Hacker Test is an online hacker simulation. 20 levels to test your PHP, HTML and Javascript knowledge. Below the solution of the first ten.

Hackers solve problems and build things, and they believe in freedom and voluntary mutual help. To be accepted as a hacker, you have to behave as though you have this kind of attitude yourself. And to behave as though you have the attitude, you have to really believe the attitude.

Level 1

In the source code we can see the following JavaScript lines:

var a="null";

function check()
{
  if (document.a.c.value == a) {
    document.location.href="http://www.hackertest.net/"+document.a.c.value+".htm";
  } else {
    alert ("Try again");
  }
}

The value of the password input named c is compared with the variable a, which has a null value. This is the password: null

...

I recently worked with a well known web agency in France. They have a good reputation, they were rewarded last year for their good works and they are in the top 40 of the best french agencies. 

However I was terribly surprised to find many basic errors/misconfiguration on their own site: error_reporting enable,  SQL injection and finally a “private” admin section reachable with a simple couple of demo/demo as credentials…

Such vulnerability can be dangerous when using common login/password and it can be even deadly if the discovered user has high privileges. It was true in this situation: mail contact, articles, resumes, photos everything was alterable.

Below the good practice to create a strong password.

The rules

  • must be at least 8 characters
  • must be different than your previous password
  • must NOT be related to your username
  • must NOT contain any recognizable word
...

While performing a pentest the information gathering phase is the most important, it’s the key of a successful test. The DNS is very great source of informations, whith some simple queries you will be able to grab usefull datas about the domain you are targeting. The host command is a very powerful DNS lookup utility which is present in all Linux distribution.

For the examples, I will use a domain which allows that kind of query at this moment.

Basic usage

As the man says, host is normally used to convert names to IP addresses and vice versa:

DNS enumeration host basic

If the domain doesn’t exist, you will meet that message: Host pmolkijn.de not found: 3(NXDOMAIN)

If the ip doesn’t point anywhere, you will get this message: Host 91.121.139.2 not found: 3(NXDOMAIN)

...

Weevely is a PHP command line web shell usually used as a backdoor while performing the post exploitation phase of a penetration test. By default in Kali Linux, the installed version 1.1 isn’t supported anymore but version 3 is available on GitHub.

Generate the backdoor:

weevely generate.<mode> <password> <path>

The password is optionnal but it’s important to protect your customer from other users because an unwanted access can easily lead to a full access on the server with privileges escalation. There is three kinds of backdoor available but this functionnality seems to have been removed in version 3.

  • htaccess: a single .htaccess file is created containing the malicious code and the right Apache directive so that all .htaccess files are considered as regular PHP script
  • img: giving an existing image, Weevely will concatenate the binary datas and the malicious code, plus it also creates an .htaccess to tell Apache that the image should be considered as a regular PHP script (that means both files should be uploaded on the target server)
  • php: this is the default, a single PHP script is generated
...

Recently reported by Claudio Viviani, there is an SQL Injection available in this plugin who has been downloaded more than 100k. Developped by Apptha (again), the current version 2.7 still vulnerable and downloadable from the official Wordpress Plugin Directory.

The hole comes from the lack of filter on the GET parameter vid in /wp-content/plugins/contus-video-gallery/videogalleryrss.php (the plugin must be enable to perform the injection):

case 'video':
  $thumbImageorder = 'w.vid ASC';
  $vid             = filter_input(INPUT_GET,'vid');
  $where           = 'AND w.vid ='.$vid;
  $TypeOFvideos    = $contusOBJ->home_thumbdata( $thumbImageorder , $where , $dataLimit );
break;

Since there is no filter specified when calling filter_input, the default value is used which is unsafe_raw. According to the PHP documentation, FILTER_UNSAFE_RAW deletes chars under 32 and over 127 and converts & to &amp;.

...