Challenge 5 - Break Me Down
Again, a Username and Password console. Except that this did not use the same credentials like the previous challenges.
From the page, there is an option to Upload a Txt file. This was my perhaps my clue. Problem here is, its hard to perform brute force of the site to search for hidden files or directories. Instead, i used a technique called Spidering or some may call it Web Crawling. For this level, i used Burpsuite to do my spidering. As expected, it managed to crawl through and found the hidden files and folders. (My colleague told me that he used a technique called 'Directory Traversal, which was by right the expected way of doing it..)
Next, i went straight to the first directory /uploadsAtria/
Then i went to /Atria
And finally the 'details.txt'. And yeap, JUICY!!! The password seemed to look like a form of hash. First thing that came up to my mind was PASSWORD/HASH CRACKING/DECRYPTING!!!
But in order for me to do that, i need to identify what type of hashing algorithm it was using. Thanks to this website, i pasted the hash and it gave me a list of possible algorithms.
Based on experience and with a collection of websites that do hash decryption or cracks, i load multiple sites and see which one will crack it for me. And yes! My collection of these online crackers did not fail me.
So with the Username from the 'details.txt' and the Password cracked from the website, crossed my fingers and click Login... Yeah Baby! Level 5 is down i repeat Level 5 is down!!!
Next stop - Level 6!
No comments:
Post a Comment