Hax.tor.hu help


I'm on level 21 on hax.tor (for those of you that don't know what it is, it's like a security wargame site), and I'm completely stumped.

The problem is:

You have a backdoor to read the current administrator password. The backdoor's url is http://serioussecurity.info/a.php. The only problem is, no such domain even exists. You do know however, that it is hosted on the hax.tor.hu server. So what is the admin pw?

I've tried everything that I know, and I'm obviously forgetting / missing something but I can't figure out what for the life of me. I don't want any answers, so please don't post one. Just a nudge in the right direction / hint would be perfect.

Thanks!

- Sorry if this is in the wrong section.

What if the server is listening for that domain, i.e. Apache or IIS is set up to serve that domain (host headers, virtual host), but there is no DNS pointing there? You know it's on the same server as hax.tor.hu, so you just need to resolve that IP to the correct domain -- so your browser will send the correct Host header to the web server to serve up that document. Hint: hosts file.

LOL!

I had tried that, but when I tried visiting the suspended domain it would just make me download a php file.

I assumed that was incorrect, undid my changes and went back to square one.

---

Tried it again after you said so, and this time I downloaded the php file and saw it had the password. Stupid me...

Thanks for your help!

Yeah, just because it's a .php does not mean the server is set up to run PHP; it might just serve it up as an unknown doc type, etc.

You only have 29 more to go ;) If you get stuck on any more and need hints, just ask.

Alright... I'm on 49 and now I'm seriously stuck lol.

Press the button after 198.81.129.125 makes a DNS query to dns.tor.hu. The query should request the A record for razorfold.tor.hu.

You can check the last few queries from your own IP (or CIA's IP) here.

The only thing I could think of is using a packet sniffer like Wireshark to see what packet nslookup sends out, and then somehow modify the source address to the CIA's one. But my 3G dongle isn't supported by Wireshark, so I can't test that =(

Also, the dnslast link doesn't seem to load for me; it just gives me a blank page, so I can't even check my last queries.

Hint: dig can be set to use a different source IP in the query.

The -b option sets the source IP address of the query to address. This must be a valid address on one of the host's network interfaces or "0.0.0.0" or "::". An optional port may be specified by appending "#<port>".

I know about dig -b, but I'm on Windows =( And my Linux installation is on my desktop, which is, well... back home lol.

Was hoping I could somehow use nslookup to try that, but it doesn't seem to offer a command similar to dig.

You can run dig on Windows ;) Just grab it from the ISC BIND package and install the tools:

C:\Windows\System32>dig
; <<>> DiG 9.7.1-P2 <<>>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20061
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 2

---

Hint 2: hping is a great tool, and could also be used to send a DNS packet with a forged source IP; you just have to construct the data for the packet that contains the query you want.

Ah, I didn't know that. Thanks!

BTW, that dnslast page is working -- there just needs to have been a query.

But I'm not going to send a query from the correct IP for you ;)

Odd, it works for me now, but it wasn't working when I first posted about it =/

Haven't made much headway though lol, probably just going to wait till I get back home so I can see what packet dig/nslookup sends out using Wireshark, and then see if I can construct a spoofed one and use hping to send it out. Don't even know if that's going to work haha.

The other option, which I don't know will work either LOL, is IP aliasing. For some reason my 3G dongle won't let me add multiple IPs to the network adapter, so when I try to use the dig -b command it just fails. Got to get back to a wired / proper wireless connection, I guess lol.

This is kind of out of my league, but hey, a challenge is a challenge.

  • 1 month later...

Hi Razorfold,

Can you please help me with level 7? I'm totally lost. If you could maybe just push me in the right direction; I'm going mad!!

It will be much appreciated.

Thanx

  • 3 months later...

Hey Guys!

I'm on level 49 too and trying to do the query, but it won't work. I'm using dig, but when I try to use the -b option it says: "isc_socket_bind: address not available". Here is the query I have tried:

dig @dns.tor.hu -b 198.81.129.125 hst.tor.hu

Could you please give me a hint?

hst

Is that source IP on your interface? ;)

Even if it is, would the traffic go? You might have to generate the query using something like hping, which allows you to generate DNS queries as well.

The trick is not so much doing the query; the trick is making it look like it came from an IP that is not under your control ;)

I have already given 2 tools that can create the query and allow you to set the source IP. If I spell it out any more it's like I did it myself, so it's not really you hacking anything now, is it ;)

As a side note -- what can this kind of thing be used for? You can get large amplification in generated traffic by spoofing DNS queries. Look at the bytes sent compared to the bytes returned -- so if you make the queries look like they came from somewhere else, the answers are sent to where it thinks they came from.

Now kids, what do you use amplification of data size for??? That's right, Billy -- DoS ;) hehehe
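Added example (not from this thread, hax.tor.hu, or any tool named here) showing the defender's side of the amplification point above: it parses constructed resolver log lines (the log format, IPs and names are made up) and computes, per apparent source IP, the ratio of response bytes to query bytes. Because the resolver answers whatever source address the query carried, a spoofed victim shows up as a "client" receiving far more than it ever sent.

```python
import re
from collections import defaultdict

# Constructed sample resolver log lines (made-up format and addresses): the
# apparent client IP plus on-the-wire sizes of each query and its response.
SAMPLE_LOG = """\
2010-07-28T12:00:01 client=192.0.2.10 qname=razorfold.tor.hu qtype=A qlen=45 rlen=61
2010-07-28T12:00:02 client=192.0.2.10 qname=dns.tor.hu qtype=A qlen=39 rlen=55
2010-07-28T12:00:03 client=198.51.100.7 qname=example.net qtype=ANY qlen=40 rlen=3120
2010-07-28T12:00:03 client=198.51.100.7 qname=example.net qtype=ANY qlen=40 rlen=3120
2010-07-28T12:00:04 client=198.51.100.7 qname=example.net qtype=ANY qlen=40 rlen=3120
2010-07-28T12:00:05 client=203.0.113.5 qname=example.org qtype=MX qlen=40 rlen=120
"""

LINE_RE = re.compile(r"client=(?P<client>\S+) qname=(?P<qname>\S+) qtype=(?P<qtype>\S+) "
                     r"qlen=(?P<qlen>\d+) rlen=(?P<rlen>\d+)")

def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["qlen"], rec["rlen"] = int(rec["qlen"]), int(rec["rlen"])
            yield rec

def amplification_report(text, min_ratio=10.0, min_queries=3):
    """Per apparent source IP: bytes received, bytes returned, and their ratio.
    The resolver answers whatever source address the query carried, so a
    spoofed victim appears here as a 'client' receiving far more than it sent."""
    stats = defaultdict(lambda: {"queries": 0, "bytes_in": 0, "bytes_out": 0, "any": 0})
    for rec in parse_log(text):
        s = stats[rec["client"]]
        s["queries"] += 1
        s["bytes_in"] += rec["qlen"]
        s["bytes_out"] += rec["rlen"]
        s["any"] += rec["qtype"] == "ANY"   # ANY answers are the classic big reply
    report = {}
    for ip, s in stats.items():
        ratio = s["bytes_out"] / s["bytes_in"]
        flagged = s["queries"] >= min_queries and ratio >= min_ratio
        report[ip] = {**s, "ratio": round(ratio, 1), "suspicious": flagged}
    return report

if __name__ == "__main__":
    for ip, s in amplification_report(SAMPLE_LOG).items():
        verdict = "SUSPICIOUS" if s["suspicious"] else "ok"
        print(f"{ip:15} q={s['queries']} in={s['bytes_in']} out={s['bytes_out']} x{s['ratio']} {verdict}")
```

On a real resolver the same per-"client" ratio, together with refusing ANY and recursion for outside addresses, is what limits how much an open server can be made to reflect.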

Yes, I tried both of them, but I was lazy, so I thought I could do it with a single command... :) Now I'm learning how to build a fake DNS query.

@MasterGinyu If you mean the real level 3 (not the warmup level), I don't remember exactly what it is (and I can't view it), but since its name is Recognize it should be some kind of hash. Paste the level here and I will give you some hints.

Yes the real level 3. Here is the info.

V m 0 w d 2 Q y U X l V W G x X Y T F w T 1 Z s Z G 9 W R m x 0 Z U V 0 W F J t e F Z V M j A 1 V j A x V 2 J E T l h h M k 0 x V j B a S 2 M y S k V U b G h o T W s w e F Z t c E d T M k 1 5 U 2 t W V W J H a G 9 U V 3 N 3 Z U Z a d G N F Z F R N b E p J V m 1 0 c 2 F W S n R h R z l V V m 1 o R F Z W W m F k R 0 5 G Z E Z S T l Z U V k p W b T E w Y T F k S F N r Z G p T R U p Y W V R G d 2 F G W k Z S U Q :)

Oh yeah, I remember now. :) First of all, look at that link at the end of the text. It could be useful. After you read it you will know what to do with the spaces and how to decode the text. After decoding it your work isn't done. You have to recognize something. A hint for it: if you know what the Russian matryoshka doll is, think about it (http://en.wikipedia.org/wiki/Matryoshka_doll). I hope it will help you.

Yeah, I was on the right track in the beginning, but that second hint really helped me figure it out. I was off in left field for a while.

Thanks again.

You are welcome. If you get stuck again, just ask and I will help you if I can.

Yeah, I am stuck on level 7 now. It's the one with the sniff log, and you have to recover the password of the user "transaction". They link you to this site... http://www.securiteam.com/tools/6Q00I0UEUM.html. I tried reading the sniff in Wireshark, but it's not a compatible dump. My hunch is that I have to use the formula to decrypt from that site, but it seems like a lot of math and conversions for such an early level.

I don't really know how to help with this without saying too much. If you have read that article (behind the link), you now know what format this log is. Just search the web and you are going to figure it out.

Thanks for the continued help. I sent you a PM on my next issue, if that is OK.
