hashed format. This encryption is usually MD5, although in Linux it can be based on the crypt() function
This suggests that access to the /images/admin/ folder is given to the user administrator that has a password that hashes to $1$AAODv...$gXPqGkIO3Cu6dnclE/sok1. In order to crack this hash, we will use JohnTheRipper. This is a simple task, using the following commands: john passwordfile; john --show passwordfile. The output results with the following password that has a similar hash: administrator:shadow. Thus I expect to be able to enter these credentials and be given access to the /images/admin folder. As expected, entering these credentials does complete this challenge.