HTS Realistic 5: Find the Hidden Hash

Damn Telemarketers!: Telemarketers are invading people’s privacy and peace and quiet. Get the password for the administrative section of the site to delete their database and return the privacy of their victims!

Realistic mission 5 of Hack This Site is quite fun, since it involves several vulnerabilities. You are supposed to clear a spammer’s database.

From: spiffomatic64

Message: Yo! This is Spiffomatic64 from Hackthissite.org! I’m a bit of a hacker myself as you can see, but I recently came upon a problem I couldn’t resolve…..
Lately I’ve been getting calls day and night from the telemarketing place. I’ve gone to their website and hacked it once deleting all of their phone numbers so they wouldn’t call me anymore. That was a temporary fix but they put their database back up, this time with an encrypted password. When I hacked them I noticed everything they used was 10 years out of date and the new password seems to be a ‘message digest’. I have done some research and I think it could be something like a so called hash value. I think you could somehow reverse engineer it or brute force it. I also think it would be a good idea to look around the server for anything that may help you.

Don’t just skim that through; read everything that Spiffomatic has to say. It’s quite helpful. Now, for their site. As you’ve probably seen, it consists of four visible sections: Home, News, Database and Contact.

The Home page contains nothing but an image and a few email addresses, and the Contact page is equally useless. Don’t forget to check the source anyway, though, just to be sure. The Database page has nothing but a password input field. Inputting anything just gives you an “invalid password” message. Since entering “\”, “'” and “"” characters still gives you the same message, we can assume that this field is not vulnerable to SQL injections.

We can’t find any vulnerability on the News page, either. However, the news items contain valuable information. We find that the administrator’s girlfriend’s name is Haley, which invites us to try that name as a password. Unfortunately, it didn’t work. We are also told something about “zapp”, and I have no idea what that is. Next, we are told that they had some problems with Google:

Google was grabbing links it shouldn’t be so I have taken extra precautions.

Now, how do you take extra precautions when search engines are grabbing links that they shouldn’t? Well, you edit robots.txt to disallow it. Let’s take a look at the robots.txt of Compu-Global-Hyper-Mega-Net: http://www.hackthissite.org/missions/realistic/5/robots.txt.

Disallow: /lib/
Disallow: /secret/

Nice to know. Check those folders out, and you will find that directory listing is not disabled. Begin with secret/, since it seems most interesting. There are two files: admin.php and admin.bak.php. The former is the script that validates passwords, and the latter seems to be a backup of the former. However, when we access it, we get:

error matching hash 3184342944a094dd5dbe6fccaeb8dc96

Note that the specific hash might be different for you. As Spiffomatic64 said, this is a message digest (MD). Probably, it’s the message digest of the password that you are going to enter. But how are we supposed to know the algorithm of the hashing function? Remember the other directory disallowed from robots.txt? Let’s check lib/.

There is only one file here: “hash”. The hashing algorithm, perhaps? Download the file and open it in your favourite text editor. Uh-oh. A lot of bogus characters, followed by:

Error: MDupdate MD already done.
Error: MDupdate called with illegal count value %d.
3.4.4 [FreeBSD] 20050518
MIC

In most cases when you encounter such a file, using a hex editor lets you read parts of it. There are many, for example XVI32 for Windows and hexedit for Linux. Now, look for something that you recognize. You will probably find this part in the file:

do_global_ctors_aux
/usr/src/lib/csu/i386-elf/crtn.S
md4.c
MDblock
md4driver.c

This reveals that the hashing algorithm used is MD4. Use any MD4 collision finder to crack the hash. I’ve written a simple MD4 collision finder in Perl, which you can use. If you don’t happen to like Perl, there are a lot of free tools available out there, including online reverse-lookup databases.
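The string triage described above, as an added example that is not part of the original post: it pulls printable runs out of a binary the way a hex editor or strings(1) does and flags source-file names of digest implementations. The byte blob is constructed from the strings quoted in this post, and the filename pattern is a heuristic assumption, not an exhaustive list.

```python
import re

# Constructed sample: filler bytes around the strings quoted in this post.
SAMPLE = (
    b"\x7fELF\x01\x01\x01\x09\x00\x00\x8b\x45\xfc\x00"
    b"Error: MDupdate MD already done.\n\x00"
    b"Error: MDupdate called with illegal count value %d.\n\x00"
    b"\x00\x03\x00" b"3.4.4 [FreeBSD] 20050518" b"\x00\x01\xff"
    b"do_global_ctors_aux\x00" b"/usr/src/lib/csu/i386-elf/crtn.S\x00"
    b"md4.c\x00" b"MDblock\x00" b"md4driver.c\x00\x90\x90"
)

# Assumption: source-file names of common digest implementations.
# Heuristic only; an unknown or renamed implementation will not match.
DIGEST_SOURCE = re.compile(
    r"\b(md2|md4|md5|sha1|sha256|sha512|rmd160)\w*\.c\b", re.I
)


def printable_strings(data, min_len=4):
    """Yield (offset, text) for each run of printable ASCII bytes."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.start(), m.group().decode("ascii")


def digest_hints(data):
    """Map algorithm name -> [(offset, string)] that points to it."""
    hints = {}
    for off, text in printable_strings(data):
        m = DIGEST_SOURCE.search(text)
        if m:
            hints.setdefault(m.group(1).lower(), []).append((off, text))
    return hints


if __name__ == "__main__":
    for algo, evidence in digest_hints(SAMPLE).items():
        for off, text in evidence:
            print(f"{algo}: {text!r} at offset {off:#x}")
```

Run against your own build artifacts, this shows what an exposed binary gives away. Stripping the symbol table removes the source-file names, but string literals such as the MDupdate error messages stay in the file.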

Going back to the “Database” page and entering the password completes the challenge.
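To show why the digest above protects a short password so poorly, here is an added example (not the Perl script from this post): a pure-Python MD4 following RFC 1320, a keyspace count, and an exhaustive search. The demo secret and alphabet are constructed for the example and are not the mission’s hash or password.

```python
import itertools
import struct

R3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)  # round-3 word order


def md4(msg: bytes) -> str:
    """Pure-Python MD4 (RFC 1320), returned as lowercase hex."""
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    bits = len(msg) * 8
    # Pad with 0x80, zeros up to 56 mod 64, then the 64-bit little-endian length.
    msg += b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack("<Q", bits)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(48):
            if i < 16:    # round 1: F, message words in order
                f, k, s = (b & c) | (~b & d), i, (3, 7, 11, 19)[i % 4]
            elif i < 32:  # round 2: G, column-major word order
                f = ((b & c) | (b & d) | (c & d)) + 0x5A827999
                k, s = (i % 4) * 4 + (i - 16) // 4, (3, 5, 9, 13)[i % 4]
            else:         # round 3: H
                f = (b ^ c ^ d) + 0x6ED9EBA1
                k, s = R3[i - 32], (3, 9, 11, 15)[i % 4]
            t = (a + f + x[k]) & 0xFFFFFFFF
            a, b, c, d = d, ((t << s) | (t >> (32 - s))) & 0xFFFFFFFF, b, c
        state = [(v + w) & 0xFFFFFFFF for v, w in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state).hex()


def keyspace(charset_size: int, max_len: int) -> int:
    """Number of candidate strings of length 1..max_len."""
    return sum(charset_size ** n for n in range(1, max_len + 1))


def search(target_hex: str, charset: str, max_len: int):
    """Exhaustive preimage search; returns the first match or None."""
    for n in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=n):
            cand = "".join(combo)
            if md4(cand.encode()) == target_hex:
                return cand
    return None


# Constructed demo values: a made-up secret over a tiny alphabet.
DEMO_CHARSET = "abc123"
DEMO_TARGET = md4(b"c1a2")

if __name__ == "__main__":
    print("candidates, 36 symbols, length <= 5:", keyspace(36, 5))
    print("recovered demo secret:", search(DEMO_TARGET, DEMO_CHARSET, 4))
```

The time a cracker estimates is just the keyspace divided by its hash rate, so the assumed alphabet and maximum length dominate the result. A fast, unsalted digest over a short password is exhausted quickly; a salted, deliberately slow password hash is what raises the cost per guess.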

50 Comments »

  1. I didn’t understand anything from here! It’s actually so simple

    you go to the source secret dir
    and adminphp.php.bak
    u find the hash and brute force it!

    Comment by Cybersasho — July 19, 2007 @ 2:52 pm

  2. can u tell me how to brute force this site…cause i think it will be easier for some people…including me cause i have not understood this…
    thnx in advance…

    Comment by Rishi — July 27, 2007 @ 8:08 pm

  3. how do u brute force it ???

    Comment by Anonymous — July 28, 2007 @ 8:16 am

  4. Cybersasho: That’s what I wrote, just a bit more pedagogically.

    Anonymous: For example, you could use the perl script supplied in the post.

    Comment by Tim — July 28, 2007 @ 12:58 pm

  5. ummm….wat is perl??

    Comment by Ghost — July 28, 2007 @ 3:18 pm

  6. I have downloaded the Binary File and opened it with hexedit, running linux, now I am stuck. How do I crack the file? I am not sure how to run your perl script so do you have any other suggestions? Please respond quickly

    Tim

    Comment by Tim — July 28, 2007 @ 9:13 pm

  7. Ghost, perl is a programming language.

    Comment by The Exploiter — July 29, 2007 @ 10:00 am

  8. ok..thnx exploiter…but from where can i download the program to use perl??
    plz mention the link if u know any…
    …Ghost

    Comment by Ghost — July 29, 2007 @ 11:03 am

  9. Ghost: If you are running Linux, you most likely already have the perl interpreter installed. Save the perl script, e.g. as “md5crack.pl”. Then, at the command line, run “perl md5crack.pl”. Make sure to edit the file first such that your own hash is being cracked.

    Comment by Tim — July 30, 2007 @ 1:52 pm

  10. ghost:
    i did what you said but once i typed perl md5crack.pl it gave me this error:

    Can’t locate Digest/MD4.pm in @INC (@INC contains: /etc/perl /usr/local/lib/perl/5.8.8 /usr/local/share/perl/5.8.8 /usr/lib/perl5 /usr/share/perl5 /usr/lib/perl/5.8 /usr/share/perl/5.8 /usr/local/lib/site_perl .) at md5crack.pl line 1.
    BEGIN failed–compilation aborted at md5crack.pl line 1.

    what does this mean?

    Comment by tim — July 30, 2007 @ 3:58 pm

  11. tim: It doesn’t seem like the MD4 module is installed. Try running “cpan” at the command-line and “install Digest::MD5”.

    Comment by Tim — July 30, 2007 @ 10:44 pm

  12. Larry: There is a link to my Perl md4 cracker in the post.

    Comment by Tim — August 7, 2007 @ 1:50 pm

  13. I use Linux, but my Perl Interpreter doesn’t have a user friendly interface, i have to command it through the Terminal or Command Line.
    I don’t know all the commands, Using HELP or INFO doesn’t give me much information on how to use ‘/usr/bin/perl’ in my Command Line.
    ——————————————————————–
    I have Come Up With a Temporary Solution For My Problem;
    - - - - - - - - - - -
    #/usr/bin/perl
    my $md4 = Digest::MD4->new;
    while () {
    $md4->add($_);
    print “Line $.: “, $md4->clone->digest, “\n”;
    }
    else
    {
    Print “Line $.:&*@^ # “n”()ext.
    - - - - - - - - - - -
    The MD4 Algorithm cannot Be solved past my first 2 Digits:
    For an Example:
    My hash would be: d5dbe6fccaeb8dc . . .
    My Hash Output is: g6 # # # # # # # # # # . . . #(’#') means it is Unsolvable.
    ———————————————
    I don’t Understand my Own Script.
    Why Doesn’t it solve The rest of the Hash?
    Plz Reply

    Comment by Mt1Яund — August 24, 2007 @ 11:28 pm

  14. Even Though I get an Output From the Script Doesn’t mean The String is correct.

    Maybe i Should use Wine Emulator? and Convert the GCI Script to File.C or a File.dll

    Comment by Mt1Яund — August 24, 2007 @ 11:32 pm

  15. Mt1Яund, i have checked ur script and modified it a little, it works fine now next challenge pls :)
    ——————————————————————–
    I have Come Up With a Temporary Solution For My Problem;
    - - - - - - - - - - -
    #/usr/bin/perl
    my $md4 = Digest::MD4->new;
    SEQ_DELTA = 3

    self.tcp.seq += i
    for j in xrange(SEQ_DELTA):
    self.ip.id = j
    self.ip.ttl = j
    buf = dnet.ip_checksum(str(self.ip))
    self.sock.send(buf)
    time.sleep(0.001)

    while (buf) {
    $md4->add($_);
    print “Line $.: “, $md4->clone->digest, “\n”;
    }
    else
    {
    Print “Line $.:&*@^ # “n”()ext.
    - - - - - - - - - - -
    ———————————————

    Comment by u looser — September 2, 2007 @ 12:10 pm

  16. To Timjoh:

    I couldn’t find anywhere to contact you so I’m doin it through here :)

    If you want help with the rest of the missions I can help ya. These guides have helped me a lot so yea. . . Email me if you do want help

    Comment by DeathCharge9 — September 12, 2007 @ 7:22 am

  17. plz help me…i’ve downloaded cain, downloaded the hash. but there is a problem.
    instead of getting the following at admin.php i get “Invalid Password” on a blank screen.

    “error matching hash 3184342944a094dd5dbe6fccaeb8dc96”

    what is the mistake that i’ve made….plz…thnx…

    Comment by Ghost — September 28, 2007 @ 8:42 pm

  18. I used MdCrack-NG. You can download it from here:
    http://c3rb3r.openwall.net/mdcrack/download/MDCrack-NG.exe

    Comment by DeathCharge9 — September 28, 2007 @ 11:52 pm

  19. Hi.

    I’m Arightwizard, from Hackthissite.

    Is it possible to complete Realistic 5 without downloading PERL?

    I don’t want to download it ’cause I don’t wanna harm my computer in case it will.

    And forgive me but no matter what you say I’m not going to be convinced to download this.

    Someone please answer me. (Either answer with the password for the level or answer with info on how to do it without downloading PERL.)

    Thanks.

    Comment by Arightwizard — October 18, 2007 @ 11:03 pm

  20. You don’t use PERL

    Comment by DeathCharge9 — October 22, 2007 @ 4:16 am

  21. Actually you can use whatever language you want, as long you are able to decrypt that Hash.

    Comment by Mt1Яund — October 24, 2007 @ 1:55 am

  22. But you don’t code anything

    Comment by DeathCharge9 — October 24, 2007 @ 1:58 am

  23. Once I click on the server link for admin.php it simply goes to an unauthorized page for HTS

    Can you tell me where you get this message?
    error matching hash 3184342944a094dd5dbe6fccaeb8dc96

    Thanks,
    nemadrias

    Comment by Nemadrias — October 24, 2007 @ 6:24 pm

  24. Tim, i dled activeperl as someone mentioned above, activeperl says there is an error with the syntax on your code, not knowing perl, i am not able to fix your error
    If you could take the time to decrypt this hash i would appreciate it :D 3e82fab7d37167d657a712b152bdaff1

    Comment by Roberto — October 29, 2007 @ 6:13 pm

  25. I got the following hash: 051697b342a2608e0d14387bcd521121. Can anyone tell me a good program to decrypt it? Thanks in advance.

    Comment by THE M — October 29, 2007 @ 7:10 pm

  26. You can Use John the Ripper ( JTR ), probably more details to use it on the Download site.
    I never used it before because I have Linux, definitely not compatible with MOST unix systems.

    Comment by Mt1Яund — October 30, 2007 @ 1:08 am

  27. i have another trick:
    i bypass it from database page
    there was in their source to action to /secret/admin.php
    so i use transversal directory
    /secret/admin.php/../
    then i open the admin bak.php
    then use the cain and abel to decrypt it
    enjoy

    Comment by sorrow — November 8, 2007 @ 9:46 am

  28. Hey, can you make more guides for the other realistic missions? The missions are so impossible, and your guides are always easy to follow. =)

    Comment by Kelly — November 11, 2007 @ 5:47 pm

  29. (I got the following hash: 051697b342a2608e0d14387bcd521121. Can anyone tell me a good program to decrypt it? Thanks in advance.)

    I’m new to using john the ripper and i was just wondering if jtr has put out the correct password for the hash. Someone previously submitted the hash above.
    (USER888 - USER200)

    Comment by moko — November 12, 2007 @ 11:10 am

  30. To Sorrow: Wow, Great I checked it out myself and it works. Nice, but there is another way to Bypass decrypting the Hash, i Overheard it in a Chatroom SomeWhere…

    To Kelly: That’s What Script Kiddies are For, They Follow Guides and Never Learn Anything from them.

    To Moko: As I said a Million Times, you can use John the Ripper. Read before you Post. xD

    Comment by Mt1Яund — November 14, 2007 @ 3:38 am

  31. Can someone crack this hash for me I don’t have anything to do it.

    error matching hash 664b64dd7585231a029685b5bd110bdf

    Comment by Lord_Burn — November 24, 2007 @ 12:28 pm

  32. hey,

    I Use Mac,

    Please Write in JavaScript !!!

    Comment by Mr. 42 — January 3, 2008 @ 12:10 pm

  33. Really nice!!! One question. What is the robot.txt? And why did we check for its existence from the beginning?

    Comment by Anonymous — January 8, 2008 @ 1:59 am

  34. continuing my message, i mean not why we saw the robot.txt. That’s obvious. What i can’t understand is why it was there…

    Comment by Anonymous — January 8, 2008 @ 2:01 am

  35. robots.txt is a file used to stop bots (Google, Yahoo search etc) from viewing certain files so say you have a file called me.html with personal on that page and you don’t want it to show up in search results you would put me.html in a robot.txt file on your site and when Search engines read the robots.txt file they will know not to store me.html in search results.

    Comment by DeathCharge9 — January 8, 2008 @ 2:05 am

  36. Ok i see. Thank you a lot. Didn’t know that!

    Comment by Anonymous — January 8, 2008 @ 11:07 am

  37. i know this is completely off subject but i need help. there is a website that keeps a gradebook for my school and i need somebody to look at the source and tell me if there are any security loopholes that i could possibly use. the website is https://sms.millerplace.k12.ny.us/campus/portal/millerplace.jsp

    plz somebody look at the source and tell me if there are any things i could possibly hack

    Comment by koolifafaf — February 2, 2008 @ 12:42 am

  38. I’m on windows how do I run the un-encoding script?

    Comment by zeldafan500 — February 14, 2008 @ 7:45 pm

  39. Tim, I really really need some help exploiting an online game. It is PHP. I’ve been trying SO hard for a few weeks, but I’m such a noob.

    I am willing to pay if you are able to accomplish what I’m trying to do. :)

    I’m not sure if you can see the email address I listed, but if you can, please email me. If not, post back here and I will leave my email.

    Comment by Jingles — February 26, 2008 @ 7:33 pm

  41. RE: running Perl on windows…. That’s a Good Question, well you Can download Perl Software to let it do Its thing. Perl is Free For Download on Google. But IF you have Linux then you are all setup to code.

    Comment by Fookyourshist — March 8, 2008 @ 6:16 am

  42. hi, tim i wonder if you have solved the other missions yet, and if you can you put the solutions on this website.

    Comment by hans af klas — April 6, 2008 @ 1:20 pm

  43. hi,
    I found everything like displayed on the site (by myself).
    I’m trying to bruteforce the hash, with Cain and Abel, but the program says it will need 5 to 6 days to have a result.
    Is this normal, or am I using a wrong program. Are there better (read faster) solutions?
    Cain and Abel also asks me if I want to crack it with rainbow tables. Does this go any faster, and if so, where do I find rainbow tables, and which one do I choose?

    Comment by schwarz — April 23, 2008 @ 8:51 am

  44. my problem is solved,
    there was something wrong with my preferences for cain and abel i believe.
    So i tried cain and abel, and also the perlscript, and they both worked very fast and good
    thx

    Comment by schwarz — April 26, 2008 @ 12:10 pm

  45. out of all the suggestions you guys have made, the one about download the MD Crack was by far the best. Because you don’t need to know perl for it or another scripting language.

    Comment by [system] — May 12, 2008 @ 5:56 am

  46. I just tried Cain and Abel and it’s telling me that it can do it in 5000 years! What the hell am I doing wrong?

    Comment by [system] — May 12, 2008 @ 7:01 am

  47. ok, if you download cain it works for so much more, and it is really fast. i won’t tell the Password but, it is letter letter number letter number

    Comment by whoareyou47 — July 24, 2008 @ 1:20 am

  48. i keep getting c6a18 but that isn’t the pw
    why is it not working

    Comment by Anonymous — August 15, 2008 @ 5:47 am

  49. Hi Tim. I really want to learn how to be a hacker. I have been following HTS’ games, and i understand some, and i don’t understand some. I am new to hacking and I hope you could teach me or point me in the right direction to learning to become a good hacker.

    Comment by Hope — September 1, 2008 @ 4:01 pm

  50. o.o

    Comment by oni-kun — September 18, 2008 @ 5:48 am
