Dictionary attack

Well Phrodom good for you. There is a much simpler way but that’s what this site is all about. All the different ways to pass a level. It’s the same in the real world too. More than on way to do a hack. :)

Ahahaha yeah i know, i passed it the simpler way, i did this just for practice :P
As I already knew the username and password, I was able to verify my answer while I was testing my code.

if your C# program work , can you share it on tool section? eheh :p

Sure but it actually only work for the hash encryption of the “real level 3”. Could be usefull tough.

Is the above code only for Real Level 3 and thanks for sharing this @Phrodom

just a hint :) (before i sleep).

work on the math of the hash encryption. BIG HINT: >> BASE 7!! MUHAHA XD

@tlotr, same answer as in the other post ;)
@midnightclub2, I made a revert algo but It takes a long time because you can always have more then 1 solution for each hash. Trying all is hard in this case. Using a dictionnary attack you only get the good words.

All you have to do is read the source code on the level. If you copy the link address to the Login Page you get this:
https://www.hackthis.co.uk/levels/extras/real/3/login.htm
Okay so what to do next? Read the source code it tells you a lot.
Going to put this in a spoiler, so if you don’t want to read it then don’t.

Scroll down and you will see;

So they are using javascript eh?
So click it and see what happens? Because when you click the link you get:

m[m.length]=new Array(“66913”,“78323683”,“Ksrg”,“/oiAguA/ykdp/8?rF=xhyvAttm”);
m[m.length]=new Array(“644543”,“859223813”,“Krteb”,“/ohCeux/rlho/6?ww=wjwzohhw”);
m[m.length]=new Array(“16130”,“78323683”,“Osqqrxz”,“kxyr://FED.mrslnn.kvs”);

Well how does this help? “I hear you ask”. Well it tells me that they are using a link to a javescript file: login.js

So once again look at the source of the login.html file we see this:
if(f.length==0) { alert(“Member Not Found”); return; };

You also see this:

So they are looking for ‘mem’? So I tried: https://www.hackthis.co.uk/levels/extras/real/3/mem.js
No thats a 404 error.

Next tried this where it says Member Not Found. So lets try member.
So I tried:
https://www.hackthis.co.uk/levels/extras/real/3/member.js
No thats a 404 error too..

Next I tried:
https://www.hackthis.co.uk/levels/extras/real/3/members.js
and guess what I get??

m[m.length]=new Array(“”,“”,“”,“/levels/real/3?pw=”);
m[m.length]=new Array(“”,“”,“”,“/levels/real/3?pw=”);
m[m.length]=new Array(“”,“*”,“**”,“http://www.google.com”);

So all I needed to do was try the one after the other until one worked.

That’s how I did the level. :)

P.S. If this is a bit too close to giving it away then moderator or flabby please remove it all. :)

Yop, that’s pretty much how I did it to! Then I came back I tried to make a dictionnary attack algo :P and I managed to make one so I am proud :P
I finished all the levels except the last 2 crypt level so I am trying other way to do those kind of levels :P

That’s cool Phrodom good for you and ‘yes’ be proud at least you are trying different things and most of all ‘Learning’ Not like some who only want the answers. More power to you mate! :)

Ahaha thanks, you too mate!

I have a server at home so the more I know how to hack, the least chance I get hacked :P

ah nice guessing there :) unfortunately i went to decrypting the hash instead :/

But that itself wasnt too difficult actually, its more or less just math :) dictionary attack/ brute force is probably OP imo

1. write the recurrence relation for the var hash.
2. since you know the mult, you can write out the eventual hash as f(n) + g(n, x1, x2, x3, … , xn)
   The functions f and g and x1, x2, … , xn are for you to work out, though feel free to pm me if you want some hints
3. eventually, you will realise that function g has a trivial solution –> thats where my base 7 (for username) hint from my previous post comes from :)
4. as a result, i was able to construct one of the solutions using from the letters a to g for username (since its base 7 remember?)
5. from that solution, you can easily generate more solutions, but thats unnecessary for this level.

edit: all these can be done using pen, paper, and a decent scientific calculater :)

Would like to know what other decryption methods you guys have :)

I am not sure that i understand your solution but it seems really brilliant. Can you PM me the solution more detailed?

This is my reverse for username Hash algo. I think it’s similar to your solution:

```
public static String reverseHash(int hash)
{
String line = “”;
String alpha = “abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghij”;
int tmp = 0, i = 0;
if (hash < 0)
return line;
else if (hash > 0)
{
do
{
tmp = hash - (alpha.IndexOf(alpha[i])) - 1;
i++;
} while (tmp % 7 != 0);

            line += alpha[i-1];  
            return (reverseHash(tmp / 7) + line);  
        }  

        return line;  
    }```  

I do not take all creds for this code, it’s my friend who found the basic of the Idea, I just corrected the errors in his algo.

hey Phrodom, from the looks of this line tmp % 7 != 0, yeah i think we are using the same concept :)
just that i start from a basic solution and build up, whereas you can generate all in one go with the program :)

Yep exactly but in my actual solution, I

get the first result only witch looked something like “eefjg” from “66913” (may not be exact, it’s from memory) and my goal was to find exactly “Admin” so I figured that using a dictionnary attack instead would give me only the human words possibilities (“Admin” included in all the possibilities). I also did an algo that call this one until I get all possible results and I found waayyyyyyy to many possibilities juste for “66913” so imagine “644543” and “859223813” :P

@Phrodom: Please don’t be too specific about username / password. I mean, don’t write it down.

im not sure, but in real life, people may not put dictionary words as passwords, and there comes the brute force (oh gawd, but from a refined set of possibilities :D ).

@freewind1012 true! Thanks! I wasn’t sure about the “spoiler” tag. I found it :P

@midnightclub2 In real life, 99% of the people uses passwords easy to find by knowing a little of them (like NameDDMM, or Name666, etc.) so with a good dictionnary and a good algo (John the ripper) you can find almost everytime. The 1% of the people left are well protected because the most of the time, there is always a easeyer flaw than the password. For exemple, I went to a shop today, and I noticed that there is a key lock on the automatic door that seems pretty secure. But then I figured that if I really wanted to enter the shop, why botter pick locking the lock when I could just throw something in the big window of the automatic door! :P

Ok guys shouldn’t one of these threads be closed!

I was wondering where I should post this: here or there. Because it relates to Real Level 3 so…

@Phrodom: Instead of brute-forcing from a dictionary, I found another programming method to solve this level long time ago. I was too lazy to convert it to another versions (JavaScript / PHP…). Check it out.

freewind: just a question: what is the purpose of

[quote=author]
(let [link “kwAp://FBw.ohfnAhrx.cv.Bn/olvnqs/ya.skw?pF=xhllsuBln”
hash (get-hash 9 link “http://www.hackthis”)]
(decrypt-link link hash))

(let [link “kxyr://FED.mrslnn.kvs”
hash (get-hash 8 link “http://www.go”)]
(decrypt-link link hash))[/quote]

at the end of the code?

In the real level 3, when you look at the javascript “check” method, after it hash what you give as username and password and compare if it’s the same as they have, it get trough an algo that decrypt (based on what you give) the link saved in m[][]. I think that what this does is that it first bruteforce the usernames and passwords and then decrypt the link directly instead of bruteforce the username and password and put it in the site of real level 3. I did not test it but i am pretty sure that you can pass the level by just going directly to the link in m[][].

@Phrodom: Your guess is right. After submitting username and password, we will be redirected to another page with a parameter in the URL. HackThis!! uses this convenience to decide if you can pass the level. Therefore, if you figure out the right URL, you can access to it directly to complete Real Level 3.

i like this discussion :) isnt this a great community?

Yep really! It’s really instructive!

@midnightclub2: The programmer was trying to decrypt some encrypted URLs with his assumptions. According to his code:

kxyr://FED.mrslnn.kvs is an URL which begins with http://www.go[/spoiler]
[spoiler]kwAp://FBw.ohfnAhrx.cv.Bn/olvnqs/ya.skw?pF=xhllsuBln is an URL which begins with http://www.hackthis

If he decrypted the second URL right, he could type it in the URL bar, hit enter and complete the level.