This is the website, http://www.hackthissite.org/missions/realistic/7/, and the mission is to gain access to its admin section. Easy! So easy, actually. I advise you to try to figure it out yourself, just for fun.
A little moving around the page shows us one of the most dangerous vulnerabilities a developer can ever introduce; take a look at this screenshot:
Obviously, a page that reads arbitrary files from the server based on a request parameter is not a good idea at all; my advice: NEVER DO THIS. So now we know how we are going to break in: we have to read the contents of files on the server using the showimages.php?file=*** page.
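The right way to build a page like showimages.php is to treat the file parameter as untrusted and refuse anything that escapes the image directory or names a dotfile. The following is an added example of that check, written here in Python rather than the mission's PHP; it is not code from the mission or from this post. The image root path, the allowed extensions and the sample requests are all assumptions made for the demonstration.

```python
import os
from pathlib import Path

# Hypothetical web layout: all served pictures live under IMAGE_ROOT, and
# IMAGE_ROOT is assumed to contain no symlinks pointing outside itself
# (in production, resolve with os.path.realpath before the containment check).
IMAGE_ROOT = Path("/var/www/site/images")
ALLOWED_SUFFIXES = {".jpg", ".jpeg", ".png", ".gif"}


def resolve_image(file_param: str):
    """Return the absolute Path to serve, or None when the request must be refused.

    file_param is the already URL-decoded value of ?file=...
    """
    # Empty names, NUL bytes and absolute paths are refused outright.
    if not file_param or "\x00" in file_param or file_param.startswith(("/", "\\")):
        return None

    # Normalise lexically (no filesystem access) so "a/../../x" collapses first...
    candidate = Path(os.path.normpath(str(IMAGE_ROOT / file_param)))

    # ...then require the normalised result to still sit inside IMAGE_ROOT.
    try:
        candidate.relative_to(IMAGE_ROOT)
    except ValueError:
        return None

    # Dotfiles (.htpasswd, .htaccess) and anything that is not an image are refused,
    # which also blocks directory names such as "admin" (no extension).
    if candidate.name.startswith(".") or candidate.suffix.lower() not in ALLOWED_SUFFIXES:
        return None

    return candidate


def classify(requests):
    """Map each constructed request value to 'serve' or 'refuse' for review."""
    return {r: ("serve" if resolve_image(r) else "refuse") for r in requests}


if __name__ == "__main__":
    # Constructed sample requests: one legitimate, the rest shaped like the
    # mission's probes (directory, dotfile, traversal out of the root).
    for req, verdict in classify([
        "cat.jpg",
        "admin",
        "admin/.htpasswd",
        "../../etc/passwd",
        "/etc/passwd",
    ]).items():
        print(f"{verdict:7} {req}")
```

The containment test is what matters: string filters that only strip `../` are bypassed by encodings and repeated patterns, whereas normalising and then checking `relative_to(IMAGE_ROOT)` decides on the final path the server would actually open.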
Because the mission is moderated, the PHP files themselves can't be read, but in real-world cases developers never pay attention to this. You can play around with this page a little, trying to read the index.php contents, robots.txt, etc.
Now we have to locate the admin section. Usually it lives in a folder called admin, but trying http://www.hackthissite.org/missions/realistic/7/admin won't give much. A quick look at the HTML shows that images are inside a folder called images/; requesting this folder shows its contents (directory listing, another bad habit webmasters fall into by mistake), and we can see the admin folder inside.
You can also use Google to locate directory listings on a website with a query like this: "index.of" site:target.com
Now that we know the path to the admin folder, requesting it makes the server ask for authentication, and here we have to figure out what the password is!
This is where showimages.php is so useful: it has read access to files on the server, even the .htpasswd. Here is the request that reads the file: http://www.hackthissite.org/missions/realistic/7/showimages.php?file=images/admin/.htpasswd, and this is the HTML of the response:
Download the cracker (John the Ripper, the john-386 build used below), extract it somewhere, open the command prompt and browse to its location, then save the content of the .htpasswd file in a .txt file, hack.txt for example. Here is the content:
administrator:$1$AAODv...$gXPqGkIO3Cu6dnclE/sok1
Now we just start the cracker with the command john-386 hack.txt, and within a few milliseconds you get the password:
Real-world example: Ouedkniss.com
The contents of this section were deleted by the author; want the original? Look deeper… Anyway, their website has SQL injections, Ajax problems, XSS (I guess), directory traversal problems and much more.
To apply this tutorial to their website, you can, for example, discover all their files on the server, and worse, discover THE WHOLE SERVER, not just their public_html folder.
For example, this is a listing of their root, yes, the SERVER ROOOOOOT (if you are not in the security world, maybe you can switch to the source code, and if you can't figure out the contents of the server even in the source code, then maybe you need to go here http://bit.ly/2LlzMv :D)
http://www.ouedkniss.com/popups/details.php?categorie=telephonie&id=../../../../
And that's a listing of all the files they have in their www folder:
http://www.ouedkniss.com/popups/details.php?categorie=telephonie&id=../../../www
Well, you got it: you can see whatever you want on their web server. Why? They are making the same mistake as the page that loads files: they are listing files. Don't get me wrong, from their point of view they list the images in the folder whose id is in the request, but they never validate the id, and they never check whether they are looping only over image files or over ANY file or directory that the id points to.
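Both the mission page and the real-world case leave the same trace in the web server's access log: a parameter value that walks out of the intended directory or names a dotfile. The following is an added example of how a defender can spot those requests after the fact; it is not code from this post or from either site. The log lines are constructed for the demonstration (Common Log Format, fictional addresses and paths), and the parser assumes that format.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Common Log Format; the request target (path + query) is what we inspect.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Constructed sample log: a clean image fetch, a dotfile read, a plain
# traversal, a percent-encoded traversal and an unrelated page view.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /showimages.php?file=images/cat.jpg HTTP/1.1" 200 5123
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /showimages.php?file=images/admin/.htpasswd HTTP/1.1" 200 87
198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET /details.php?cat=phones&id=../../../../ HTTP/1.1" 200 9001
198.51.100.9 - - [10/Oct/2023:13:56:07 +0000] "GET /details.php?cat=phones&id=%252e%252e%252fwww HTTP/1.1" 200 7411
192.0.2.44 - - [10/Oct/2023:13:57:12 +0000] "GET /index.php HTTP/1.1" 200 2048
"""


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding (%252e -> %2e -> .) up to `rounds` times."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_reasons(target: str):
    """Return the list of reasons a request target looks like path abuse."""
    reasons = []
    parts = urlsplit(target)
    # Inspect the path itself and every query-string value (parse_qsl decodes once).
    values = [parts.path] + [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    for raw in values:
        value = fully_decode(raw).replace("\\", "/")
        segments = value.split("/")
        if ".." in segments:
            reasons.append("traversal")
        if any(s.startswith(".") and s not in (".", "..") for s in segments):
            reasons.append("dotfile")
        if "\x00" in value:
            reasons.append("null-byte")
    return sorted(set(reasons))


def scan_log(text: str):
    """Yield (ip, target, reasons) for every parsable line that raises a flag."""
    hits = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in Common Log Format
        reasons = suspicious_reasons(match["target"])
        if reasons:
            hits.append((match["ip"], match["target"], reasons))
    return hits


if __name__ == "__main__":
    for ip, target, reasons in scan_log(SAMPLE_LOG):
        print(f"{ip:15} {','.join(reasons):18} {target}")
```

Decoding in a loop matters because a single `unquote` leaves `%252e%252e%252f` looking harmless; the check also runs on the path segments, not just the query, since the same pattern shows up when a router maps path components onto the filesystem.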
I can’t be held responsible for anyone using information here to hack or try to hack their website, also, please don’t ask me how did I
Also, if any of you know their team, or if you are a member of their team, you should inform them so they react quickly and fix the bugs.
A last word: being among the first 50 or 100 most visited websites in Algeria doesn't hide the truth that it is among the least secure websites.