Sign in to follow this  
Followers 0
-Razorfold

Hax.tor.hu help

24 posts in this topic

I'm on level 21 on hax.tor (for those of you that don't know what it is, its like a security wargame site), and I'm completely stumped.

The problem is:

You have a backdoor to read the current administrator password. The backdoor's url is http://serioussecurity.info/a.php. The only problem is, no such domain even exists. You do know however, that it is hosted on the hax.tor.hu server. So what is the admin pw?

I've tried everything that I know, and I'm obviously forgetting / missing something but I can't figure out what for the life of me. I don't want any answers, so please don't post one. Just a nudge in the right direction / hint would be perfect.

Thanks!

- Sorry if this is in the wrong section.

Share this post


Link to post
Share on other sites

If the server is listening for that domain?, ie apache or IIS is setup to serve that domain (host headers, virtualhost), but there is no dns pointing there. And you know its on the same server as hax.tor.hu, you just need resolve that IP to the correct domain -- so your browser will send the correct host header to the webserver to serve up that document. Hint - host file.

Share this post


Link to post
Share on other sites

LOL!

I had tried that, but when I tried visiting the suspended domain it would just make me download a php file.

I assumed that was incorrect, undid my changes and went back to square one.

---

Tried it again after you said so, and this time I downloaded the php file and saw it had the password. Stupid me...

Thanks for your help!

Share this post


Link to post
Share on other sites

Yeah just because its a php does not mean the server is setup to run php, might just serve it up as a unknown doc type, etc.

You only have 29 more to go ;) If you get stuck on any more and need hints just ask :shiftyninja:

Share this post


Link to post
Share on other sites

Will do! On 26 now, and going well lol.

Thanks again

Share this post


Link to post
Share on other sites

Alrite...I'm on 49 and now I'm seriously stuck lol.

Press the button after 198.81.129.125 makes a DNS query

to dns.tor.hu

The query should request the A record for razorfold.tor.hu

You can check the last few queries from your own IP (or CIA's IP) here.

The only thing I could think of is using a packet sniffer like Wireshark to see what packet NSlookup sends out, and then somehow modify the source address to the CIA's one. But my 3g dongle isn't supported by wireshark so I can't test that =(

Also, the dnslast link doesn't seem to load for me, it just gives me a blank page..so I can't even check my last queries.

Share this post


Link to post
Share on other sites

Hint dig can be set to use a different source IP in the query.

The -b option sets the source IP address of the query to address. This must be a valid address on one of the host's network interfaces or "0.0.0.0" or "::". An optional port may be specified by appending "#<port>"

Share this post


Link to post
Share on other sites

Hint dig can be set to use a different source IP in the query.

The -b option sets the source IP address of the query to address. This must be a valid address on one of the host's network interfaces or "0.0.0.0" or "::". An optional port may be specified by appending "#<port>"

I know about dig -b, but I'm on Windows =( And my linux installation is on my desktop, which is well..back home lol.

Was hoping I could somehow use nslookup to try that, but it doesn't seem to offer a command similar to dig.

Share this post


Link to post
Share on other sites

You can run dig on windows ;) Just grab from ISC bind package, and install the tools

C:\Windows\System32>dig

; <<>> DiG 9.7.1-P2 <<>>

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20061

;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 2

---

Hint2 hping is a great tool, and could also be used to send a dns packet with a forged source IP, just have to construct the data for the packet that contains the query you want.

Share this post


Link to post
Share on other sites
You can run dig on windows Just grab from ISC bind package, and install the tools

C:\Windows\System32>dig

; <<>> DiG 9.7.1-P2 <<>>

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20061

;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 2

---

Hint2 hping is a great tool, and could also be used to send a dns packet with a forged source IP, just have to construct the data for the packet that contains the query you want.

Ah, I didn't know that. Thanks!

Share this post


Link to post
Share on other sites

BTW, that dnslast page is working -- there just needs to have been a query

post-14624-12803319974097.jpg

But Im not going to send a query from the correct IP for you ;)

Share this post


Link to post
Share on other sites

BTW, that dnslast page is working -- there just needs to have been a query

Snipped

But Im not going to send a query from the correct IP for you ;)

Odd it works for me now, but it wasn't working when I first posted about it =/

Haven't made much headway though lol, probably just going to wait till I get back home so I can see what the packet dig/nslookup sends out using wireshark and then see if I can construct a spoofed one and use hping to send it out. Don't even know if thats going to work haha.

The other option, which I don't know will work either LOL, is IP aliasing. For some reason my 3g dongle won't let me add multiple IPs to the network adapter so when I try to use the dig -b command it just fails. Got to get back to a wired / proper wireless connection I guess lol.

This is kindoff out of my league, but hey a challenge is a challenge.

Share this post


Link to post
Share on other sites

I'm on level 21 on hax.tor (for those of you that don't know what it is, its like a security wargame site), and I'm completely stumped.

The problem is:

I've tried everything that I know, and I'm obviously forgetting / missing something but I can't figure out what for the life of me. I don't want any answers, so please don't post one. Just a nudge in the right direction / hint would be perfect.

Thanks!

- Sorry if this is in the wrong section.

Hi Razorfold

Can you please help me with level 7 , i'm totally lost. If you could maybe just push me in the right direction i'm going mad !!

It will be must appreciated.

Thanx

Share this post


Link to post
Share on other sites

Hint dig can be set to use a different source IP in the query.

The -b option sets the source IP address of the query to address. This must be a valid address on one of the host's network interfaces or "0.0.0.0" or "::". An optional port may be specified by appending "#<port>"

Hey Guys!

I'm on level 49 too and trying to do the query, but it wont work. I'm using dig, but when i try to use the -b option it says: "isc_socket_bind: address not available". Here is the query i have tried:

dig @dns.tor.hu -b 198.81.129.125 hst.tor.hu

Could you please give me a hint?

hst

Share this post


Link to post
Share on other sites

is that source IP on your interface ;)

Even if it is would the traffic go? You might have to generate the query using something like hping which allow you to generate dns queries as well.

The trick is not so much doing the query, the trick is making it look like it came from an IP that is not under control ;)

Have already given 2 tools that can create the query and allows you to set the source IP.. If I spell it out any more its like I did it myself, so not you really hacking anything now is it ;)

As a side note -- what can this kind of thing be used for?? You can get large amplification in generated traffic by spoofing dns queries.. Look that the bytes sent compared to the bytes returned -- so if you make the queries look like they came from somewhere else, the answers are sent to where it thinks it came from..

Now kids what do you use amplification of data size for??? Thats right Billy -- DOS ;) hehehe

Share this post


Link to post
Share on other sites

I am hoping someone can give me a hint on lvl 3. For some reason I know its got to be something soo simple that I am just over looking the obvious.

Share this post


Link to post
Share on other sites

is that source IP on your interface ;)

Even if it is would the traffic go? You might have to generate the query using something like hping which allow you to generate dns queries as well.

The trick is not so much doing the query, the trick is making it look like it came from an IP that is not under control ;)

Have already given 2 tools that can create the query and allows you to set the source IP.. If I spell it out any more its like I did it myself, so not you really hacking anything now is it ;)

As a side note -- what can this kind of thing be used for?? You can get large amplification in generated traffic by spoofing dns queries.. Look that the bytes sent compared to the bytes returned -- so if you make the queries look like they came from somewhere else, the answers are sent to where it thinks it came from..

Now kids what do you use amplification of data size for??? Thats right Billy -- DOS ;) hehehe

Yes, i tried both of them, but i was lazy, so i tought i can do it with a single command... :) Now i'm learning how to build a fake dns query.

@MasterGinyu If you mean the real level 3 (not the warmup level), im not remember exactly what it is (and i cant view it), but since it's name is Recognize it should be some kind of hash. Paste the level here and i will give you some hint.

1 person likes this

Share this post


Link to post
Share on other sites

@MasterGinyu If you mean the real level 3 (not the warmup level), im not remember exactly what it is (and i cant view it), but since it's name is Recognize it should be some kind of hash. Paste the level here and i will give you some hint.

Yes the real level 3. Here is the info.

V m 0 w d 2 Q y U X l V W G x X Y T F w T 1 Z s Z G 9 W R m x 0 Z U V 0 W F J t e F Z V M j A 1 V j A x V 2 J E T l h h M k 0 x V j B a S 2 M y S k V U b G h o T W s w e F Z t c E d T M k 1 5 U 2 t W V W J H a G 9 U V 3 N 3 Z U Z a d G N F Z F R N b E p J V m 1 0 c 2 F W S n R h R z l V V m 1 o R F Z W W m F k R 0 5 G Z E Z S T l Z U V k p W b T E w Y T F k S F N r Z G p T R U p Y W V R G d 2 F G W k Z S U Q :)

Share this post


Link to post
Share on other sites

Yes the real level 3. Here is the info.

V m 0 w d 2 Q y U X l V W G x X Y T F w T 1 Z s Z G 9 W R m x 0 Z U V 0 W F J t e F Z V M j A 1 V j A x V 2 J E T l h h M k 0 x V j B a S 2 M y S k V U b G h o T W s w e F Z t c E d T M k 1 5 U 2 t W V W J H a G 9 U V 3 N 3 Z U Z a d G N F Z F R N b E p J V m 1 0 c 2 F W S n R h R z l V V m 1 o R F Z W W m F k R 0 5 G Z E Z S T l Z U V k p W b T E w Y T F k S F N r Z G p T R U p Y W V R G d 2 F G W k Z S U Q :)

Oh yeah, i remember now. :) First of all look at that link at the end of the text. It could be useful. After you read it you will know what to do with the spaces and how to decode the text. After decoding it your work isn't done. You have to recognize something. A hint for it, if you know what the russian matryoshka doll is, think about it (http://en.wikipedia.org/wiki/Matryoshka_doll). I hope it will help you.

Share this post


Link to post
Share on other sites

Oh yeah, i remember now. :) First of all look at that link at the end of the text. It could be useful. After you read it you will know what to do with the spaces and how to decode the text. After decoding it your work isn't done. You have to recognize something. A hint for it, if you know what the russian matryoshka doll is, think about it (http://en.wikipedia.org/wiki/Matryoshka_doll). I hope it will help you.

Yeah i was on the right track in the beginning but that second hint really helped figure it out. I was off in left field for a while.

Thanks again.

Share this post


Link to post
Share on other sites

Yeah i was on the right track in the beginning but that second hint really helped figure it out. I was off in left field for a while.

Thanks again.

You are welcome, if you stuck again just ask and i will help you if i can.

Share this post


Link to post
Share on other sites

You are welcome, if you stuck again just ask and i will help you if i can.

Yeah I am stuck on level 7 now. Its the one with the sniff log and you have to recover the password of the user "transaction". They link you to this site... http://www.securiteam.com/tools/6Q00I0UEUM.html. I tried reading the sniff in like wireshark but its not a compatible dump. My hunch is that I have to use the formula to decrypt from that site but seems like alot of math and conversions for such an early level.

Share this post


Link to post
Share on other sites

Yeah I am stuck on level 7 now. Its the one with the sniff log and you have to recover the password of the user "transaction". They link you to this site... http://www.securiteam.com/tools/6Q00I0UEUM.html. I tried reading the sniff in like wireshark but its not a compatible dump. My hunch is that I have to use the formula to decrypt from that site but seems like alot of math and conversions for such an early level.

I dont really know how to help in this without saying too much. If you have read that article (behind the link), you are know now what format is this log. Just search the web and you are going to figure it out.

Share this post


Link to post
Share on other sites

I dont really know how to help in this without saying too much. If you have read that article (behind the link), you are know now what format is this log. Just search the web and you are going to figure it out.

Thanks for the continued help. I sent you a PM on the my next issue if that is ok.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0

  • Recently Browsing   0 members

    No registered users viewing this page.