Application 3 **BROKEN**

[nexo]

I think you know better than me what you are doing, but just changing that byte in that offset rendered my app unusable, it wont start (im running it through wine, that might be an issue...). What you say may explain why theres a null char at the end of the GET string (reading one byte too many), that null gets in between the end of the hardcoded string and the value entered as a S/N. What i actually did is to add a "1" following the "=" at the end of the hardcoded string, that way i stoped having bad responses (it could have been any valid char, i liked 1). I didnt decompile it so i dont actually know how it works.

Byte 166204 is the read length. Reduce it by one (0x2D - 0x01 = 0x2C). Hell, try changing the length and input data at the end of the string in the binary...

Well, thats nice (saw the laugh). I dont know why it didnt work for me, just changing an integer shouldnt turn my app unusable. I think i did something wrong...

[conscience]

Okay, so the application is broken. However, it is easy to fix, thanks mainly to occamsrzr who pointed out that tiny bit of editing that fixes up the null-character problem.
@nexo: It does so indeed. Give it a round of wireshark to see it yourself.
(It is however not about the length of the string, but a wrong starting offset)

The other bug is the Host HTTP header value sent being incorrect. Since you have plenty of space where you need to edit... Make a guess! You only have to add a few characters

Now that you have verified your app is responding as it should, you can, at your pleasure, set up your whatever to make the application receive the answer it expects.

I hope I didn't spoil anything; my goal was only to help others fix the bugs so they can complete the challenge without any impediments.

[LeDesassembleur]

thanks conscience : it has helped me. I was blocked until I read your post.

[Percival]

This mission was so much fun. I finally completed it and couldn't have done it without these great hints.
Thank you guys

[amardeep234]

2nd FIX:

So the 2nd the issue is actually a bad redirect, it doesn't seem to redirect to the A record "www" correctly. Anyway it can easily bypassed by giving a totally bad HOST and HTS ignores it.

I.e. this is good enough: "HOST: hts_admin_nooobs" and as you see a 200 OK response


So the 2 fixes for this application:

1. at offset 166204, change read position from 0x2D to 0x2C
2. at offset 166277, replace "hackthissite.org" with "hts_admin_nooobs"

[Guslarz]

Call me a weirdo, but usually I like taking a long way.

Without changing any code, I just moved all my network traffic through custom proxy where i put listener, and on request I sent my custom php.

It took me a while, but it was fun .

[luckily]

"1. at offset 166204, change read position from 0x2D to 0x2C" Is the only fix it needed.

Vim lets you edit hex, I love it.

load as binary:
vim -b binary.exe
go into hex mode:
:%!xxd

reverse back into binary before saving
:%!xxd -r
save and quit
:wq

Solved this one with local dns spoofing and running an apache server.
tools:
dnsmasq
apache2

[Faithe25]

Alright fellas,

I've found the culprit. It is indeed an HTTP GET Request that includes a null character between the php var and the value.

Put simply, one too many bytes is copied from the binary to memory. Here's your fix:

Open the binary in a Hex editor. Change the value of the byte at offset 166204 from 0x2D to 0x2C.

The correct solution will now work. But just be aware, if there is an indication that the pw was wrong, I haven't found it, mostly because I don't care to go looking.

If anyone is still having issues with this challenge, then try this fix. After implementing this fix I was able to finish the challenge in about 30 seconds. Thank you occamsrzr!

[Starman11]

I'm still stuck on this challenge, I've fixed the reading data problem, but I'm not sure of what to do next. Also, why is the hosts file useful in this mission? I tried entering a value for the key in the hex editor and using it to authenticate the program, but it didn't work, am I on the right track?

Oh never mind, I got it!

[SemperFind]

This one made me suffer way too much for how easy it was xD

The annoying part was fixing the app so it would connect. (Wireshark helped)

After that, it was just flipping a switch. All I needed was a hex editor.