Hax.tor.hu help


23 replies to this topic

#1 -Razorfold

-Razorfold

    Neowinian Senior

  • Tech Issues Solved: 1
  • Joined: 16-March 06
  • OS: Windows 8
  • Phone: Nokia Lumia 900 / Oneplus One

Posted 27 July 2010 - 16:55

I'm on level 21 on hax.tor (for those of you that don't know what it is, it's like a security wargame site), and I'm completely stumped.

The problem is:

You have a backdoor to read the current administrator password. The backdoor's url is http://serioussecurity.info/a.php. The only problem is, no such domain even exists. You do know however, that it is hosted on the hax.tor.hu server. So what is the admin pw?


I've tried everything that I know, and I'm obviously forgetting / missing something but I can't figure out what for the life of me. I don't want any answers, so please don't post one. Just a nudge in the right direction / hint would be perfect.

Thanks!

- Sorry if this is in the wrong section.


#2 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 96
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 27 July 2010 - 17:58

If the server is listening for that domain, i.e. Apache or IIS is set up to serve that domain (host headers, virtualhost), but there is no DNS pointing there, and you know it's on the same server as hax.tor.hu, you just need to resolve that IP to the correct domain -- so your browser will send the correct host header to the webserver to serve up that document. Hint - host file.

#3 OP -Razorfold

Posted 27 July 2010 - 18:41

LOL!

I had tried that, but when I tried visiting the suspended domain it would just make me download a php file.

I assumed that was incorrect, undid my changes and went back to square one.

---

Tried it again after you said so, and this time I downloaded the php file and saw it had the password. Stupid me...

Thanks for your help!

#4 +BudMan

Posted 27 July 2010 - 19:02

Yeah, just because it's a php does not mean the server is set up to run php, might just serve it up as an unknown doc type, etc.

You only have 29 more to go ;) If you get stuck on any more and need hints just ask :shiftyninja:
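
What posts #2 to #4 describe, as an added example that is not part of the thread: a local name-based virtual host server picks the site from the Host header alone, so a name with no DNS record still answers, and a vhost without a PHP handler hands back the script's source. The hostnames, the vhost table and the helper names are constructed for the demo.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed vhost table (Host header -> path -> (content type, body)).
# "hidden.example" stands in for a name that has no DNS record at all.
VHOSTS = {
    "public.example": {"/": ("text/html", b"<h1>public site</h1>")},
    # No PHP handler on this vhost, so a.php is sent as a plain file.
    "hidden.example": {"/a.php": ("application/octet-stream",
                                  b"<?php $admin_pw = 'constructed-value'; ?>")},
}

class VhostHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # The site is chosen from the Host header, not from any DNS lookup.
        host = (self.headers.get("Host") or "").split(":")[0].lower()
        doc = VHOSTS.get(host, {}).get(self.path)
        if doc is None:
            self.send_error(404)
            return
        ctype, body = doc
        self.send_response(200)
        self.send_header("Content-Type", ctype)
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request logging
        pass

def fetch(port, host_header, path):
    """Connect to the IP directly and name the site only in the Host header."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", path, headers={"Host": host_header})
    resp = conn.getresponse()
    result = (resp.status, resp.getheader("Content-Type"), resp.read())
    conn.close()
    return result

def leaks_php_source(body):
    # Audit check: a .php URL must never return unexecuted PHP source.
    return b"<?php" in body

def run_demo():
    server = HTTPServer(("127.0.0.1", 0), VhostHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return {h: fetch(server.server_address[1], h, "/a.php") for h in VHOSTS}
    finally:
        server.shutdown()
        server.server_close()
```

The same `leaks_php_source` check can be run against every vhost configured on a server, including ones that were parked or suspended, since removing the DNS record does not stop the server from answering for the name.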

#5 OP -Razorfold

Posted 27 July 2010 - 19:08

Will do! On 26 now, and going well lol.

Thanks again

#6 OP -Razorfold

Posted 28 July 2010 - 03:44

Alright... I'm on 49 and now I'm seriously stuck lol.

Press the button after 198.81.129.125 makes a DNS query
to dns.tor.hu
The query should request the A record for razorfold.tor.hu
You can check the last few queries from your own IP (or CIA's IP) here.


The only thing I could think of is using a packet sniffer like Wireshark to see what packet NSlookup sends out, and then somehow modify the source address to the CIA's one. But my 3g dongle isn't supported by wireshark so I can't test that =(

Also, the dnslast link doesn't seem to load for me, it just gives me a blank page... so I can't even check my last queries.

#7 +BudMan

Posted 28 July 2010 - 15:32

Hint: dig can be set to use a different source IP in the query.

The -b option sets the source IP address of the query to address. This must be a valid address on one of the host's network interfaces or "0.0.0.0" or "::". An optional port may be specified by appending "#<port>"

#8 OP -Razorfold

Posted 28 July 2010 - 15:34

I know about dig -b, but I'm on Windows =( And my Linux installation is on my desktop, which is well... back home lol.

Was hoping I could somehow use nslookup to try that, but it doesn't seem to offer a command similar to dig.

#9 +BudMan

Posted 28 July 2010 - 15:39

You can run dig on Windows ;) Just grab it from the ISC BIND package, and install the tools

C:\Windows\System32>dig

; <<>> DiG 9.7.1-P2 <<>>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20061
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 2


---

Hint 2: hping is a great tool, and could also be used to send a DNS packet with a forged source IP, you just have to construct the data for the packet that contains the query you want.

#10 OP -Razorfold

Posted 28 July 2010 - 15:42

Ah, I didn't know that. Thanks!

#11 +BudMan

Posted 28 July 2010 - 15:47

BTW, that dnslast page is working -- there just needs to have been a query

But I'm not going to send a query from the correct IP for you ;)

#12 OP -Razorfold

Posted 28 July 2010 - 21:40

Odd, it works for me now, but it wasn't working when I first posted about it =/

Haven't made much headway though lol, probably just going to wait till I get back home so I can see what the packet dig/nslookup sends out using Wireshark and then see if I can construct a spoofed one and use hping to send it out. Don't even know if that's going to work haha.

The other option, which I don't know will work either LOL, is IP aliasing. For some reason my 3g dongle won't let me add multiple IPs to the network adapter so when I try to use the dig -b command it just fails. Got to get back to a wired / proper wireless connection I guess lol.

This is kind of out of my league, but hey, a challenge is a challenge.

#13 lon3wol7

lon3wol7

    Resident One Post Wonder

  • Joined: 23-September 10

Posted 23 September 2010 - 11:57

Hi Razorfold

Can you please help me with level 7, I'm totally lost. If you could maybe just push me in the right direction, I'm going mad!!
It will be much appreciated.

Thanks

#14 hst

hst

    Neowinian

  • Joined: 11-January 11

Posted 11 January 2011 - 21:24

Hey Guys!

I'm on level 49 too and trying to do the query, but it won't work. I'm using dig, but when I try to use the -b option it says: "isc_socket_bind: address not available". Here is the query I have tried:

dig @dns.tor.hu -b 198.81.129.125 hst.tor.hu

Could you please give me a hint?

hst

#15 +BudMan

Posted 12 January 2011 - 01:37

Is that source IP on your interface ;)

Even if it is, would the traffic go? You might have to generate the query using something like hping, which allows you to generate DNS queries as well.

The trick is not so much doing the query, the trick is making it look like it came from an IP that is not under control ;)

Have already given 2 tools that can create the query and allow you to set the source IP.. If I spell it out any more it's like I did it myself, so it's not really you hacking anything now, is it ;)

As a side note -- what can this kind of thing be used for?? You can get large amplification in generated traffic by spoofing DNS queries.. Look at the bytes sent compared to the bytes returned -- so if you make the queries look like they came from somewhere else, the answers are sent to where it thinks it came from..

Now kids, what do you use amplification of data size for??? That's right Billy -- DOS ;) hehehe
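
The bytes-sent versus bytes-returned comparison from post #15, seen from the DNS server operator's side, as an added example that is not part of the thread: it totals query and response bytes per claimed source address in a constructed log and flags the sources whose pattern looks like reflection. The log format, the addresses (documentation ranges) and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed DNS server log (not from the thread). "src" is only the address
# the UDP packet claimed; the server cannot verify it, and the answer goes there.
SAMPLE_LOG = """\
src=192.0.2.10 qname=www.example.test qtype=A query_bytes=45 response_bytes=61
src=192.0.2.10 qname=mail.example.test qtype=MX query_bytes=46 response_bytes=98
src=198.51.100.7 qname=example.test qtype=ANY query_bytes=41 response_bytes=2870
src=198.51.100.7 qname=example.test qtype=ANY query_bytes=41 response_bytes=2870
src=198.51.100.7 qname=example.test qtype=ANY query_bytes=41 response_bytes=2870
src=203.0.113.5 qname=example.test qtype=TXT query_bytes=41 response_bytes=410
"""

def parse_line(line):
    """Split one key=value log line into (source, query bytes, response bytes)."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return fields["src"], int(fields["query_bytes"]), int(fields["response_bytes"])

def amplification_by_source(log_text):
    """Per claimed source: query count and total bytes out / total bytes in."""
    totals = defaultdict(lambda: [0, 0, 0])  # queries, bytes in, bytes out
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, query_bytes, response_bytes = parse_line(line)
        totals[src][0] += 1
        totals[src][1] += query_bytes
        totals[src][2] += response_bytes
    return {
        src: {"queries": n, "factor": round(bytes_out / bytes_in, 1)}
        for src, (n, bytes_in, bytes_out) in totals.items()
    }

def likely_reflection_targets(log_text, min_queries=3, min_factor=10.0):
    """Sources receiving repeated, heavily amplified answers.

    With spoofed queries the flagged address is the victim, not the sender,
    so the response is to rate-limit or truncate answers, not to block it.
    """
    stats = amplification_by_source(log_text)
    return sorted(
        src for src, s in stats.items()
        if s["queries"] >= min_queries and s["factor"] >= min_factor
    )

if __name__ == "__main__":
    print(amplification_by_source(SAMPLE_LOG))
    print(likely_reflection_targets(SAMPLE_LOG))
```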