Hackertest.net
Introduction
When checking my twitter-feed there was a tweet from @Bill_Matthews with a reference to this site. Because I like a challenge, I had to participate. Like always I write up my findings to not only learn from the experience, but also in the hope it can help others.
Location
http://www.hackertest.net/
Description
HackerTest.net is your own online hacker simulation.
With 20 levels that require different skills to get to another step of the game, this new real-life imitation will help you advance your security knowledge.
HackerTest.net will help you improve your JavaScript, PHP, HTML and graphic thinking in a fun way that will entertain any visitor!
Have a spare minute? Log on! Each level will provide you with a new, harder clue to find a way to get to another level.
Will you crack HackerTest.net?_
Level 1
Checking the source code there is a script:
</script>
</head>
<body onLoad=password()>
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
{ var a="null"; function check() { if (document.a.c.value == a) { document.location.href="http://www.hackertest.net/"+document.a.c.value+".htm"; } else { alert ("Try again"); } } } |
var a is a string which will be accepted as the password. In this case ‘null’.
Level 2
Again I find the answer in the source code.
1 2 3 4 5 6 |
var pass, i; pass=prompt("Please enter password!",""); if (pass=="l3l") { window.location.href="http://www.hackertest.net/"+pass+".htm"; i=4; } |
To make no mistakes…..it says l3l, not 131
Level 3
The answer is again in the source code.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
</head> <body onload=javascript:pass(); alink="#000000"> function pass() { var pw, Eingabe; pw=window.document.alinkColor; Eingabe=prompt ("Please enter password"); if (Eingabe==pw) { window.location.href=String.fromCharCode(97,98,114,97,101)+".htm"; } else { alert("Try again"); } } |
pw = windows.document.alinkColor > alink = #000000
Level 4 + 5
When I click the link it takes me to the level 5 (I guess level 4 is a present). But because I don’t have the right password it closes the page and brings me back to level 4 page. To solve this problem I copy the location from the hyperlink and use it with ‘view-source:’ in front of it. Like always the solution is in the source code.
1 2 3 4 5 6 7 8 |
var pass, i; pass=prompt("Password: ",""); if (pass=="SAvE-as hELpS a lOt") { window.location.href="save_as.htm"; i=4; }else {alert("Try again"); window.location.href="abrae.htm";} // --> |
Level 6
Looking at the source code there is a js file named psswd.js. When I follow it, I get the answer of this riddle.
1 2 3 4 5 6 7 8 |
<!-- var pass; pass=prompt("Password:",""); if (pass=="hackertestz") { window.location="included.htm"; }else alert("Try again..."); //--> |
Level 7
When looking at the source code the answer can be found in /images/included.gif.
Level 8
When looking at the source code it says:
1 |
<span class="comment"><!-- YOU'RE LOOKING IN THE WRONG PLACE... GO BACK! --></span> |
But after looking down the code I found /phat.php. When following that file I got /images/phat.gif and when I viewed that file there was a remark about looking for a PhotoshopDocument. Instead of looking for /images/phat.gif, I looked for /images/phat.psd. After downloading the file and stripping all the layers, there was an username and password visible.
Level 9
The answer is found in the source code.
1 |
Password: Z2F6ZWJydWg= add a page extension to that |
1 2 |
echo 'Z2F6ZWJydWg=' | base64 -d gazebruh |
Level 10
On the site there is a piece of text. I notice that there are some letters that are in italic.
When I make a string of these letters, I get ‘shackithalf’. This turns out to be the password to advance.
In the source code there is the part I need to get to level 11.
1 |
<<span class="start-tag">font</span> <span class="attribute-name">color</span>="<a class="attribute-value">#FFFFFF</a>">Level 11: rofl.php</<span class="end-tag">font</span>> |
Level 11
When viewing the souce code, I find the answer for the next level.
1 |
<<span class="start-tag">meta</span> <span class="attribute-name">name</span>="<a class="attribute-value">robots</a>" <span class="attribute-name">content</span>="<a class="attribute-value">goto: clipart.php</a>"> |
Level 12
In the source code there is another picture. When looking closely at the picture, I can see the answer to next page. There is a clue about using graphic software. But that’s not needed.
Level 13
When viewing the source code, I notice images/lvl13.gif. When looking closely again, I get a clue.
1 |
<Data ss:Type="String">4xml.php</Data> |
Level 14
When viewing the source code there is a gif. To split the gif file I use https://www.gif-explode.com/
Level 15 + 16
1 |
<!-- level 17: /images" --> |
Following the directories, I get a broken jpg. After a hexdump I can see the answer.
Level 17
In the source code there is a piece of code with the answer.
1 |
<font color="#FFFFFF">Password: your IP address</font><br> |
When I enter my IP address as password there is a piece of text with the answer for the next level.
1 2 |
Warning: Cannot modify header information - headers already sent by (output started at /home3/jskenned/public_html/hackertest/unavailable/Ducky.php:12) in /home3/jskenned/public_html/hackertest/unavailable/Ducky.php on line 58 ../level18.shtml |
Level 18
Think like a n00b. Looking at http://www.hackertest.net/images/n00b.gif the hint was clear. The answer wasn’t in the source code either. To clear this level, you really have to think like a noob and try the password ‘password’.
1 |
/level19.shtml << told ya to think like a n00b!!! |
Level 19
When looking in the source code the answer is right there.
1 |
<td width="100%" background="images/level20_pass.gif"> |
When I use gimp to read the gif file I get the answer for the next level.
Level 20
Looks like the first string is hex and the second one is base64 encoded. It requires time… be patient. The first line is decoded quickly.
After I decode the second line, I get another base64 encoded text. It takes me a few times before I get at the end.
@Bill_Matthews pointed me out I missed something on this page. After looking closer I found the thing he was pointing out. You can read it in the source code, but it is also readable when selecting all text (CTRL+A).
1 |
^^^^^^^^^^ Change domain, add "22332" at the end, reach it and then get hold of ... ^^^^^^^^^^ |
After trying different options, I came out at http://www.hackertest.net/gb22332/ which tried to load http://www.hackertest.net/gb22332/login.php and resulted in an error 505.
1 2 3 |
Not Found The requested URL /gb22332/login.php was not found on this server. Additionally, a 505 Not Found error was encountered while trying to use an ErrorDocument to handle the request. |
Maybe a hint.
1 2 3 4 5 6 7 8 9 10 |
curl "http://www.hackertest.net/505/" <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <HTML><HEAD> <TITLE>404 Not Found</TITLE> </HEAD><BODY> <H1>Not Found</H1> The requested URL /505 was not found on this server.<P> <P>Additionally, a 403 Not Found error was encountered while trying to use an ErrorDocument to handle the request. </BODY></HTML> |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 |
curl -v "http://www.hackertest.net/505/" * Trying 66.147.244.50... * Connected to www.hackertest.net (66.147.244.50) port 80 (#0) > GET /505 HTTP/1.1 > Host: www.hackertest.net > User-Agent: curl/7.50.1 > Accept: */* > < HTTP/1.1 301 Moved Permanently < Server: nginx/1.10.1 < Date: Sun, 28 Aug 2016 15:09:03 GMT < Content-Type: text/html; charset=iso-8859-1 < Transfer-Encoding: chunked < Connection: keep-alive < Location: http://www.hackertest.net/505/ < X-Cacheable: YES < X-Served-From-Cache: Yes < <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>301 Moved Permanently</title> </head><body> <h1>Moved Permanently</h1> <p>The document has moved <a href="http://www.hackertest.net/505/">here</a>.</p> <hr> <address>Apache Server at www.hackertest.net Port 80</address> </body></html> * Connection #0 to host www.hackertest.net left intact |
1 |
http://hackertest.net/505/403/ |
1 |
What is the answer to life, the universe, and everything? |
This lifts my spirit. A hint to ‘The Hitchhiker’s Guide to the Galaxy’?
In the source code there is a comment.
1 |
<!-- Add a file extension to that --> |
1 2 3 |
http://hackertest.net/505/403/42.php --> nothing http://hackertest.net/505/42.php --> nothing http://hackertest.net/42.php |
Conclusion
Because I missed a crucial piece of the puzzle I thought this challenge was ending a bit odd. But after finding the missing piece, I finally could finish this challenge with a satisfying feeling.
To learn how to hack and execute pentesting, I would suggests some other (and in my opinion better) resources, but to really finish this challenge you definitely need the hacker mentality! Nonetheless I enjoyed this challenge.
Still there are some questions left unanswered. Like, what is the secret code for? Why was there a comment in the gif file containing a gmail address?
I let these questions to others who are interested in solving a peculiar puzzle. If you do find the answers…let me know.