su2 :: software · texts · graphics · photography · uni · me · links

up
Level URL Login Password Description
1 level1.html - hackerzzz Look at the HTML source: "if (passwd =="hackerzzz") ..." That's it. Easy.
2 levvel2.html Try2Hack NokiaIsGood lamp_small # wget http://www.try2hack.nl/FlashLevel2.swf
# strings FlashLevel2.swf
There we see:
...
txtUsername
Try2Hack
txtPassword
NokiaIsGood
...
*yawn*
3 LLeVeLL3.html - TheCorrectAnswer # wget http://www.try2hack.nl/LLeVeLL3.html
Look at the source. There are two <SCRIPT> statements in the code. The first one is <SCRIPT src="JavaScript"></SCRIPT>. So we do
# wget http://www.try2hack.nl/JavaScript
Voila! This one contains the real values for "PASSWORD","CORRECTSITE" and "WRONGSITE". They're set before the fake values below, which of course do not fool us l33t h4x0rs ;-)
4 thelevel4.html Try2Hack AppletsAreEasy From the HTML source we know the Java applet is called "PasswdLevel4.class". So we do:
# wget http://www.try2hack.nl/PasswdLevel4.class
Decompile the binary with the "javap" tool from the JDK.
# javap -c PasswdLevel4 > PasswdLevel4.java
The code looks a bit strange but we see that in the inFile() method a seperate file is loaded. The name of the file is set in the init() method:
...
 489 ldc #15 <String "level4">
...
Because the codebase of the applet was http://www.try2hack.nl/ we do a
# wget http://www.try2hack.nl/level4
This file contains the URL for level 5 and the username/password:
5_level_5.html
Try2Hack
AppletsAreEasy
5 5_level_5.html Try2Hack OutOfInspiration First: Windows and VisualBasic suck! It took a long time until I felt motivated enough to boot Windows and continue Try2Hack. First I hoped that the progam tries to connect to a webserver again (like level 4) to obtain the username/password. No it doesn't. Then I tried a decompiler to see what the program does. But because the statement from the first sentence unfortunately also applies to VisualBasic decompilers it didn't work out.
Finally I found WinHex a tool which is able to read the memory of a program currently running. WinHex doesn't suck. You just start the level5.exe, enter a dummy value into the password field and press OK. Leave the program open and start WinHex. Run the "RAM Editor", choose our program, select "Entire memory" and search for the dummy value. Scroll down some pages and you'll find the password (It has to be it. It sounds like the correct password. Personally I would have used a password like "Sans Serif" or "VBRUN300.DLL" ;-) When entering this password you're given the URL for the next level.
6 l-e-v-e-l-6.html ? ? OMG! Another Visual Basic program... :-(


1grey

Copylight (cc) 2001-2006 Stephan Uhlmann. Last change: 2003-07-07
Verbatim copying and distribution are permitted, provided this notice is preserved.