HackThisSite ExtBasic Challenges Walkthrough Part 1

I'm continuing my plan of going through a hundred different CTF, challenge and war game websites to clear all their challenges once and for all, just for fun.

I’ve chosen HackThisSite as it was one of the first ones recommended by some friends. As expected, I’ll be visiting the Extended Basic challenges this time, Levels 1 to 5. Keep in mind that this is exactly what it is, basic, which means they are very easy. Apart from that, I’m sure it will be loads of fun.

If you haven’t read my previous writeup articles, feel free to access them HERE.

Disclosure Alert:

The intention of each of my writeups is not giving away the solution, which would actually spoil the fun. My intention is to provide you with loads of information and the mindset used by attackers to find vulnerabilities.

Root-me.org has a very strict non-disclosure policy, and I’m trying my best not to violate it, therefore flags identified will always be redacted from my posts to encourage the reader to look for them by himself/herself.

Remember, always try to solve it yourself first: try harder, read as much documentation about the problems as possible, talk to more experienced people, and stress your mind out till you are (or think you are) completely out of ideas. Doing otherwise would completely defeat the purpose of the challenge, which is LEARNING. Only when you are out of ideas should you start looking for hints and writeups that could aid you in solving the problem. That’s what writeups are for, to help you think without giving you the answer. Writeups have to be considered a last resort.

Also remember that every writeup is different as different people have different backgrounds, therefore different ways to solve the same problem. Always try to find the solutions for yourself.

That being said, let’s go for the writeups.

Over and Over?

The challenge says:

“You have to give input to a C program which gives you the length of the string. How would you crash it? here is the function:”

It also gives us the function script:

Analyzing that code, it has a variable that expects a value 200 characters long. So it looks obvious that if we run the software and provide it with a 201-character value, it will crash.

I believe that just passing the 201-character value in the input field may do the job, so let’s generate this value and use it in the field:

Et voilà. Challenge is done.

Extension Blocking

The challenge says:

“You have this function, provide the value which must be POST-ed as filename to obtain the desired results:
Get the source code of hackthissite.org/index.php
here is the function:”

It also gives us the function:

OK, so now we have to provide the value as the filename to obtain the desired results. The PHP function “file_get_contents”, as the PHP manual says, is used to read an entire file into a string.

I guess our job here is to try to read a local file, which is in “hackthissite.org/index.php”. So let’s include the following text in the field:

Et voilà.

Finda Fake 1

The challenge says:

“Oftentimes you will need to decipher a language which you can not find on google or is encrypted in some way
I have made up a language for you to decipher. What is the output of this program?”

It also gives us the output of the program:

Well, I guess no help from Google on this one. Also, I didn’t quite understand what I had to do here besides trying to decipher the made-up language, but it doesn’t look difficult at all.

On the first line, the author starts the application. On the second line, a variable called “AS” is created. On the third line, a variable called “AS 0” is destroyed. On the fourth line, the variable AS is recreated and the T0 value is applied to it. Since the variable was already initialized before with the value 2, I guess it still has it. Another thing is that T0 was never initialized, therefore 2+0. Et voilà!

Finda Fake 2

The challenge says:

“Oftentimes you will need to decipher a language which you can not find on google or is encrypted in some way
I have made up a language for you to decipher. This is slightly harder. What is the output of this program?
This is a REAL language with REAL rules. This is practice for obfuscation or encrypted functions.

{user types 6,7}

It also gives us the output of the program:

Well, this looks very similar to the previous challenge but this time we have a real language with real rules. I guess in this example we have to understand and use the value of “int” to solve it.

The author begins the program by giving it the name “f.ake”. On the second line, the author declares an integer variable called “var” that will be stored as “int”. The third line declares a variable called “int”. The fourth line outputs the sequence var and int.

I was puzzled, but after a while I realized I had missed the information about the values of the variables, which are 6 and 7. So as they are returned in order, the answer is simple. Voilà!

Fix the Script

The challenge says:

Notice: do not use sed -r. This only works for Linux. Instead, use sed -E.

Sam wants certain users to be able to run limited commands from a PHP page. He created a function called safeeval to run these commands. However, on one page he neglected to use safeeval and instead used eval(). Safeeval will fail if a command given should not run.
Sam then created a shell script to fix the error.

Sam’s uname is:
FreeBSD 6.9

The challenge also gives us the script:

It also gives us the script for FreeBSD:

It is clear that Sam did something wrong with the script, so all we have to do is find the error.

Analyzing the FreeBSD Shell Script we have the first command being “rm OK” which will basically delete any file named “OK”.

On the second line we have the command “sed”. The option “-E” is used to pass it a shell command which in this case is “s/eval/safeeval/”. After that we have “<” redirecting the content of file “exec.php” to the “sed” command. After that we have “>” which will redirect all output to file “tmp”. After that we have “&& touch OK”. This means that if the last command worked, the command “touch” will be used to create the file “OK”.

The “IF” statement says that if there is a file named “OK”, delete file “exec.php”, and if this command worked, also rename file “tmp” to “exec.php”.

Going back to the first “sed” command, I noticed that Sam didn’t use the “/g” at the end of the “sed” expression. Without it, only the first match on each line will be changed, nothing more. By adding that to the line, we have our flag. Et voilà!
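To see the difference the “/g” flag makes, and how to check such a fix before trusting it, here is an added example that is not the challenge's script. The sample file contents and all function names are constructed for illustration, and the third variant goes beyond the writeup by also leaving calls that already use safeeval intact.

```sh
#!/bin/sh
# Constructed stand-in for exec.php; the real file is not shown on the page.
sample() {
cat <<'EOF'
<?php
eval($a); eval($b);
safeeval($c);
EOF
}

# Substitution as the writeup describes it: no g flag, so only the first
# match on each line is rewritten.
fix_first_only() { sed -E 's/eval/safeeval/'; }

# The writeup's fix: the g flag rewrites every match on the line.
fix_global() { sed -E 's/eval/safeeval/g'; }

# Added variant (assumption, not part of the challenge): fold any existing
# safeeval back to eval first, so calls that were already correct are not
# mangled and running the fix twice yields the same file.
fix_idempotent() { sed -E -e 's/safeeval/eval/g' -e 's/eval/safeeval/g'; }

# Verification helpers.
# Number of "eval" occurrences that are not part of "safeeval".
count_bare_eval() { sed -E 's/safeeval//g' | grep -o 'eval' | wc -l | tr -d ' '; }
# Number of lines where the prefix was applied twice.
count_mangled() { grep -c 'safesafeeval' || true; }

# Report what each variant leaves behind in the constructed sample.
for f in fix_first_only fix_global fix_idempotent; do
  printf '%s: %s bare eval, %s mangled line(s)\n' "$f" \
    "$(sample | $f | count_bare_eval)" "$(sample | $f | count_mangled)"
done
```

The patterns match the substring “eval” anywhere, as the original substitution does, so identifiers that merely contain “eval” would be rewritten too.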

I hope you liked this one. See you on part 2 of ExtBasic.