To solve these challenges, you must locate the correct passwords, which are revealed after exploiting weaknesses in client-side authentication procedures. You can attempt them in any order, but you must be logged in to submit potential passwords. Because these scripts execute in the browser, our approach throughout is to read the source code of these “security” scripts and see whether we can bypass the authentication or find credentials hard-coded in them.
We need to study the code, but since right-clicking is disabled on the page, we prefix the URL with ‘view-source:’ in Chrome to access the page’s source code. We access:
The resulting code clearly has the username and password embedded in cleartext – quite easy since this is the first challenge in this category [Figure 2].
The decoded text shows us the username and password embedded in plaintext form in the script [Figure 6].
Like other challenges, this one requires a username and password as well. A quick glance at the source code presents us with a username and hash pair in the HTML comments [Figure 7].
We ran this hash through ‘John the Ripper’ and the plaintext pertaining to the hash turned out to be ‘blaat’ [Figure 8].
Here, we notice the file ‘blaat.html’, and the password to this challenge is placed inside this HTML file [Figure 9].
The title of this challenge suggests that this challenge has something to do with some form of Microsoft security that requires the use of Internet Explorer [Figure 10].
After looking at the source code, we know that we need to decode the encoded part of the script that is stored in the variable ‘Words’. Once again, we use an online JS compiler and decode the text. We notice that this text is encoded with JScript.Encode [Figure 11].
After carefully reading the script, we determine that it is calculating the URL of the correct password. We slightly modify the script so that it displays the value of the URL where the password is stored: we remove the ‘for’ loop, since that only verifies the password, and we add an instruction to display the values stored in ‘pass2’ and ‘addr’ [Figure 13] as follows:
This gives us the location of the correct password with reference to the base URL of the challenge. The complete URL now becomes:
This location contains the password to this challenge [Figure 14].
This challenge tells us that the source code of this page is protected by HTML Guardian, a tool built specifically to protect web source code [Figure 15].
Our objective is to circumvent HTML Guardian’s defense and read the actual source code. We notice that ‘right-click’ is disabled on this page, so we insert ‘view-source:’ before the URL in Chrome to view the source code as follows:
As expected, the source code is not in plaintext form. However, we notice that the functions eval() and unescape() seem to be decoding some part of the script [Figure 16]. This is where we start.
We use our online JS compiler once again to save the decoded text in a variable and then ‘alert’ the contents of this variable [Figure 17].
After proper indentation and arrangement of the code, we notice that the function koh() is making some calculations and ultimately returning the value of ‘M’ [Figure 18].
We modify the code to alert the value of ‘M’ before M is returned by the function. The plaintext code is then displayed to us, and the password is hidden inside this plaintext source code [Figure 19].
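The eval()/unescape() peeling done above with an online JS compiler can also be done statically, without running the script at all, which is the safer way to inspect code you do not yet understand. This is an added example, not code from the challenge or the article; the koh()-style inner script and its two wrapper layers are constructed inside the block.

```javascript
// Added example; not code from the challenges or the original article.
// Statically peels eval(unescape("...")) layers out of an obfuscated script
// so the decoded text can be read without ever executing it.

// Re-implementation of the legacy unescape(): decodes %uXXXX and %XX sequences.
function legacyUnescape(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g, (m, u, b) =>
    String.fromCharCode(parseInt(u !== undefined ? u : b, 16)));
}

// Matches eval(unescape("...")) or eval(unescape('...')) with a literal argument.
const LAYER = /eval\s*\(\s*unescape\s*\(\s*(["'])((?:\\.|(?!\1)[^\\])*)\1\s*\)\s*\)/;

// Returns every decoded layer, outermost first. Each layer is decoded, not run,
// so nested eval/unescape wrappers are peeled one at a time.
function peelEvalUnescape(src, maxDepth = 10) {
  const layers = [];
  let cur = src;
  for (let i = 0; i < maxDepth; i++) {
    const m = LAYER.exec(cur);
    if (!m) break;
    cur = legacyUnescape(m[2]);
    layers.push(cur);
  }
  return layers;
}

// Inverse of legacyUnescape for single-byte characters; used only to build
// the constructed sample below.
function legacyEscape(s) {
  return Array.from(s, (c) =>
    '%' + c.charCodeAt(0).toString(16).toUpperCase().padStart(2, '0')).join('');
}

// Constructed sample: a koh()-style inner script wrapped in two eval/unescape layers.
const INNER = 'function koh(){var M="<html>hidden page body</html>";return M}';
const MIDDLE = 'eval(unescape("' + legacyEscape(INNER) + '"))';
const SAMPLE = 'eval(unescape("' + legacyEscape(MIDDLE) + '"))';

const LAYERS = peelEvalUnescape(SAMPLE);
console.log('innermost layer: ' + LAYERS[LAYERS.length - 1]);
```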
This challenge requires a username and password pair and tells us that the webpage is protected with HTML Protect 3 [Figure 20].
Our objective is to locate the username and password hidden somewhere within the source code of the page. When we look at the source code, we find some encoded text and focus our initial efforts on the text stored in variable ‘e’. We alert the value of ‘e’ and discover the plaintext script [Figure 21].
When we scroll down in this script, we notice the ‘passwdok()’ function (password OK). The name of this function suggests that it performs the password authentication check. A major part of this function is encoded and we need to decode this. Hence, we let the online JS compiler decode this script for us as before [Figure 23].
Now we understand the authentication procedure. The variables ‘good_login’ and ‘good_pass’ hold the SHA1 hashes of the correct username and password respectively. The script calculates the SHA1 hashes of the user-supplied username and password, and the ‘if’ condition compares these values against the stored (correct) values. If there is a match, the script prompts ‘Well Done!’. It becomes clear that we need to reverse these SHA1 hashes, and here, once again, John the Ripper comes to the rescue [Figure 24].
Alternatively, you can use one of the many online hash decryption engines [Figure 25].
If you enjoyed these, consider attempting more captivating challenges at Net-Force to test or build your skills in security. If you have spent a substantial amount of time on a specific challenge – and the solution has evaded you for long – then you can always come here to seek solutions. The solutions above discuss only successful attempts for the sake of brevity.