| Level | URL | Login | Password | Description |
|---|---|---|---|---|
| 1 | level1.html | - | hackerzzz | Look at the HTML source: "if (passwd =="hackerzzz") ..." That's it. Easy. |
| 2 | levvel2.html | Try2Hack | NokiaIsGood |
# wget http://www.try2hack.nl/FlashLevel2.swf# strings FlashLevel2.swf There we see: ... txtUsername Try2Hack txtPassword NokiaIsGood ...*yawn* |
| 3 | LLeVeLL3.html | - | TheCorrectAnswer |
# wget http://www.try2hack.nl/LLeVeLL3.html Look at the source. There are two <SCRIPT> statements in the code. The first one is <SCRIPT src="JavaScript"></SCRIPT>. So we do # wget http://www.try2hack.nl/JavaScript Voila! This one contains the real values for "PASSWORD","CORRECTSITE" and "WRONGSITE". They're set before the fake values below, which of course do not fool us l33t h4x0rs ;-) |
| 4 | thelevel4.html | Try2Hack | AppletsAreEasy |
From the HTML source we know the Java applet is called "PasswdLevel4.class". So we do: # wget http://www.try2hack.nl/PasswdLevel4.class Decompile the binary with the "javap" tool from the JDK. # javap -c PasswdLevel4 > PasswdLevel4.java The code looks a bit strange but we see that in the inFile() method a seperate file is loaded. The name of the file is set in the init() method: ... 489 ldc #15 <String "level4"> ...Because the codebase of the applet was http://www.try2hack.nl/ we do a # wget http://www.try2hack.nl/level4 This file contains the URL for level 5 and the username/password: 5_level_5.html Try2Hack AppletsAreEasy |
| 5 | 5_level_5.html | Try2Hack | OutOfInspiration |
First: Windows and VisualBasic suck! It took a long time until I felt motivated
enough to boot Windows and continue Try2Hack. First I hoped that the progam tries
to connect to a webserver again (like level 4) to obtain the username/password.
No it doesn't.
Then I tried a decompiler to see what the program does. But because the
statement from the first sentence unfortunately also applies to VisualBasic
decompilers it didn't work out. Finally I found WinHex a tool which is able to read the memory of a program currently running. WinHex doesn't suck. You just start the level5.exe, enter a dummy value into the password field and press OK. Leave the program open and start WinHex. Run the "RAM Editor", choose our program, select "Entire memory" and search for the dummy value. Scroll down some pages and you'll find the password (It has to be it. It sounds like the correct password. Personally I would have used a password like "Sans Serif" or "VBRUN300.DLL" ;-) When entering this password you're given the URL for the next level. |
| 6 | l-e-v-e-l-6.html | ? | ? | OMG! Another Visual Basic program... :-( |
