HackQuest: JavaScript: What you mean its not THAT easy?
This challenge presents a more modern (and unnecessary) way of entering the code.
Name: What you mean its not THAT easy?
Place: Berlin, Germany
Target: MAD centralThis german security agent needs some info uploaded, so they realize the MicroWorld threat.
It’s a little more difficult to find the form now, but that’s still were we should start. Searching the source code for “form” reveals that everything is even printed through the JavaScript:
24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 | <!-- Key-code script by Bart Jellema -->
var usermulcode=10
var code=0 // the entered code
var mul=1 // the multiplied digits
var digit=0 // number of digits entered so far
var fails=0 // number of tries done
function Clear_code()
{
document.codepad.thecode.value=''
code=0
mul=1
digit=0
}
function Enter_code(number)
{
code=code*10+number
mul=mul*number
document.codepad.thecode.value=code
digit++
if (digit==4)
{
if (mul==120)
{
window.open (code+".php", "_self")
}
else
{
fails++
code=0
mul=1
digit=0
if (fails<3) {
if(fails==1){
document.codepad.thecode.value="Try again"
}
if(fails==2){
document.codepad.thecode.value="Last time"
}
} else {
document.codepad.thecode.value="Bye!"
}
}
}
}
function keycodepad(mulcode)
{
usermulcode=mulcode
document.write("<table><tr><td><form name=\"codepad\">");
document.write("<input type=\"button\" value=\" 1 \" onClick=\"Enter_code(1)\">");
document.write("<input type=\"button\" value=\" 2 \" onClick=\"Enter_code(2)\">");
document.write("<input type=\"button\" value=\" 3 \" onClick=\"Enter_code(3)\">");
document.write("<input type=\"button\" value=\" 4 \" onClick=\"Enter_code(4)\"><br>");
document.write("<input type=\"button\" value=\" 5 \" onClick=\"Enter_code(5)\">");
document.write("<input type=\"button\" value=\" 6 \" onClick=\"Enter_code(6)\">");
document.write("<input type=\"button\" value=\" 7 \" onClick=\"Enter_code(7)\">");
document.write("<input type=\"button\" value=\" 8 \" onClick=\"Enter_code(8)\"><br>");
document.write("<input type=\"button\" value=\" 9 \" onClick=\"Enter_code(9)\">");
document.write("<input type=\"button\" value=\" 0 \" onClick=\"Enter_code(0)\">");
document.write("<input type=\"button\" value=\" C \" onClick=\"Clear_code()\"><br>");
document.write("<input type=\"text\" name=\"thecode\" size=9 value=\"\"><br>");
document.write("<\/form><\/table>");
}
<!-- Key-codescriptbyBartJellema--> |
It is initialised at line 95 by the call keycodepad(24). Apparently, the variable “mulcode” is thus set to “24″, and after that “usermulcode”. Every click on a number calls Enter_code() with the number clicked as an argument. We will therefore dissect Enter_code(number), line by line.
First, code is multiplied by 10 and then the number is added to it. The effect of this is that number is appended to the right of the existing code. From the start, code equals 0 (line 27), and it is reset to that if C is pressed (from the Clear_code() function).
Next, mul is multiplied by the number pressed. mul starts off as 1 and is reset to 1 by Clear_code(). The line after that just updates the “display” to show the full code. After that, digit is incremented. As can be seen from line 29, digit is the number of digits that have been pressed (although this is reset by Clear_code() to 0).
Unless the following condition is true, Enter_code() ends here. The if statement checks whether digit==4, i.e. if four digits have been pressed. If mul==120, we have succeeded and are referred to another page. If not, the wrong-code handling sets in. It seems as if it is so easy as to find four digits between 1 and 9 where the product equals 120. However, it is not (what you mean it’s not THAT easy?). It seems that we have to find the correct combination, and through only the JavaScript, this is not possible. The usermulcode variable is of no use since it is not use in this script. We can find al combinations using a simple Perl script, though:
1 2 3 4 5 6 7 8 9 10 11 12 | @n = 2..9; foreach my $a (@n) { foreach my $b (@n) { foreach my $c (@n) { foreach my $d (@n) { if ( $a*$b*$c*$d == 120 ) { print $a, $b, $c, $d, "\n"; } } } } } |
Since the URL is only dependant on the code (line 49), we can actually generate a nice list of possible solution URLs. Just replace line 7 in the perl script above with:
7 | print 'http://www.hackquest.de/modules/HackQuest/hacking/824/', $a, $b, $c, $d, '.php', "\n"; |
http://www.hackquest.de/modules/HackQuest/hacking/824/2256.php http://www.hackquest.de/modules/HackQuest/hacking/824/2265.php http://www.hackquest.de/modules/HackQuest/hacking/824/2345.php http://www.hackquest.de/modules/HackQuest/hacking/824/2354.php http://www.hackquest.de/modules/HackQuest/hacking/824/2435.php http://www.hackquest.de/modules/HackQuest/hacking/824/2453.php http://www.hackquest.de/modules/HackQuest/hacking/824/2526.php http://www.hackquest.de/modules/HackQuest/hacking/824/2534.php http://www.hackquest.de/modules/HackQuest/hacking/824/2543.php http://www.hackquest.de/modules/HackQuest/hacking/824/2562.php http://www.hackquest.de/modules/HackQuest/hacking/824/2625.php http://www.hackquest.de/modules/HackQuest/hacking/824/2652.php http://www.hackquest.de/modules/HackQuest/hacking/824/3245.php http://www.hackquest.de/modules/HackQuest/hacking/824/3254.php http://www.hackquest.de/modules/HackQuest/hacking/824/3425.php http://www.hackquest.de/modules/HackQuest/hacking/824/3452.php http://www.hackquest.de/modules/HackQuest/hacking/824/3524.php http://www.hackquest.de/modules/HackQuest/hacking/824/3542.php http://www.hackquest.de/modules/HackQuest/hacking/824/4235.php http://www.hackquest.de/modules/HackQuest/hacking/824/4253.php http://www.hackquest.de/modules/HackQuest/hacking/824/4325.php http://www.hackquest.de/modules/HackQuest/hacking/824/4352.php http://www.hackquest.de/modules/HackQuest/hacking/824/4523.php http://www.hackquest.de/modules/HackQuest/hacking/824/4532.php http://www.hackquest.de/modules/HackQuest/hacking/824/5226.php http://www.hackquest.de/modules/HackQuest/hacking/824/5234.php http://www.hackquest.de/modules/HackQuest/hacking/824/5243.php http://www.hackquest.de/modules/HackQuest/hacking/824/5262.php http://www.hackquest.de/modules/HackQuest/hacking/824/5324.php http://www.hackquest.de/modules/HackQuest/hacking/824/5342.php http://www.hackquest.de/modules/HackQuest/hacking/824/5423.php http://www.hackquest.de/modules/HackQuest/hacking/824/5432.php http://www.hackquest.de/modules/HackQuest/hacking/824/5622.php http://www.hackquest.de/modules/HackQuest/hacking/824/6225.php http://www.hackquest.de/modules/HackQuest/hacking/824/6252.php http://www.hackquest.de/modules/HackQuest/hacking/824/6522.php
Just start testing.
Använder FireStats
wtf? u are just spoiling challenges. instead of that you had better wrote hints.. if there are ppl who cant do it we are sorry its natural selection. its about HACKING!!! not a step by step guide how to beat challenges without having a clue what to do and why it worked. u fucking moron
Comment by u looser — September 2, 2007 @ 11:48 am
Software Development Guide…
I couldn’t understand some parts of this article, but it sounds interesting…
Trackback by Software Development Guide — November 5, 2007 @ 4:18 am
hey looser. ur an idiot. get a life
Comment by sean — November 20, 2007 @ 4:19 pm
alert(”XSS”)
Comment by f — August 3, 2008 @ 3:16 am