Sat. Oct 24th, 2020

Pentesting Fun Stuff

following the cyber security path…

Hackertest.net

Introduction

When checking my Twitter feed there was a tweet from @Bill_Matthews with a reference to this site. Because I like a challenge, I had to participate. Like always I write up my findings to not only learn from the experience, but also in the hope it can help others.

Location

http://www.hackertest.net/

Description

HackerTest.net is your own online hacker simulation.
With 20 levels that require different skills to get to another step of the game, this new real-life imitation will help you advance your security knowledge.
HackerTest.net will help you improve your JavaScript, PHP, HTML and graphic thinking in a fun way that will entertain any visitor!
Have a spare minute? Log on! Each level will provide you with a new, harder clue to find a way to get to another level.
Will you crack HackerTest.net?

Level 1

Checking the source code there is a script:
</script>
</head>
<body onLoad=password()>

var a is a string which will be accepted as the password. In this case ‘null’.

Level 2

Again I find the answer in the source code.

To make no mistakes…..it says l3l, not 131

Level 3

The answer is again in the source code.

pw = window.document.alinkColor > alink = #000000

Level 4 + 5

When I click the link it takes me to level 5 (I guess level 4 is a present). But because I don’t have the right password it closes the page and brings me back to the level 4 page. To solve this problem I copy the location from the hyperlink and use it with ‘view-source:’ in front of it. Like always the solution is in the source code.

Level 6

Looking at the source code there is a js file named psswd.js. When I follow it, I get the answer of this riddle.

Level 7

When looking at the source code the answer can be found in /images/included.gif.

Level 8

When looking at the source code it says:

But after looking down the code I found /phat.php. When following that file I got /images/phat.gif and when I viewed that file there was a remark about looking for a PhotoshopDocument. Instead of looking for /images/phat.gif, I looked for /images/phat.psd. After downloading the file and stripping all the layers, there was a username and password visible.

Level 9

The answer is found in the source code.

Level 10

On the site there is a piece of text. I notice that there are some letters that are in italic.
When I make a string of these letters, I get ‘shackithalf’. This turns out to be the password to advance.
In the source code there is the part I need to get to level 11.

Level 11

When viewing the source code, I find the answer for the next level.

Level 12

In the source code there is another picture. When looking closely at the picture, I can see the answer to the next page. There is a clue about using graphic software. But that’s not needed.

Level 13

When viewing the source code, I notice images/lvl13.gif. When looking closely again, I get a clue.

Level 14

When viewing the source code there is a gif. To split the gif file I use https://www.gif-explode.com/
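
The same inspection can be done offline by walking the GIF block structure. This is an added example, not code from hackertest.net or from this write-up; it goes a step beyond frame splitting by also listing comment extension blocks, and the function names and the sample file are constructed for illustration.

```python
import struct

def _sub_blocks(data, pos):
    """Concatenate length-prefixed sub-blocks at pos; return (payload, next_pos)."""
    out = bytearray()
    while data[pos]:                       # a zero length byte ends the chain
        size = data[pos]
        out += data[pos + 1:pos + 1 + size]
        pos += 1 + size
    return bytes(out), pos + 1

def _table_len(packed):
    """Bytes taken by a colour table, given the packed flags byte."""
    return 3 * (2 << (packed & 7)) if packed & 0x80 else 0

def inspect_gif(data):
    """Return (frame_count, comments) without decoding any pixel data."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF file")
    frames, comments = 0, []
    try:
        pos = 13 + _table_len(data[10])    # header + screen descriptor + palette
        while data[pos] != 0x3B:           # 0x3B is the trailer
            kind, pos = data[pos], pos + 1
            if kind == 0x21:               # extension: label byte, then sub-blocks
                label = data[pos]
                payload, pos = _sub_blocks(data, pos + 1)
                if label == 0xFE:          # comment extension
                    comments.append(payload.decode("latin-1"))
            elif kind == 0x2C:             # image descriptor starts one frame
                pos += 9 + _table_len(data[pos + 8])
                _, pos = _sub_blocks(data, pos + 1)   # pos + 1 skips the LZW code size
                frames += 1
            else:
                raise ValueError(f"unexpected block 0x{kind:02x} at {pos - 1}")
    except IndexError:
        raise ValueError("truncated GIF") from None
    return frames, comments

# Constructed sample: 1x1 GIF with one comment and two frames (not from the site).
COMMENT = b"constructed comment"
FRAME = b"\x2C" + struct.pack("<HHHHB", 0, 0, 1, 1, 0) + b"\x02\x02\x44\x01\x00"
SAMPLE_GIF = (b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0) + bytes(6)
              + b"\x21\xFE" + bytes([len(COMMENT)]) + COMMENT + b"\x00"
              + FRAME * 2 + b"\x3B")

if __name__ == "__main__":
    print(inspect_gif(SAMPLE_GIF))
```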

Level 15 + 16


Following the directories, I get a broken jpg. After a hexdump I can see the answer.

Level 17

In the source code there is a piece of code with the answer.

When I enter my IP address as password there is a piece of text with the answer for the next level.

Level 18

Think like a n00b. Looking at http://www.hackertest.net/images/n00b.gif the hint was clear. The answer wasn’t in the source code either. To clear this level, you really have to think like a noob and try the password ‘password’.

Level 19

When looking in the source code the answer is right there.

When I use gimp to read the gif file I get the answer for the next level.

Level 20

Looks like the first string is hex and the second one is base64 encoded. It requires time… be patient. The first line is decoded quickly.
After I decode the second line, I get another base64 encoded text. It takes me a few times before I get to the end.
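
The repeated decoding described above can be automated by peeling layers until the result no longer looks encoded. This is an added example, not code from hackertest.net or from this write-up; the function names and sample strings are constructed for illustration, and the "decodes to printable ASCII" test is a heuristic.

```python
import base64
import binascii
import string

PRINTABLE = set(string.printable.encode())

def _try_hex(text):
    """Decode text as hex, or return None if it is not a hex string."""
    s = "".join(text.split())
    if len(s) >= 2 and len(s) % 2 == 0 and all(c in string.hexdigits for c in s):
        return bytes.fromhex(s)
    return None

def _try_b64(text):
    """Decode text as strict base64, or return None if it is not valid."""
    s = "".join(text.split())
    if len(s) < 4 or len(s) % 4:
        return None
    try:
        return base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None

def peel(text, max_layers=20):
    """Strip hex/base64 layers; return (result, list of layers removed)."""
    layers = []
    for _ in range(max_layers):
        # Hex is tried first because hex digits are a subset of the base64 alphabet.
        for name, decode in (("hex", _try_hex), ("base64", _try_b64)):
            raw = decode(text)
            # Accept a layer only if it decodes to printable ASCII text.
            if raw and all(b in PRINTABLE for b in raw):
                text, found = raw.decode("ascii"), name
                break
        else:
            return text, layers        # nothing decoded cleanly: stop here
        layers.append(found)
    return text, layers

def wrap(text, times):
    """Base64-encode text the given number of times (builds the sample)."""
    for _ in range(times):
        text = base64.b64encode(text.encode()).decode()
    return text

# Constructed samples, not the strings from the challenge page.
SAMPLE_PLAIN = "constructed sample text"
SAMPLE_B64 = wrap(SAMPLE_PLAIN, 4)
SAMPLE_HEX = SAMPLE_PLAIN.encode().hex()
```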
@Bill_Matthews pointed out to me that I missed something on this page. After looking closer I found the thing he was pointing out. You can read it in the source code, but it is also readable when selecting all text (CTRL+A).

After trying different options, I came out at http://www.hackertest.net/gb22332/ which tried to load http://www.hackertest.net/gb22332/login.php and resulted in an error 505.

Maybe a hint.

This lifts my spirit. A hint to ‘The Hitchhiker’s Guide to the Galaxy’?
In the source code there is a comment.


Conclusion

 
Because I missed a crucial piece of the puzzle I thought this challenge was ending a bit odd. But after finding the missing piece, I finally could finish this challenge with a satisfying feeling.
To learn how to hack and execute pentesting, I would suggest some other (and in my opinion better) resources, but to really finish this challenge you definitely need the hacker mentality! Nonetheless I enjoyed this challenge.
Still there are some questions left unanswered. Like, what is the secret code for? Why was there a comment in the gif file containing a gmail address?
I leave these questions to others who are interested in solving a peculiar puzzle. If you do find the answers…let me know.
