Jotto.. what the hack is that? Well, Jotto is a part of the Vicnum project which was developed for educational purposes to demonstrate common web vulnerabilities, as apart of OWASP project. Actually Jotto is game, the game play is The computer will think of a five letter word with unique letters. After you attempt to guess the word, the computer will tell you whether you guessed the word successfully, or how many of the letters in your word
match the computer’s word. Keep on submitting five letter words until you have guessed the computer’s word. To make it more interesting, OWASP challenge the user to hack the Jotto algorithm and word database.
OK lets go start it. Open you browser and play a little while with Jotto at here . If you get stuck, you might read my entire post, but I suggest you to try it first (as I do) before you read my article.
Since you want to read my post, the I will explain it to you how to solve the Jotto challenge. First prepare the gun, I’m using Burpsuite and online decoder. Now, try to insert your nick name in the text-box and start the game by push the play button. Next try to guest the word that has been “thinking” by Jotto. Before you start to answer the question, fire up the Burpsuite first (I will not explain how to config the Burpsuite in here, you might refer to google on how to use it). Then next, try to submit your answer, in my position I tried to type aaaaa. Burpsuite will catch the POST process
POST /cgi-bin/jotto2.pl HTTP/1.1 Host: jotto.ciphertechs.com User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:22.214.171.124) Gecko/20110323 Ubuntu/10.04 (lucid) Firefox/3.6.16 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 115 Proxy-Connection: keep-alive Referer: http://jotto.ciphertechs.com/cgi-bin/jotto1.pl Cookie: oreos=cyb3r.anbu; chipsahoy=0; mallomar=fcragren Content-Type: application/x-www-form-urlencoded Content-Length: 55userguess=aaaaa&player=cyb3r.anbu&guess=svany&oldguess=
from the information above we could know that the page tried to send some data to the server
There are 4 variable which the page tried to send , userguess which is our answer then player variable which is our nickname then guess which we don’t know yet what is that thing is and last is oldguess, same as guess variable, we still have no clue what for is it. OK, next try to submit the answer, luckily (in my position) the Jotto said that the a letter is one of the rite’ char.Well, at least now I already knew that between the five letters, one of them is a.
After trying around with some input, now we could know that oldguess is a variable that used to store the answer from previous action. Now the question is what about the guess variable? what is it exactly? I tried to use the send it into Burpsuite decoder/encoder, but still have no result. Looks like it’s not encode using the method which was listed on Burpsuite. Next I tried to use online decoder in here and try to check the string with all the listed encryptor/decryptor, one by one, then finally it shows a readable string final. It was encode with ROT13 method.
Now it’s time to test the string, first I turn of f the Bursuite, then I tried to set final as my answer and there it goes, Jotto said:
Congratulations bla bla bla
Well, looks like now we already pass the first challenge, try to read the word (every letter). To make sure that guess variable is the real answer for every question, lets try to start the game again. But now without using the Burpsuite. After enter the nickname, next try to read the html source which, inside the form tag we could found the guess variable in there.
input type="hidden" name="guess" value="nohfr"
now, go to online decoder site and try to decode the nohfr with ROT13 decoder it will show the real string, in this case it shows abuse. Next try to enter this string into the textbox and hit the GUESS button. Well done! we answer the rite’ word.
Before you push the CONTINUE button, try to fire up Burpsuite again to catch what data will be send by the page. Here what we got
POST /cgi-bin/jotto3.pl HTTP/1.1 Host: jotto.ciphertechs.com User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:126.96.36.199) Gecko/20110323 Ubuntu/10.04 (lucid) Firefox/3.6.16 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 115 Proxy-Connection: keep-alive Referer: http://jotto.ciphertechs.com/cgi-bin/jotto2.pl Cookie: oreos=cyb3r.anbu; chipsahoy=1; mallomar=svryq Content-Type: application/x-www-form-urlencoded Content-Length: 35 player=cyb3r.anbu&cnt=1&guess=nohfr
Well now we have another variable in here, it’s the cnt variable. To find out what is it, try to repeat all the step from beginning then after the Congrats page set up the Burpsuite and try to edit the cnt value into 0, then forward the packet, let see what happen. Surprise, obviously the cnt variable hold the counter value. Now, the system tell us that we had successfully answer the answer in 0 (zero) attempt.
Next thing to do is try to hack the database system. Let’s try some classic way, with trying to inject a SQL command into the Jotto queries system, in here it should be the searching player menu. You might find the page after you send the correct answer page, at this page exactly http://jotto.ciphertechs.com/jotto4.php
Now. lets try to enter sql injection strings into the input textbox. I will using
cyb3r.anbu' OR '1'='1
and here come the result
Search Results You have requested results for Jotto player cyb3r.anbu' OR '1'='1 : find the last name in the jotto file has guessed bjnfc in 2147483647 guess(es) on 2011-03-15 09:19:49 cyb3r.anbu has guessed token in 1 guess(es) on 2011-04-26 07:10:08 brokecyb3r.anbu has guessed spent in 0 guess(es) on 2011-04-26 05:22:29 brokecyb3r.anbu has guessed image in 0 guess(es) on 2011-04-26 05:17:07 guessedcyb3r.anbu has guessed young in 0 guess(es) on 2011-04-26 04:42:25
OK good, this would be a good sign for us. At first, I got a little confuse in here. After reading the result repeatedly, finally I start to understand what is the next things to do. Pay attention to the second line from the result
find the last name in the jotto file has guessed bjnfc in 2147483647 guess(es) on 2011-03-15 09:19:49
using ROT13 decoder, I tried to decode the bjnfc string , which will produce owasp string. Ok now I have the string what next, have alittle problem in here but next I realize that the statement said find the last name in the jotto file, now I need to search that Jotto file. Again I start my Burpsuite, try to runs the spider tool againts the Jotto site. After a while, finaly the sipder shows a good result, it found a file name jotto inside the website
http://jotto.ciphertechs.com/jotto/jotto</blockquote> HTTP/1.1 200 OK Date: Tue, 26 Apr 2011 09:06:27 GMT Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.1 with Suhosin-Patch Last-Modified: Thu, 14 Apr 2011 14:18:39 GMT ETag: "2c807c-b4-4a0e19a05cdc0" Accept-Ranges: bytes Content-Length: 180 Connection: close Content-Type: text/plainabout abuse basic black broke brown clean clear field final image index macro magic major opera prize probe prove proxy right slave token virus white worms yield young owasp broke
Nice!! ok from the statement we should look at the last word after the owasp string, the it’s gonna be broke! Next I try to put the string into the player input, try to run the application as before but nothing happen with the player list, with some try and error I tried to put the string with my nickname brokecyb3r.anbu, and again try to load the player list, and there is my nick name in there. Congrats to you, now your nickname already listed on the hall of fame page 😛 *LOL