Ninja Sec Challenge

This is a old, but funny puzzle that I've solved many years ago 😄

1. Introduction

ASCII Number Pairs

My first thought was that those number pairs could be a hint to the ASCII Table. I did a short check with the first 4 Numbers and I get http. It looks like a URL!

I use a typical web based ASCII to text converter and I got this URL from the number pairs: http://dl.dropbox.com/u/10761700/{challenge.zip,challenge.bz2,admin.txt}

The dropbox link contains the following files:

• challenge.zip - There is one txt file inside, but it’s protected with a password

• challenge.bz2 – There is a binary file inside called challenge, but without file extension

• admin.txt – It looks like a password list

Download files:

425B

challenge.zip

archive

2MB

challenge.bz2

704B

admin.txt

2. Solving the puzzle

My next idea was that one of the words inside the admin.txt file could be the password for the protected zip file! I did try a dictionary attack with the wordlist file admin.txt against the file challenge.zip, but it didn't succeed.

fcrackzip -v -D -p /pentest/passwords/wordlists/admin.txt /target/challenge.zip

I did open the file challenge with a hexeditor and in the end of the file there was a hint:

You have to look for the Disk-ID on freedb.org

As we can read in the FAQ of freedb.org, freedb is a database to look up CD information using the Internet. Because of that information I did try the file extension mp3 and wav. The file extension mp3 did not work, but with the file extension wav it was possible to play the file with an 11 Second sequence of a sound track. But who is the artist of that song and how can I find out that Disk-ID?

First I had to check if the file extension is correct, because it was a coincidence that wav work.

A friend of me told me about a program called TrID which scans unknown binary files of their file extensions. I've tried it out and I got the file extension AIFF.

I tried out different tools to identify the soundtrack, but none them get me the song back! I also tried shazam which is a powerful tool to identify songs and I had success with it.

Let’s check the Database of freedb.org and let’s see what we get!

Disc ID: 1603eb03

The disc ID 1603eb03 was the password for the zip archive and i could successful extract the file challenge.txt!

And now let’s see what we have:

Ok, this looks like typical hexcode. To fnd it out i use a typical hex to text converter tool.

The decoded string is BASE64! A typical Sign for that are the two == at the end of the string. For more information about BASE64 or other Crypto Codes visit the website cryptool-online.

Ok, and now let’s decode the BASE64 String.

What the heck is this? It could be encrypted Javascript Code, but I’m not sure. A quick research in google shows me that it is Javascript and this technique is often used in malicious Websites.

For the further analysis and Decryption I used a Tool called Revelo. I discovered that tool on a nice Security Blog and I run it in a virtual Windows XP Machine.

As we can see, our next Destination is http://www.ethical-intrusion.com/index.php

Now we have a Login Form where we have to enter a valid username/password combination. I start a dictionary attack with the passwords from the file admin.txt. Because of the filename I used for all passwords the username admin.

For the bruteforce attack I've used a Browser Plugin called Fireforce. It’s important that Fireforce need the textstring: “The username/password combination you have entered is invalid” to successful identify the correct password.

After a while I got a valid username / password combination

Password found: m0use456g

With the discovered username/password combination I could enter the website. I can see 2 Links and one of them shows me a youtube video. I did click on play but I couldn’t understand a word because the audio seems to be reverted!

I did convert the youtube video to an mp3 file and with the software audacity I could edit the audiofile to a clear voice:

Congratulations, you’ve discovered the website and now listen carefully you have to go to directory a98dhkjd.

Going to http://www.ethical-intrusion.com/a98dhkjd shows me a htaccess protected Directory:

Now let’s go back to the first Login page and let’s analyse the Links: News1 is linked with: http://ethical-intrusion.com/index.php?news=news1.html News2 is linked with: http://ethical-intrusion.com/index.php?news=news2.html

What we can see is that in both links a separate html file is loaded and displayed into the file index.php! I don’t have much experience in web vulnerabilities, but a technique called local file inclusion exists for Links like this to gain access to protected files and directories.

I have used more than one try, but it was possible to read out successful the htpasswd file with a valid username and password to solve this challenge!

http://ethical-intrusion.com/index.php?news=a98dhkjd/.htaccess

http://ethical-intrusion.com/index.php?news=a98dhkjd/.htpasswd

Username: pilou Password: there1s