The HackBattle this year was themed ROTT (“Rampage of the Trolls”). The infrastructure is courtesy of Azanuru Technologies. It was announced on various social media platforms for people to participate in over a period of 4 weeks. This was testing key skills including The main aim was to help people understand how to develop a mindset against an adversary that is just as capable and is “excessively easy” to attack. In all seriousness, this is the easiest HackBattle 😀
The main trick, though, was figuring out that this was part of the “Hacking Team” story that made headlines this year. This was the key thing to identify in order to come up with a proper threat model.
So on to the challenge.
Welcome Oh Yee Visitor, haveth yee eyes?
Landing on the site, there is quite a wealth of information, like the fact that the content is copied. From checking where this content was copied from, we get an idea of the scenario we are in, so we look under the hood and see another IP listening: “Scope increased”. We also notice that this IP is offensive, running BeEF on the default URL, which most probably means the credentials are on default too.
Also, seeing where the content was copied from and how Pozzi was 0wned, we get the idea that we could use this to trap the “hacker” on the other end using browser attacks, and a tool has just been handed to us for free to do it. Let’s put this in our card box.
Well, as tradition has it, we get to see the robots.txt too.
Lesson 1: “I shall open my eyes, I shall not fail to view anything, I shall be OBSERVANT”
What’s in an engine?
If you are a curious mind and love to see what people have, it would be good to note that browsers render it differently. In this case Chrome (Blink/WebKit) is idiot proof, as it checks the MIME type before rendering regardless of the extension. Firefox (Gecko), well, let’s just say it loves extensions. Now the Trident engine, well, let’s not go there.
It’s not just about the literal versus contextual browsers. Notice the folders: these tell us that there are hidden folders, if at all. Attack number 2: directory fuzzing, find the pots of gold. Card 2 in hand.
Lesson 2: “Thou shall learn to understand different browser engines”
Thou shalt remember Lesson 1 (Hint 1)
Hints were given to make the work easy, and 2 major ones came through that people didn’t notice. A day after HB was released the first hint came in: a tool that actually did not break the bounds of the protection set on the server, now that we have identified that:
- We are dealing with tech-savvy people – they have a hooking instance running, they know some of their stuff.
- Tech-savvy people make mistakes: “Hack the Hackers” – default configuration on the hooks.
So, for those who missed the give-web-head, DirBuster would probably be the way to go based on what you saw in robots.txt. But again, these are tech-savvy people, so what’s the catch? On its defaults it seems that it doesn’t get far. So let’s make it human by changing the user agent to look like a legit browser (or something else) and reducing the threads to 1, just like a regular user.
Notice the number of 403s is annoying. Well, that’s another fuzzing gotcha, and this is why hint 1 was awesome: you can modify it not to show 403s and avoid the information overload. Otherwise this works if you just focus on the 200s and redirects only, too. Again, there is no true marking scheme for this, but then, **drumroll**, lesson below:
Lesson 3: “Thou Shall be patient in Fuzzing”
The web loves getting HEAD
For those who don’t burst doors but love giving the web HEAD, well, need more be said? This is easier by far.
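As an added, defender-side example that is not part of the original post: a small Python detector run over constructed access-log lines that flags the enumeration tells discussed above, both the tool user-agent of a default DirBuster run and a run of distinct paths mostly answered 403/404, which still shows up when the scan is slowed to one thread, given a browser user-agent, and switched to HEAD-only probing. The tool UA list, the log lines and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Combined log format; we only need source IP, method, path, status and user-agent.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
# Default user-agent substrings of common enumeration tools (assumed list, not exhaustive).
TOOL_UA = re.compile(r'dirbuster|gobuster|dirb/|nikto', re.I)

def parse(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_enumerators(lines, min_paths=5, min_error_ratio=0.6):
    """Return {ip: [reasons]} for sources that look like directory enumeration.
    Signal 1: a scanner user-agent (lost as soon as the UA is changed).
    Signal 2: many distinct paths mostly answered 403/404; rate- and UA-independent."""
    stats = defaultdict(lambda: {"paths": set(), "errors": 0, "total": 0, "tool_ua": False})
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # skip lines that do not match the format
        s = stats[rec["ip"]]
        s["total"] += 1
        s["paths"].add(rec["path"])
        if rec["status"] in ("403", "404"):
            s["errors"] += 1
        if TOOL_UA.search(rec["ua"]):
            s["tool_ua"] = True
    flagged = {}
    for ip, s in stats.items():
        reasons = []
        if s["tool_ua"]:
            reasons.append("tool-ua")
        if len(s["paths"]) >= min_paths and s["errors"] / s["total"] >= min_error_ratio:
            reasons.append("error-ratio")
        if reasons:
            flagged[ip] = reasons
    return flagged

# Constructed sample traffic: a browsing user, a default-UA DirBuster run, and a slow HEAD-only scan behind a Firefox UA.
def _line(ip, method, path, status, ua):
    return f'{ip} - - [01/Aug/2015:10:00:00 +0000] "{method} {path} HTTP/1.1" {status} 0 "-" "{ua}"'
FF = "Mozilla/5.0 (X11; Linux x86_64) Firefox/39.0"
SAMPLE = [_line("10.0.0.5", "GET", "/", 200, FF), _line("10.0.0.5", "GET", "/robots.txt", 200, FF)]
SAMPLE += [_line("10.0.0.9", "HEAD", p, st, "DirBuster-1.0-RC1 (constructed sample)") for p, st in
           [("/admin", 403), ("/backup", 404), ("/cgi-bin", 403), ("/old", 404), ("/test", 404), ("/ui", 200)]]
SAMPLE += [_line("10.0.0.7", "HEAD", p, st, FF) for p, st in
           [("/.git", 403), ("/tmp", 404), ("/dev", 404), ("/uploads", 403), ("/secret", 404)]]
```

Only the error-ratio signal catches the "made human" scan from 10.0.0.7, which is the point of not relying on user-agent strings alone.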