Today we’re going to be looking at another web-based wargame: the first level of the Damo Web Security Challenges. These challenges can be found at the damo site here. To get started, head over to the first challenge page here.
Reading the page, we can see there is a Hall of Fame page which we are supposed to put our name on. There is also a link with the text ‘admin’. If we click on the admin link, we get prompted for a username/password in a fashion that looks like .htaccess/.htpasswd. Next, if we click on the Hall of Fame link, we can see it makes use of index.php?page=halloffame. This suggests that a file is included based on the page parameter, something we can leverage.
To leverage this, let’s try to read the .htaccess and .htpasswd files for the admin directory. To do so, let’s change the URL to index.php?page=admin/.htaccess. Once we do, we see an error. This error shows us that the page is trying to include “admin/.htaccess.php”. Since we didn’t add the .php, we can assume it’s appended by the script. To get around that, we can add %00 (a URL-encoded null byte) to the end of the URL, which causes the underlying file functions that evaluate the page variable to stop reading the string once the null byte is reached. Upon loading the page again with the null byte appended to the end of the URL, we see the .htaccess entry for the admin directory. This entry refers to the .htpasswd file used for the directory. If we go look at it, we should be able to get a username/password to crack. So let’s redirect our URL again to index.php?page=../hiddenfoldersch1/.htpasswd%00.
The page now shows the entry in the .htpasswd file: a username and password hash for the admin directory. However, the password still needs to be cracked, so let’s put the hash into John The Ripper. After a few seconds, the password is cracked and a username/password combo is ready to be used to access the admin directory.
Now we can enter the username/password on the admin directory and add our name to the Hall of Fame. Hooray!
So What?
Includes are risky: at minimum, whitelist the values they accept; better still, never include files based directly on user-supplied data. Watch out for null bytes prematurely terminating user-supplied strings. Use strong passwords and hashing algorithms.
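As an added illustration of the first two points (this is not the challenge’s own source, which we never see), here is the include pattern the walkthrough infers, next to a whitelisted replacement. The pages/ directory and the page names in the whitelist are assumptions.

```php
<?php
// Added example, not code from the challenge itself.

// Vulnerable pattern inferred from the walkthrough: the raw page parameter is
// concatenated into a path and ".php" is appended. The traversal and the
// null-byte truncation of the suffix (fixed in PHP 5.3.4, which rejects paths
// containing NUL) both come from trusting $page.
function vulnerable_page_path(string $page): string
{
    return 'pages/' . $page . '.php';
}

// Hardened: map the user-supplied name onto a fixed whitelist of known pages
// and never build a filesystem path from the raw input.
const ALLOWED_PAGES = [
    'home'       => 'pages/home.php',       // assumed page name
    'halloffame' => 'pages/halloffame.php', // named in the walkthrough
];

function safe_page_path(string $page): ?string
{
    // Accept only a short, plain page name. This rules out "..", "/",
    // embedded NUL bytes and anything else that is not a key we expect.
    if (!preg_match('/^[a-z0-9_]{1,32}$/', $page)) {
        return null;
    }
    return ALLOWED_PAGES[$page] ?? null;
}

$page = $_GET['page'] ?? 'home';
$path = safe_page_path($page);
if ($path === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $path;
```

With the whitelist in place, a request such as index.php?page=admin/.htaccess%00 never reaches include(); it fails the name check and returns a 404 that can be logged and alerted on.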