# Ninja Sec Challenge

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FJbyJ3fbhLUy6sdAiUeUC%2Fninja.jpg?alt=media\&token=25b5ee24-0de0-458b-a252-93f02828cbcc)

This is an old but fun puzzle that I solved many years ago :smile:

### 1. Introduction

![ASCII Number Pairs](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2Fdj7SbLvaxLyeMWQ4caar%2Fchallenge.jpg?alt=media\&token=10c15656-1d0d-4100-87f5-cd83067758d7)

My first thought was that those number pairs could be a hint to the ASCII table. I did a quick check with the first four numbers and got **http**. It looks like a URL!

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2F4u2pQSqdNw7lfdgGoDic%2Fascii_check.jpg?alt=media\&token=1e441630-87ad-401e-9d3e-c180fe93a023)

I used a typical web-based [ASCII to text converter](http://www.unit-conversion.info/texttools/ascii/) and got this URL from the number pairs: ~~<http://dl.dropbox.com/u/10761700/{challenge.zip,challenge.bz2,admin.txt}>~~

The Dropbox link contains the following files:

* **challenge.zip** – contains one txt file, but it’s protected with a password
* **challenge.bz2** – contains a binary file called challenge, without a file extension
* **admin.txt** – looks like a password list

Download files:

{% file src="<https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FPFmqPmgWrcwsf3JidXNl%2Fchallenge.zip?alt=media&token=8f04531c-6cbf-4635-b14a-b7418d65a7a7>" %}

{% file src="<https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FWErOjgnBPWTuekQG4Yj1%2Fchallenge.bz2?alt=media&token=c4a819ff-45d1-416f-9d6c-16a89f902b62>" %}

{% file src="<https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FBNMbdN4o8al1NlqbWZko%2Fadmin.txt?alt=media&token=341b4926-480e-456a-96d3-7e7cc6720d1c>" %}

### 2. Solving the puzzle

My next idea was that one of the words inside the admin.txt file could be the password for the protected zip file. I tried a dictionary attack with the wordlist admin.txt against the file challenge.zip, but it didn't succeed.

`fcrackzip -v -D -p /pentest/passwords/wordlists/admin.txt /target/challenge.zip`

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2F7OarLkfx84o6GDI4hwux%2Ffcrack.jpg?alt=media\&token=4eb549c2-feab-446a-b042-3aa46fd2756b)

I opened the file challenge in a hex editor, and at the end of the file there was a hint:

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FPFXq87qNDAE8wxKxabgE%2Fhexedit.jpg?alt=media\&token=0b37777f-0865-4a8f-9a62-f576ba13a964)

**You have to look for the Disk-ID on freedb.org**

As we can read in the FAQ of [freedb.org](http://freedb.org), freedb is a database for looking up CD information over the Internet. Because of that information I tried the file extensions mp3 and wav. The extension mp3 did not work, but with the extension wav it was possible to play the file: an 11-second sequence of a soundtrack. But who is the artist of that song, and how can I find out the Disc-ID?

First I had to check whether the file extension was really correct, because it could have been a coincidence that wav worked.

A friend of mine told me about a program called [TrID](http://mark0.net/soft-tridnet-e.html), which identifies the file type (and thus the proper extension) of unknown binary files from their content. I tried it out and got the file type AIFF.
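The reason a renamed file can still play is that players and tools like TrID look at the container's signature bytes, not at the extension. The following is an added example (not the challenge file and not TrID's code) that distinguishes WAV, AIFF and MP3 by their magic bytes; the headers it builds are constructed test data, and `extension_agrees` is a helper name chosen here:

```python
"""Identify an audio container by its leading bytes rather than its extension.
Added example: the headers below are constructed test data, not the challenge file."""

import struct


def identify_audio(data: bytes) -> str:
    """Return a label for the container found in the first bytes of a file.

    Signatures checked:
      WAV:  'RIFF' <little-endian size> 'WAVE'
      AIFF: 'FORM' <big-endian size> 'AIFF' or 'AIFC'
      MP3:  an ID3v2 tag, or an MPEG audio frame sync (first 11 bits set)
    """
    if len(data) < 12:
        return "unknown (too short)"
    if data[:4] == b"RIFF" and data[8:12] == b"WAVE":
        return "WAV (RIFF/WAVE)"
    if data[:4] == b"FORM" and data[8:12] in (b"AIFF", b"AIFC"):
        return "AIFF (IFF/FORM)"
    if data[:3] == b"ID3":
        return "MP3 (ID3v2 tag)"
    if data[0] == 0xFF and (data[1] & 0xE0) == 0xE0:
        return "MP3 (MPEG frame sync)"
    return "unknown"


def declared_chunk_size(data: bytes) -> int:
    """Size field at offset 4. RIFF stores it little-endian, IFF/AIFF big-endian,
    which is the main structural difference between the two otherwise similar
    chunk formats. A player that probes this header can open an AIFF that was
    renamed to .wav, one plausible reason the wrong extension 'worked'."""
    if data[:4] == b"RIFF":
        return struct.unpack("<I", data[4:8])[0]
    if data[:4] == b"FORM":
        return struct.unpack(">I", data[4:8])[0]
    raise ValueError("not a RIFF/IFF container")


def make_wav_header(body_size: int = 36) -> bytes:
    # Constructed 12-byte WAV header (no audio chunks), for testing only.
    return b"RIFF" + struct.pack("<I", body_size) + b"WAVE"


def make_aiff_header(body_size: int = 36) -> bytes:
    # Constructed 12-byte AIFF header (no audio chunks), for testing only.
    return b"FORM" + struct.pack(">I", body_size) + b"AIFF"


def extension_agrees(filename: str, data: bytes) -> bool:
    """True when the file extension matches what the content says it is.
    Hypothetical helper: the kind of check a triage script would run before
    handing an unknown binary to a parser that trusts the extension."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = identify_audio(data)
    return (
        (ext == "wav" and kind.startswith("WAV"))
        or (ext in ("aif", "aiff") and kind.startswith("AIFF"))
        or (ext == "mp3" and kind.startswith("MP3"))
    )


if __name__ == "__main__":
    sample = make_aiff_header()
    print(identify_audio(sample), declared_chunk_size(sample))
    print("challenge.wav agrees with content:", extension_agrees("challenge.wav", sample))
```

Running it on a real file means passing the first 12 or more bytes of the file to `identify_audio`; the sniffer deliberately reports "unknown" rather than guessing when no signature matches.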

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FSqP8tTbeEC8a0f2gbKek%2Ftrid.jpg?alt=media&#x26;token=a5c1afce-462c-4dda-b154-7cd3392a8293" alt=""></div>

I tried out different tools to identify the soundtrack, but none of them got me the song back! I also tried [Shazam](https://www.shazam.com/de/home), which is a powerful tool for identifying songs, and I had success with it.

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2F9fczFNEcAEy2pn2T3JFm%2Fshazam_result.jpg?alt=media&#x26;token=c5e120e2-4c04-438a-ae6e-0235fc428efb" alt=""></div>

Let’s check the database of freedb.org and see what we get!

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FdtV6naXfzUhHzmQ9dov3%2Fdisc_id.jpg?alt=media\&token=21e63e6e-65f7-4aee-b70d-1498d6814dc6)

Disc ID: **1603eb03**

The disc ID **1603eb03** was the password for the zip archive, and I could successfully extract the file challenge.txt!

And now let’s see what we have:

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FSjj3xxC4vBypEI8gJOBP%2Fhexcode.jpg?alt=media&#x26;token=1a8ae31d-2ba6-4013-af75-513430a81958" alt=""></div>

OK, this looks like typical hex code. To find out, I used a typical [hex to text converter](http://www.string-functions.com/hex-string.aspx) tool.

The decoded string is Base64! A typical sign of that is the **two ==** at the end of the string. For more information about Base64 or other encodings and ciphers, visit the website [cryptool-online](http://www.cryptool-online.org/index.php?option=com_content\&view=article\&id=110\&Itemid=133\&lang=de).

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2F2NZGl2kj0Zldqmqbmy8j%2Fbase64.jpg?alt=media\&token=a7722dc9-fcca-4d4b-95e7-8bb819a01da5)

OK, and now let’s [decode](http://floern.com/tools/textencoder) the Base64 string.
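The challenge chains three textual encodings: decimal ASCII codes for the URL in the introduction, then hex, then Base64 for the payload above. Instead of pasting each layer into a web converter, the layers can be peeled offline. The following is an added example (my code, not the author's or any converter's) that guesses the outermost encoding with the same tell-tales the writeup uses (a printable decimal range, a hex alphabet, the Base64 alphabet with `=` padding) and decodes until plain text remains; the sample strings are constructed here and are not the challenge's data:

```python
"""Peel layered text encodings: decimal ASCII codes, hex, Base64.
Added example; the sample strings are constructed, not taken from the challenge."""

import base64
import binascii
import re
from typing import List, Optional, Tuple

HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{2}\s*)+$")
DEC_RE = re.compile(r"^\d{2,3}(?:\s+\d{2,3})*$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def detect(text: str) -> str:
    """Guess the outermost encoding of a string.

    These are heuristics, not proof: '48 54' is valid hex AND valid decimal
    ASCII, so an all-digit hex string is reported as decimal, and a short
    hex string such as 'abcd' is also valid Base64. When you know better,
    pass kind= to decode_once explicitly.
    """
    s = text.strip()
    if DEC_RE.match(s) and all(32 <= int(n) < 127 for n in s.split()):
        return "decimal-ascii"
    compact = re.sub(r"\s", "", s)
    if HEX_RE.match(s) and len(compact) % 2 == 0:
        return "hex"
    # Base64: restricted alphabet, length a multiple of 4, and the
    # trailing '=' / '==' padding the writeup noticed.
    if B64_RE.match(s) and len(s) % 4 == 0:
        return "base64"
    return "plain"


def decode_once(text: str, kind: Optional[str] = None) -> Tuple[str, str]:
    """Decode exactly one layer; returns (kind, decoded_text)."""
    s = text.strip()
    kind = kind or detect(s)
    if kind == "decimal-ascii":
        return kind, "".join(chr(int(n)) for n in s.split())
    if kind == "hex":
        return kind, binascii.unhexlify(re.sub(r"\s", "", s)).decode("latin-1")
    if kind == "base64":
        # validate=True rejects characters outside the alphabet instead of
        # silently dropping them, so a false positive fails loudly.
        return kind, base64.b64decode(s, validate=True).decode("latin-1")
    return "plain", s


def peel(text: str, max_layers: int = 8) -> List[Tuple[str, str]]:
    """Decode layer after layer until the text looks plain. The layer cap
    stops an accidental loop on data that keeps looking like an encoding."""
    layers: List[Tuple[str, str]] = []
    cur = text
    for _ in range(max_layers):
        kind, out = decode_once(cur)
        if kind == "plain":
            break
        layers.append((kind, out))
        cur = out
    return layers


def build_sample_chain() -> Tuple[str, str, str]:
    """Constructed sample mirroring the challenge's hex -> Base64 -> JavaScript
    chain: returns (payload, base64_of_payload, hex_of_base64)."""
    payload = 'document.write("hello")'
    b64 = base64.b64encode(payload.encode()).decode()
    hexed = b64.encode().hex()
    return payload, b64, hexed


if __name__ == "__main__":
    # Decimal ASCII codes, as in the introduction (constructed, decodes to "http://").
    for kind, out in peel("104 116 116 112 58 47 47"):
        print(kind, "->", out)
    _, _, hexed = build_sample_chain()
    for kind, out in peel(hexed):
        print(kind, "->", out)
```

The decoded result is treated as text only; if a layer turns out to be a script, as it does in this challenge, the next step is static analysis or a sandboxed tool, never running it in the analyst's own browser.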

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FrmHW5tYNbgRsXCYEpiia%2Fobfuscated_js.jpg?alt=media\&token=019af390-3827-4d21-8b1b-e0a506a9c47c)

What the heck is this?\
It could be encrypted JavaScript code, but I’m not sure. A quick Google search showed me that it is JavaScript and that this obfuscation technique is often used on malicious websites.

For the further analysis and deobfuscation I used a tool called Revelo. I discovered that tool on a nice [Security Blog](https://www.kahusecurity.com/posts/another_revelo_update.html) and ran it in a virtual Windows XP machine.

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FTV8cN7U1oYp80Up6FtNe%2Frevelo01.jpg?alt=media&#x26;token=493fb626-b611-47d9-ac76-1592fc7c744a" alt=""></div>

As we can see, our next destination is ~~<http://www.ethical-intrusion.com/index.php>~~

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FTK1ckHtQMNvmYKbiVR2l%2Frevelo02.jpg?alt=media&#x26;token=df16acbb-1825-4121-8d29-66be01771eab" alt=""></div>

Now we have a login form where we have to enter a valid username/password combination. I started a **dictionary attack** with the passwords from the file admin.txt. Because of the filename, I used the username **admin** for all passwords.

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FVZOUKdBBuzEnwzgOvcVk%2Fbrut01.jpg?alt=media&#x26;token=d8cf1a33-c8a3-41a9-9491-2778ea6e7c32" alt=""></div>

For the brute-force attack I used a browser plugin called [~~Fireforce~~](http://www.scrt.ch/en/attack/downloads/fireforce). It’s important to know that Fireforce needs the text string “The username/password combination you have entered is invalid” to\
successfully identify the correct password.

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FLVNRKqclxFHh6q6HZ4YF%2Fbrut02.jpg?alt=media\&token=4b61c1ac-8690-4dc0-bb14-47d7cac34ddb)

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FfgG9QoVKdktkEFKtN1Ms%2Fbrut03.jpg?alt=media\&token=e500fc99-3934-44e8-b38e-e250e6025ea6)

After a while I got a valid username/password combination:

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FXBKehyVgFry6ZYKrM3qd%2Fbrut04.jpg?alt=media&#x26;token=fb131649-0f4e-4b51-9eb4-dd15470220ea" alt=""></div>

Password found: **m0use456g**

With the discovered username/password combination I could enter the website. I could see two links, and one of them showed me a YouTube video. I clicked play, but I couldn’t understand a word because the audio seemed to be reversed!

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FBiS3kNTonO9VfMQaZgsq%2Fyt01.jpg?alt=media\&token=6eb19b10-6ee1-42d2-9515-0e621d38b09a)

I converted the YouTube video to an mp3 file, and with the software [Audacity](http://audacity.sourceforge.net/?lang=de) I could edit the audio file to get a clear voice:
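What Audacity's "Reverse" effect does can also be done with the standard library once the audio is PCM WAV. The following is an added example (not the author's workflow and not Audacity code) that reverses a WAV frame by frame; it also shows the pitfall of reversing the raw bytes instead, which scrambles the sample byte order and channel order into noise. The audio it uses is a constructed handful of samples, not the challenge recording, and `make_test_wav`, `reverse_wav` and `read_samples` are names chosen here:

```python
"""Reverse a PCM WAV file frame by frame with the standard library.
Added example; the audio below is constructed test data, not the challenge recording."""

import io
import struct
import wave
from typing import List


def make_test_wav(samples: List[int], channels: int = 1, sample_rate: int = 8000) -> bytes:
    """Constructed 16-bit PCM WAV. For stereo, samples are interleaved L, R, L, R, ..."""
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(channels)
        w.setsampwidth(2)  # 16-bit signed little-endian samples
        w.setframerate(sample_rate)
        w.writeframes(struct.pack("<%dh" % len(samples), *samples))
    return buf.getvalue()


def reverse_wav(data: bytes) -> bytes:
    """Reverse playback order. A frame holds one sample for every channel, so
    the frame (not the byte) is the unit that must be reversed."""
    with wave.open(io.BytesIO(data), "rb") as r:
        params = r.getparams()
        frames = r.readframes(r.getnframes())
    frame_size = params.sampwidth * params.nchannels
    chunks = [frames[i:i + frame_size] for i in range(0, len(frames), frame_size)]
    out = io.BytesIO()
    with wave.open(out, "wb") as w:
        w.setparams(params)
        w.writeframes(b"".join(reversed(chunks)))
    return out.getvalue()


def reverse_wav_bytewise(data: bytes) -> bytes:
    """The wrong way, kept for comparison: reversing raw bytes also flips the
    two bytes inside each 16-bit sample and swaps channels, so the result is
    noise rather than reversed speech."""
    with wave.open(io.BytesIO(data), "rb") as r:
        params = r.getparams()
        frames = r.readframes(r.getnframes())
    out = io.BytesIO()
    with wave.open(out, "wb") as w:
        w.setparams(params)
        w.writeframes(frames[::-1])
    return out.getvalue()


def read_samples(data: bytes) -> List[int]:
    """Decode all 16-bit samples (interleaved across channels) as Python ints."""
    with wave.open(io.BytesIO(data), "rb") as r:
        frames = r.readframes(r.getnframes())
        count = r.getnframes() * r.getnchannels()
    return list(struct.unpack("<%dh" % count, frames))


if __name__ == "__main__":
    stereo = make_test_wav([1, 10, 2, 20, 3, 30], channels=2)
    print("frame-wise:", read_samples(reverse_wav(stereo)))
    print("byte-wise :", read_samples(reverse_wav_bytewise(stereo)))
```

To apply it to a real recording, read the file's bytes, pass them through `reverse_wav` and write the result back out; compressed formats such as mp3 must be decoded to PCM WAV first, which is what the author's conversion step achieved.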

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FgHLeFe09dNLRsVyNDHyM%2Fauda.jpg?alt=media&#x26;token=1b6c1bbd-7451-4003-bb34-8be52b13e86c" alt=""></div>

Congratulations, you’ve discovered the website. Now listen carefully: you have to go to\
**directory a98dhkjd**.

Going to ~~<http://www.ethical-intrusion.com/a98dhkjd>~~ shows me an **htaccess-protected** directory:

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FZu7mOSXDpOqMpOhmgdfJ%2Fhtaccess.jpg?alt=media&#x26;token=9256d063-537e-41b6-ad66-248a84dd763c" alt=""></div>

Now let’s go back to the first login page and analyse the links:\
News1 is linked with: <http://ethical-intrusion.com/index.php?news=news1.html>\
News2 is linked with: <http://ethical-intrusion.com/index.php?news=news2.html>

What we can see is that in both links a separate HTML file is loaded and displayed inside index.php! I don’t have much experience with web vulnerabilities, but a [technique](http://kaoticcreations.blogspot.ch/2011/08/automated-lfirfi-scanning-exploiting.html) called **local file inclusion** exists for links like this, which can give access to protected files and directories.

It took more than one try, but it was possible to successfully read the htpasswd file, which holds a valid username and password, and so solve this challenge!
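The root cause is that the `news` parameter is joined onto a filesystem path and included as-is. The following is an added example (in Python rather than the site's PHP; my code, not the challenge's) that puts the vulnerable resolver beside a hardened one. The instructive part is the hardened function's comments: a "stays under the web root" containment check alone would not have blocked `a98dhkjd/.htpasswd`, because that file is inside the web root; only an allowlist of page names (plus refusing dotfiles) does. The demo web root, its file names and contents are constructed here, and the function names are mine:

```python
"""Local file inclusion: the index.php?news=<file> pattern, vulnerable vs hardened.
Added example in Python; the demo web root and its files are constructed here."""

import os
import tempfile
from typing import Optional, Set

ALLOWED_PAGES: Set[str] = {"news1.html", "news2.html"}


def resolve_news_vulnerable(web_root: str, news: str) -> str:
    """User input goes straight into the path. Anything readable by the web
    server is reachable: a sibling directory's .htpasswd, '../' traversal, or
    an absolute path (os.path.join discards web_root when news starts with '/')."""
    return os.path.join(web_root, news)


def resolve_news_hardened(web_root: str, news: str,
                          allowed: Set[str] = ALLOWED_PAGES) -> Optional[str]:
    """Return the file to include, or None to refuse the request."""
    # 1. Allowlist of known page names. This is the actual fix: the request
    #    names a page, not a path, so 'a98dhkjd/.htpasswd' is rejected here.
    if news not in allowed:
        return None
    root = os.path.realpath(web_root)
    target = os.path.realpath(os.path.join(root, news))
    # 2. Containment, as defense in depth for the day the allowlist is
    #    replaced by a directory listing. It stops '../' and absolute paths,
    #    but NOT a protected file inside the web root, hence step 1 first.
    if os.path.commonpath([root, target]) != root:
        return None
    # 3. Never serve dotfiles (.htaccess, .htpasswd) or anything beneath one.
    rel = os.path.relpath(target, root)
    if any(part.startswith(".") for part in rel.split(os.sep)):
        return None
    return target


def build_demo_root() -> str:
    """Constructed web root: two news pages and a protected directory whose
    .htpasswd holds a placeholder line (not the challenge's credentials)."""
    root = tempfile.mkdtemp(prefix="lfi-demo-")
    for name in ("news1.html", "news2.html"):
        with open(os.path.join(root, name), "w") as f:
            f.write("<p>%s</p>\n" % name)
    os.mkdir(os.path.join(root, "a98dhkjd"))
    with open(os.path.join(root, "a98dhkjd", ".htpasswd"), "w") as f:
        f.write("PLACEHOLDER_USER:PLACEHOLDER_HASH\n")
    return root


if __name__ == "__main__":
    root = build_demo_root()
    for param in ("news1.html", "a98dhkjd/.htpasswd", "../news1.html"):
        print("%-22s vulnerable -> %s" % (param, resolve_news_vulnerable(root, param)))
        print("%-22s hardened   -> %s" % (param, resolve_news_hardened(root, param)))
```

In the vulnerable resolver every request that names an existing file succeeds, including the protected one; the hardened resolver answers the same three requests with the page, `None` and `None`.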

~~**<http://ethical-intrusion.com/index.php?news=a98dhkjd/.htaccess>**~~

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FBryAMdOItWGF0VAVDyZZ%2Fhtaccess2.jpg?alt=media&#x26;token=7cf5dab9-99a3-44c9-9589-60fdbcde15ad" alt=""></div>

~~<http://ethical-intrusion.com/index.php?news=a98dhkjd/.htpasswd>~~

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FDZo98MZ6GGuRgibqDzcb%2Fhtaccess3.jpg?alt=media&#x26;token=9e31b918-216c-4251-96a6-9a6a275fac16" alt=""></div>

Username: pilou Password: there1s

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FW5kzQnsNxn0gnU8aWCO0%2Fdone.jpg?alt=media&#x26;token=653d224f-1e3d-4c01-b0ca-ceb513631deb" alt=""></div>
