A fun hacking site

I came across this site – which tests someone’s l33t h4x0r1n6 skillz.

Well actually real hacking isn’t as simple (and neither am I saying that the site is a piece of cake – I gave up on level 15, with no intention to finish it anytime soon). But the site is good practice for the eye and mind, as it makes you think of the common simple solutions to sometimes complex-seeming problems.

Think if it as an IQ quiz, as it doesn’t measure how well versed you are with programming languages, but simply tests your skills on analysis.

[Give it a try][1]

I fired up notepad while I was solving the series of levels so I can post some clues here on my blog.

The site forbade the giving of solutions, so I will try my best to not “spoil” anything. Just to point people in the right direction.

And before everything else: GOOGLE IS YOUR FRIEND 😉

Of course, don’t spoil the experience by simply looking for the ANSWERS. What I did was I Thought about how to attack each problem – then researched a bit as to how I’d be able to implement my solution.

LEVEL01: No brainer

Check the disclaimer on the very first page for a clue. If you can’t figure that out, then you’re wasting your time.

LEVEL02: The birth of varibales

Know how variables are assigned and compared to get this.

LEVEL03: Know what you’re looking for

Dont assume the answer is always in the same “place” 😉 Furthermore, know how webcode references the browser API

LEVEL04: Plaintext?

For those people who are used to seeing URLs that look somewhat like: http://www.domain.com/words**%20**spaces.symbols**%20**and**%5**Bother**%20**go**%5D**-shit.htm Then you probably know what to do 😉

LEVEL05: Eliminate the noise

Two things: Whitespace and Array length

LEVEL06: Redirect hell!

Pretty straightforward, you just have to beat the redirect… somehow 😉

LEVEL07: Look at the files

If you were able to view 6, then you can also get 7 😉

LEVEL08: Curiosity killed the cat? Hell no!

If you get the solution, then you don’t even have to know the password (which is also the password btw.)

To get the solution, take a look at the URL… now if you were a curious surfer, what would you do? 😉

LEVEL09: Tedious

Say it with me now: Find and Replace! Hell, you proabably wont even have to do that if you want a challenge.

LEVEL10: Eyes of a hawk

If you were very meticulous about code syntax, you’d probably get this straight away.

This has a password by the way. But if you did it right, just like #8, you can probably bypass it altogether.

LEVEL11: Sneakers

This confused me too. I just tried a little common sense, since I didn’t intend to dive too much into the technicalities of arrays or string replacements. Suffice to say my “title” of this level (referring to the movie Sneakers) is appropriate 😉

LEVEL12: Tedious (part 2)

Stupid permutations! It’s a very brute-force type of puzzle.

LEVEL13: Call in the reinforcements

Most people would understandably stop here, since you’ll have to have 3rd party software to decompile stuff to get this. Is it really worth the time to install a decompiler just to answer this?

If you already have it installed however, then why not give it a shot? 😉

LEVEL 14: Vertigo

I must admit that this was already too complicated for me as they put in some routines that really made the code messy (like finding a needle in a haystack). They also implemented some rudimentary “encryption” on a string.

But everythings in there, so is the answer. If you pinpoint the function which “decrypts” (for lack of a better term) the user/password, you can add an alert(); call that displays via javascript the value of the said user/pass RIGHT AFTER it has been “decrypted” (before continuing on to the authentication routine

Level 15: ‘Twas good while it lasted

This is already at the level of normal, unsecure web authentication. I myself stopped here. I figured if I can figure this out, I’d probably be good enough to get into tons of unsecure sites. But alas, my skillz aren’t that l33t yet.

So there we have it 14 out of 16 solved. It was a fun ride =)

UPDATE: I NOW DID 15 and 16 (though I already cheated on the last)

Basically all you have to do is research how .htaccess is used – moreover the common directory structures (this is a biggie). Since it’s a hacking game, it will obviously have to use something people (who are familiar with web directory structures) can “guess.”

When you’re done finding the right “url” you’ll see the user:pass, but wait! the pass is encrypted. So you’ll have to check out what type of encryption was used (which will be apparent if you already got that far)

Level 16: Totally beyond me

The clue (and answer for all its worth) is this:

Cxitpla fxe hxemj xeg pxa gx cxort gpqc xmt,
keg mxa at aqoo bptbn qh fxe nmxa gpt bxoxezc.
Apsg bxoxez qc gpt ksbnlzxemj xh gpqc vslt?

[hint: translate answer into german]

Obviously this is something I can’t solve for the life of me. There is a site however that explains it in laymans terms: http://www.ebmb.org/mbs/mbs.php4?num=1065048590&thread=1065041070

The topic title itself is mind boggling: Cryptanalysis on a (monoalphabetic?) substitution The fuck!? So I’m not really ashamed of cheating, since I would’ve never found out how to solve it anyways.

So anyways, the test is done, and I cheated at the last part hahahaha.

Have a say

This site uses Akismet to reduce spam. Learn how your comment data is processed.