Ninja Sec Challenge
Last updated
Was this helpful?
Last updated
Was this helpful?
This is a old, but funny puzzle that I've solved many years ago
My first thought was that those number pairs could be a hint to the ASCII Table. I did a short check with the first 4 Numbers and I get http. It looks like a URL!
The dropbox link contains the following files:
challenge.zip - There is one txt file inside, but it’s protected with a password
challenge.bz2 – There is a binary file inside called challenge, but without file extension
admin.txt – It looks like a password list
Download files:
My next idea was that one of the words inside the admin.txt file could be the password for the protected zip file! I did try a dictionary attack with the wordlist file admin.txt against the file challenge.zip, but it didn't succeed.
fcrackzip -v -D -p /pentest/passwords/wordlists/admin.txt /target/challenge.zip
I did open the file challenge with a hexeditor and in the end of the file there was a hint:
You have to look for the Disk-ID on freedb.org
First I had to check if the file extension is correct, because it was a coincidence that wav work.
Let’s check the Database of freedb.org and let’s see what we get!
Disc ID: 1603eb03
The disc ID 1603eb03 was the password for the zip archive and i could successful extract the file challenge.txt!
And now let’s see what we have:
What the heck is this? It could be encrypted Javascript Code, but I’m not sure. A quick research in google shows me that it is Javascript and this technique is often used in malicious Websites.
As we can see, our next Destination is http://www.ethical-intrusion.com/index.php
Now we have a Login Form where we have to enter a valid username/password combination. I start a dictionary attack with the passwords from the file admin.txt. Because of the filename I used for all passwords the username admin.
After a while I got a valid username / password combination
Password found: m0use456g
With the discovered username/password combination I could enter the website. I can see 2 Links and one of them shows me a youtube video. I did click on play but I couldn’t understand a word because the audio seems to be reverted!
Congratulations, you’ve discovered the website and now listen carefully you have to go to directory a98dhkjd.
Going to http://www.ethical-intrusion.com/a98dhkjd shows me a htaccess protected Directory:
Now let’s go back to the first Login page and let’s analyse the Links: News1 is linked with: http://ethical-intrusion.com/index.php?news=news1.html News2 is linked with: http://ethical-intrusion.com/index.php?news=news2.html
I have used more than one try, but it was possible to read out successful the htpasswd file with a valid username and password to solve this challenge!
http://ethical-intrusion.com/index.php?news=a98dhkjd/.htaccess
http://ethical-intrusion.com/index.php?news=a98dhkjd/.htpasswd
Username: pilou Password: there1s
I use a typical web based and I got this URL from the number pairs: http://dl.dropbox.com/u/10761700/{challenge.zip,challenge.bz2,admin.txt}
As we can read in the FAQ of , freedb is a database to look up CD information using the Internet. Because of that information I did try the file extension mp3 and wav. The file extension mp3 did not work, but with the file extension wav it was possible to play the file with an 11 Second sequence of a sound track. But who is the artist of that song and how can I find out that Disk-ID?
A friend of me told me about a program called which scans unknown binary files of their file extensions. I've tried it out and I got the file extension AIFF.
I tried out different tools to identify the soundtrack, but none them get me the song back! I also tried which is a powerful tool to identify songs and I had success with it.
Ok, this looks like typical hexcode. To fnd it out i use a typical tool.
The decoded string is BASE64! A typical Sign for that are the two == at the end of the string. For more information about BASE64 or other Crypto Codes visit the website .
Ok, and now let’s the BASE64 String.
For the further analysis and Decryption I used a Tool called Revelo. I discovered that tool on a nice and I run it in a virtual Windows XP Machine.
For the bruteforce attack I've used a Browser Plugin called . It’s important that Fireforce need the textstring: “The username/password combination you have entered is invalid” to successful identify the correct password.
I did convert the youtube video to an mp3 file and with the software I could edit the audiofile to a clear voice:
What we can see is that in both links a separate html file is loaded and displayed into the file index.php! I don’t have much experience in web vulnerabilities, but a called local file inclusion exists for Links like this to gain access to protected files and directories.
