I started this game some days ago, but I hadn’t had time for writting about it. The web page is http://www.mod-x.co.uk and invite us to solve some challenges, the great thing about it is that has an increasing level. No more words and let’s go:
Level 1
Agent apok…
I am sorry you have had to go through the login procedure again, but it was the only way we could make a fresh start. We fear that our Mod-X systems were penetrated last week – possibly by one of our own. As you know, we take security very seriously and this is why we believe that only someone on the inside could have pulled a stunt like this.
Unfortunately, they were good – very good. We have very few traces of the break in, but we believe they got in through a Perl CGI hole. Since the break in, we have become aware that the Mod-X terminals have been passworded. We have no way of accessing the Mod-X systems without this password. However, we also noticed a message that was left by the intruder – it seems they want to play games with us. We need you to examine the message and see if you can find the password to the terminals. If you find it, submit it to us in your mission conclusion.
Good luck apok.
There is a link which take us to an “owned” web page:
As you can see there are some links, all of them give us definitions but the last one which show us a prompt asking for a password. Let’s check the source code:
There are two interesting things:
|
1 |
<center><A HREF="javascript:gothere();">Break the challenge and you will find your answer</a></center> |
As you can see the link is a launching a javascript function:
|
1 2 3 |
function gothere() { location.href='%47%21%23%23.php'; } |
If we try to access that web page we have the prompt asking us for a password, let’s check the source code, just put ahead of the link the magic words and do the magic:
|
1 |
view-source:http://www.mod-x.co.uk/G%21%23%23.php |
This is what we have:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
<HTML> <HEAD> <TITLE>Null</TITLE> <SCRIPT> var string = "3be315jfnbcv7323fx"; var enigma = ""; var whatisthis = "var myxor = prompt('Password:','');for (y=1; y<5; y++) {enigma += (string.indexOf(y)+1);}enigma += 5;if (myxor==enigma){enigma = enigma + '.php';location.href=enigma;}else{location.href='hahaha.php';}"; eval(whatisthis); </SCRIPT> </HEAD> <BODY> </BODY> </HTML> |
This is interesting because they are using an eval as a way to somehow obfuscate the code:
The interesting part is:
|
1 2 3 4 5 6 7 |
... var whatisthis = "var myxor = prompt('Password:',''); ... if (myxor==enigma){ enigma = enigma + '.php'; location.href=enigma; } |
So let’s do it in the lazy way, I inserted an alert:
After execute it I got:
|
1 |
515105 |
That is the page where I’ll be redirected if I give them the correct password, so let’s check it:
The password is:
|
1 |
h0w_l4m3.r.y0u |
Ok, It’s correct, but it seems they are real hackers 😉 they are playing with us… but you know, why don’t enjoy it? after all…
now the real games can begin.
See you on level 2, until then.
P.S. if your curious about how the page name is gotten, the loop is looking for the position of the numbers from 1 to 5 into the variable string then it is found add one to the position (remember it is 0-based) finally it concatenates a 5 at the string ending.
No Comments Yet