Solving ESET’s Pentest Challenges

John Troon
Jun 10

I stumbled upon pentest.join.eset.com while running pentest training a couple of months ago. I find the challenges friendly to anyone trying to dive into penetration testing. Here are the challenges and how I tried to solve them. Comments and other (better) ways of solving the challenges are welcome :)

1. Leaked password

We received a report that information is leaking: the server is sending out the passwords. There is nothing in the HTML code of the page. Send us the username and leaked password.

How I solved it:

For this challenge, I intercepted the traffic with the Burp Suite Proxy and forwarded the GET request to the Repeater tab.

Request Intercept

Under Repeater, I tried changing the protocol from HTTPS to HTTP, but I got a redirect back to HTTPS.

Redirection to HTTPS

I followed the request back over the original HTTPS and found an Authorization header carrying HTTP Basic authentication, a simple scheme built into the HTTP protocol. The client sends requests with an Authorization header that contains the word Basic followed by a space and the base64-encoded string username:password; base64 is an encoding, not encryption, so anyone who can see the header can read the credentials. Here the username is “pentest1” and the password “kTN7ceJU8k”, without the double quotes. You can also select the base64-encoded string and send it to the Decoder tab, where the Base64 option decodes it.

Basic Authentication

2. Hidden files

The administrator stores a backup of important data in a file and downloads it to his computer. The file is protected by having a very long name (more than 100 random characters). Such a long password cannot be guessed by brute force in a short time. The administrator took precautions against robots and forbade including the file in search results. Send us the backed-up password.

How I solved it:

Requesting the robots.txt file directly from the root of the website revealed a directory named ‘/bak’ together with the zip-file names. robots.txt is publicly readable, so a Disallow entry advertises exactly the path it is meant to keep out of search results.

Backup files

3. Hidden form

If the administrator wants to manipulate the content of this site, she must log in. Can you find what URL she uses? Send us the URL. Note: the login form is not real; the entered values are not processed.

How I solved it:

I manually appended common keywords to the base URL (https://pentest.join.eset.com/) and, without trying too hard, ‘admin’ presented a login form: https://pentest.join.eset.com/admin

admin login page

If my initial manual attempts to guess the login page had failed, I would have automated the process with a tool such as admin_panel_sniffer.

admin page found through brute-forcing

4. Word / PDF document

Read the application manual (can be downloaded from here) and send us login credentials that could be valid for application login.

How I solved it:

Opening the file and checking its properties tells us who created the document.

Document properties (using LibreOffice)

Since it is signed by admin, we can say that the names Petr Hromada and Pavol Bondra are associated with the user ‘admin’.
Username — pavol.bondra
Password — 1234567890

If that fails, I would also try:
Username — petr.hromada
Password — 1234567890
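The author read the document properties in LibreOffice. As an added example (not part of the original post), the following Python reads the same creator and last-modified-by fields straight out of a .docx's docProps/core.xml, which is useful for checking what author metadata a document leaks before it is published; the sample package it builds is constructed for offline testing and contains only that one part.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict

# XML namespaces used in docProps/core.xml of an Office Open XML (.docx) package.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
}


def docx_authors(data: bytes) -> Dict[str, str]:
    """Return the creator and last modifier recorded in a .docx's core properties."""
    found: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if "docProps/core.xml" not in zf.namelist():
            return found  # package carries no core-properties part
        root = ET.fromstring(zf.read("docProps/core.xml"))
        for key, path in (("creator", "dc:creator"), ("lastModifiedBy", "cp:lastModifiedBy")):
            node = root.find(path, NS)
            if node is not None and node.text:
                found[key] = node.text.strip()
    return found


def build_sample_docx(creator: str, modifier: str, with_core: bool = True) -> bytes:
    """Constructed minimal .docx-like zip holding only docProps/core.xml (for testing)."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
        f"<dc:creator>{creator}</dc:creator>"
        f"<cp:lastModifiedBy>{modifier}</cp:lastModifiedBy>"
        "</cp:coreProperties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if with_core:
            zf.writestr("docProps/core.xml", core)
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    # Names from the write-up, used here only as constructed sample metadata.
    print(docx_authors(build_sample_docx("Petr Hromada", "Pavol Bondra")))
```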

5. DNS discovery

This server has other DNS names than pentest.join.eset.com. Which are they? Send us the list of the names and where you found them.

How I solved it:

DNS Enumeration

I usually make use of https://dnsdumpster.com/ as well; it is pretty neat and straightforward :)

6. JS reversing

Reverse engineer the JavaScript code for the login form.

How I solved it:

This is an interesting one. We are presented with a login form and have to find a legitimate username and password. A quick random username/password (admin/admin) pops up an alert message box.

Alert message for invalid username

The challenge title says JS reversing, so JavaScript (JS) code must be checking these credentials. Also, pay attention: the alert message says ‘invalid username!’. Does that mean the logic never got as far as checking the password we supplied?

Opening the developer tools for the page (Ctrl + Shift + I in Chrome or Firefox) reveals an interesting piece of JS code.

JavaScript code for the login page

In the script there is a function w, which checks whether the username is ‘neadmin’ and returns True or False. So the username must be ‘neadmin’. This is why our random attempt produced the alert message and never went further to check the password.

Trying this new username, notice that the alert message changes. We have the right username; now we need a valid password.

Using the found username

Let’s find a valid password. Checking the code again, there is a function named q which returns False if the password length is less than 10 or greater than 20. If the password passes that length check, it then checks whether the sum of the ordinal values of its characters (the numerical codes of the characters) is divisible by 421 (the sum modulo 421 must equal 0).

I wrote a Python script to find a valid password, then used the username found in the previous step to test whether the form accepted my credentials. Below is the Python script I created.

I tried my email address (JAYOMBAGI) as the base string and, with some slight additions, I was lucky. The generated password is JAYOMBAGI_W.

password generation
Small wins!
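As an added example (my own code, not the author's script from the screenshot), here is a Python mirror of the check the page describes for function q, plus a small search that completes a chosen base string with the shortest suffix that satisfies it; the search alphabet and the 3-character suffix limit are my assumptions. It illustrates why a check that runs in the browser gives no protection: anyone can reproduce it exactly, so the real validation has to happen on the server.

```python
import string
from itertools import product
from typing import Optional

# Limits taken from the page's description of the client-side check (function q).
MIN_LEN, MAX_LEN, MODULUS = 10, 20, 421


def check_password(pw: str) -> bool:
    """Python mirror of the JS function q: length 10..20 and the sum of the
    character codes divisible by 421. Anything else is rejected."""
    if len(pw) < MIN_LEN or len(pw) > MAX_LEN:
        return False
    return sum(ord(c) for c in pw) % MODULUS == 0


def complete_password(
    base: str,
    alphabet: str = string.ascii_letters + string.digits + "_",  # assumption
    max_extra: int = 3,  # assumption: try suffixes of up to 3 characters
) -> Optional[str]:
    """Append the shortest suffix drawn from `alphabet` so that base + suffix
    passes check_password. Returns None if no suffix within max_extra works."""
    base_sum = sum(ord(c) for c in base)
    for extra in range(0, max_extra + 1):
        total_len = len(base) + extra
        if total_len < MIN_LEN or total_len > MAX_LEN:
            continue  # length rule can never be met with this many extra chars
        # extra == 0 yields one empty tuple, so a base that already passes is returned as-is
        for suffix in product(alphabet, repeat=extra):
            if (base_sum + sum(ord(c) for c in suffix)) % MODULUS == 0:
                return base + "".join(suffix)
    return None


if __name__ == "__main__":
    # Base string from the write-up; the suffix found depends on the assumed alphabet order.
    print(complete_password("JAYOMBAGI"))
```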

That’s it for part one. I’ll share part two, where we go through the remaining challenges.

ciao!
