18 January 2022

Pentesting Fun Stuff

following the cyber security path…

Hackertest.net

5 years ago n0w4n

Introduction

When checking my twitter-feed there was a tweet from @Bill_Matthews with a reference to this site. Because I like a challenge, I had to participate. Like always I write up my findings to not only learn from the experience, but also in the hope it can help others.

Location

http://www.hackertest.net/

Description

HackerTest.net is your own online hacker simulation.
With 20 levels that require different skills to get to another step of the game, this new real-life imitation will help you advance your security knowledge.
HackerTest.net will help you improve your JavaScript, PHP, HTML and graphic thinking in a fun way that will entertain any visitor!
Have a spare minute? Log on! Each level will provide you with a new, harder clue to find a way to get to another level.
Will you crack HackerTest.net?_

Level 1

level1
Checking the source code there is a script:
</script>
</head>
<body onLoad=password()>

{
var a="null";
function check()
{
if (document.a.c.value == a)
{
document.location.href="http://www.hackertest.net/"+document.a.c.value+".htm";
}
else
{
alert ("Try again");
}
}
}

var a is a string which will be accepted as the password. In this case ‘null’.

Level 2

level2
Again I find the answer in the source code.

var pass, i;
pass=prompt("Please enter password!","");
if (pass=="l3l") {
window.location.href="http://www.hackertest.net/"+pass+".htm";
i=4;
}

To make no mistakes…..it says l3l, not 131

Level 3

level3.JPG
The answer is again in the source code.

</head>
<body onload=javascript:pass(); alink="#000000">
function pass()
{
var pw, Eingabe;
pw=window.document.alinkColor;
Eingabe=prompt ("Please enter password");
if (Eingabe==pw)
{
window.location.href=String.fromCharCode(97,98,114,97,101)+".htm";
}
else
{
alert("Try again");
}
}

pw = windows.document.alinkColor > alink = #000000

Level 4 + 5

level4.JPG
When I click the link it takes me to the level 5 (I guess level 4 is a present). But because I don’t have the right password it closes the page and brings me back to level 4 page. To solve this problem I copy the location from the hyperlink and use it with ‘view-source:’ in front of it. Like always the solution is in the source code.

var pass, i;
pass=prompt("Password: ","");
if (pass=="SAvE-as hELpS a lOt") {
window.location.href="save_as.htm";
i=4;
}else {alert("Try again");
window.location.href="abrae.htm";}
// -->

Level 6

level6.JPG
Looking at the source code there is a js file named psswd.js. When I follow it, I get the answer of this riddle.

<!--
var pass;
pass=prompt("Password:","");
if (pass=="hackertestz") {
window.location="included.htm";
}else
alert("Try again...");
//-->

Level 7

level7.JPG
When looking at the source code the answer can be found in /images/included.gif.
level7-pwd

Level 8

level8
When looking at the source code it says:

<!-- YOU'RE LOOKING IN THE WRONG PLACE... GO BACK! -->

But after looking down the code I found /phat.php. When following that file I got /images/phat.gif and when I viewed that file there was a remark about looking for a PhotoshopDocument. Instead of looking for /images/phat.gif, I looked for /images/phat.psd. After downloading the file and stripping all the layers, there was an username and password visible.
level8-hint2

Level 9

level9
The answer is found in the source code.

Password: Z2F6ZWJydWg= add a page extension to that
echo 'Z2F6ZWJydWg=' | base64 -d
gazebruh

Level 10

level10.JPG
On the site there is a piece of text. I notice that there are some letters that are in italic.
When I make a string of these letters, I get ‘shackithalf’. This turns out to be the password to advance.
In the source code there is the part I need to get to level 11.

<font color="#FFFFFF">Level 11: rofl.php</font>

Level 11

level11
When viewing the souce code, I find the answer for the next level.

<meta name="robots" content="goto: clipart.php">

Level 12

level12.JPG
In the source code there is another picture. When looking closely at the picture, I can see the answer to next page. There is a clue about using graphic software. But that’s not needed.
level12-hint1.JPG

Level 13

level13
When viewing the source code, I notice images/lvl13.gif. When looking closely again, I get a clue.
level13-hint1

<Data ss:Type="String">4xml.php</Data>

Level 14

level14
When viewing the source code there is a gif. To split the gif file I use https://www.gif-explode.com/
level14-hint2.JPG

Level 15 + 16

level15.JPG
level15-hint1

<!-- level 17: /images" -->

Following the directories, I get a broken jpg. After a hexdump I can see the answer.
level16-hint

Level 17

level17
In the source code there is a piece of code with the answer.

<font color="#FFFFFF">Password: your IP address</font><br>

When I enter my IP address as password there is a piece of text with the answer for the next level.

Warning: Cannot modify header information - headers already sent by (output started at /home3/jskenned/public_html/hackertest/unavailable/Ducky.php:12) in /home3/jskenned/public_html/hackertest/unavailable/Ducky.php on line 58
../level18.shtml

Level 18

level18
Think like a n00b. Looking at http://www.hackertest.net/images/n00b.gif the hint was clear. The answer wasn’t in the source code either. To clear this level, you really have to think like a noob and try the password ‘password’.

/level19.shtml << told ya to think like a n00b!!!

Level 19

level19
When looking in the source code the answer is right there.

<td width="100%" background="images/level20_pass.gif">

When I use gimp to read the gif file I get the answer for the next level.
level20-hint1

Level 20

level21
Looks like the first string is hex and the second one is base64 encoded. It requires time… be patient. The first line is decoded quickly.
level21-hint
After I decode the second line, I get another base64 encoded text. It takes me a few times before I get at the end.
level20-hint2
@Bill_Matthews pointed me out I missed something on this page. After looking closer I found the thing he was pointing out. You can read it in the source code, but it is also readable when selecting all text (CTRL+A).

 ^^^^^^^^^^ Change domain, add "22332" at the end, reach it and then get hold of ... ^^^^^^^^^^

After trying different options, I came out at http://www.hackertest.net/gb22332/ which tried to load http://www.hackertest.net/gb22332/login.php and resulted in an error 505.

Not Found
The requested URL /gb22332/login.php was not found on this server. 
Additionally, a 505 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

Maybe a hint.

curl "http://www.hackertest.net/505/"
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>404 Not Found</TITLE>
</HEAD><BODY>
<H1>Not Found</H1>
The requested URL /505 was not found on this server.<P>
<P>Additionally, a 403 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.
</BODY></HTML>
curl -v "http://www.hackertest.net/505/"
* Trying 66.147.244.50...
* Connected to www.hackertest.net (66.147.244.50) port 80 (#0)
> GET /505 HTTP/1.1
> Host: www.hackertest.net
> User-Agent: curl/7.50.1
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Server: nginx/1.10.1
< Date: Sun, 28 Aug 2016 15:09:03 GMT
< Content-Type: text/html; charset=iso-8859-1
< Transfer-Encoding: chunked
< Connection: keep-alive
< Location: http://www.hackertest.net/505/
< X-Cacheable: YES
< X-Served-From-Cache: Yes
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://www.hackertest.net/505/">here</a>.</p>
<hr>
<address>Apache Server at www.hackertest.net Port 80</address>
</body></html>
* Connection #0 to host www.hackertest.net left intact
http://hackertest.net/505/403/
What is the answer to life, the universe, and everything?

This lifts my spirit. A hint to ‘The Hitchhiker’s Guide to the Galaxy’?
In the source code there is a comment.

<!-- Add a file extension to that -->
http://hackertest.net/505/403/42.php --> nothing
http://hackertest.net/505/42.php --> nothing
http://hackertest.net/42.php

finish
the_end
 

Conclusion

 
Because I missed a crucial piece of the puzzle I thought this challenge was ending a bit odd. But after finding the missing piece, I finally could finish this challenge with a satisfying feeling.
To learn how to hack and execute pentesting, I would suggests some other (and in my opinion better) resources, but to really finish this challenge you definitely need the hacker mentality! Nonetheless I enjoyed this challenge.
Still there are some questions left unanswered. Like, what is the secret code for? Why was there a comment in the gif file containing a gmail address?
I let these questions to others who are interested in solving a peculiar puzzle. If you do find the answers…let me know.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.