HackQuest: JavaScript: Ok, finally it’s secure. Or?
Name: Ok, finally it’s secure. Or?
Place: London, UK
Target: MicroWorld building
This time it's them. We want access to their fire alarm system.
Search for the form:
```html
<form name="LayoutBereich1FORM" action="" method="post">
  <input id="Eingabefeld1" type="TEXT" name="inputbox1" value="" size="30" maxlength="30">
  <input type="BUTTON" name="Schaltflächen1" value="Enter Password" id="Schaltflaechen1"
         onclick="testEncode(this.form)">
</form>
```
Eingabefeld1/inputbox1 is the only field. testEncode() is called onclick.
```javascript
function testEncode(form) {
  var dater = new Date();
  Day = dater.getDate();                       // day of the month, 1..31 (implicit global)
  dater = null;
  var Ret = encode(form.inputbox1.value, Day); // password, day
  location = Ret + ".html";                    // redirect to the encoded name
}
```
Now, the date seems to matter. Day is set using getDate(), which returns the current day of the month, from 1 to 31. In my current case, it is 17, since the date is the 17th of July.
Next, the variable Ret is set to encode( form.inputbox1.value, Day ). The first argument sent to encode() is the password, and the second argument has already been described. encode() is a function defined on the page.
```javascript
function encode(OrigString, CipherVal) {
  Ref = "0123456789abcdefghijklmnopqrstuvwxyz._~ABCDEFGHIJKLMNOPQRSTUVWXYZ"; // global, used by cton()/ntoc()
  CipherVal = parseInt(CipherVal);
  var Temp = "";
  for (Count = 0; Count < OrigString.length; Count++) {
    var TempChar = OrigString.substring(Count, Count + 1); // one character of the password
    var Conv = cton(TempChar);                             // its position in Ref
    var Cipher = Conv ^ CipherVal;                         // XOR with the day of the month
    Cipher = ntoc(Cipher);                                 // back to a character from Ref
    Temp += Cipher;
  }
  return (Temp);
}
```
The first line defines Ref as a long string. Next, CipherVal–the second argument, i.e. the day of the month–is changed from a string to an integer. A for loop runs one time for every character in OrigString, which is the password that you entered, incrementing Count each time.
In the loop, TempChar is set to the character at position Count of OrigString, similar to the substring() usage in the previous Jedi Mindtricks challenge. Next, Conv is set to cton(TempChar). The cton() function is set below encode():
```javascript
function cton(Char) {
  return (Ref.indexOf(Char)); // position of Char in Ref, or -1 if absent
}
```
The indexOf() function returns the position of the first occurrence of a string in another string. Here, the position of Char in Ref is returned. For example, if Char was “j”, 19 would be returned.
The statement `var Cipher = Conv ^ CipherVal` (line 54 of the page's source) contains ^, the bitwise XOR operator. To conduct a bitwise XOR, you compare each bit of two numbers. When the two bits differ, that bit of the result is 1; when they are equal, it is 0. For example, 19^6=21:
```text
10011 = 19
00110 =  6
-----
10101 = 21
```
Cipher is set to Conv^CipherVal, and ntoc() is called with the result as an argument.
```javascript
function ntoc(Val) {
  return (Ref.substring(Val, Val + 1)); // the character of Ref at position Val
}
```
Just like the previous occurrence of substring(), this returns the character from Ref at position Val, which here is Cipher. The result is appended to Temp; once the loop has finished, Temp is returned, and testEncode sets the location to the returned string with the “.html” suffix.
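To make the properties of this scheme concrete, here is an added example that is not the challenge's own code: a port of the page's encode() and testEncode() to modern JavaScript, plus a decoder. REF is the page's Ref string; decode, droppedChars and targetFor are names I chose. It shows that XOR with the same day undoes the encoding, that the resulting page name changes every day, and that characters outside Ref or whose XOR lands past the end of Ref are silently dropped, so the scheme offers no secrecy and is not even reliably reversible.

```javascript
// Added example, not the challenge's own code: a port of the page's
// encode()/testEncode() plus a decoder, to show what the scheme does and
// does not protect. REF is the page's Ref string; the other names are mine.
const REF = "0123456789abcdefghijklmnopqrstuvwxyz._~ABCDEFGHIJKLMNOPQRSTUVWXYZ";

// Port of encode(): look each character up in REF, XOR the index with the
// day of the month, and map the result back through REF.
function encode(origString, cipherVal) {
  const key = parseInt(cipherVal, 10);
  let out = "";
  for (const ch of origString) {
    const conv = REF.indexOf(ch);              // -1 when ch is not in REF
    const cipher = conv ^ key;
    out += REF.substring(cipher, cipher + 1);  // "" when cipher is out of range
  }
  return out;
}

// XOR with the same key undoes itself, so decoding is just encoding again.
// This only recovers the input if encode() dropped nothing on the way in.
function decode(encoded, cipherVal) {
  return encode(encoded, cipherVal);
}

// Characters encode() silently drops for a given day: those absent from REF
// and those whose XOR result lands past the end of REF (index >= 65).
function droppedChars(origString, cipherVal) {
  const key = parseInt(cipherVal, 10);
  return [...origString].filter((ch) => {
    const conv = REF.indexOf(ch);
    return conv < 0 || (conv ^ key) >= REF.length;
  });
}

// Port of testEncode(): the page name the browser is sent to depends on the
// day of the month, so the same password yields a different name each day.
function targetFor(password, date) {
  return encode(password, date.getDate()) + ".html";
}

// Constructed sample values: password "fire" on 17 July 2008 (day 17).
const day = 17;
console.log(encode("fire", day));                       // u3av
console.log(decode(encode("fire", day), day));          // fire
console.log(droppedChars("fireZ!", day));               // [ 'Z', '!' ]
console.log(targetFor("fire", new Date(2008, 6, 17)));  // u3av.html
console.log(targetFor("fire", new Date(2008, 6, 18)));  // t09s.html
```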
Now, you should be coming to a sad realisation: the password cannot be figured out through only the source code. In fact, this has nothing to do with JavaScript at all. It’s just an incredibly stupid category for this challenge.
Instead, start looking at what is different from other challenges. You’ve probably noticed that the location does not follow the standard; the URL is http://www.hackquest.de/modules/HackQuest/hacking/274/octodron/274.php. What an Octodron is, I have no idea, and neither does Google. One of those racing tracks that is formed like an 8, making you return to where you started? A misspelt octodon? Anyway, this should catch your eye.
The next part is just about testing as you would for any vulnerability. After a while, you might find that there is a nice directory-listing at /modules/HackQuest/hacking/274/octodron. ClickThisHiddenFile.php? Yes, please.

Could you be a little more specific about how you find that 274/octodron/274?
Comment by dani — April 29, 2008 @ 7:21 pm