Last updated: Friday 25th July, 2003
Level 1
Location:
http://www.try2hack.nl/levels/
Username: N/A
Password: h4x0r
This one is pretty easy. Right-click on the webpage and click 'view source'.
Down on line 23 it says 'if (passwd == "h4x0r")', which is a plain-text
conditional statement that checks whether the password matches.
Level 2
Location:
http://www.try2hack.nl/levels/level2-xfdgnh.xhtml
Username: try2hack
Password: irtehh4x0r!
This one catches a lot of people out because it is the first level with a fake
password thrown in. This level uses some basic JavaScript to try to disable
the right-click function (which doesn't work for most browsers). If you are
one of those affected, a simple workaround is to save the webpage to your
desktop (File -> Save As) and then open that file using notepad. Down on line
22 it says 'passwd="ItIsSoEasy"' - don't be fooled, this is a fake password.
And no amount of looking will find the username either. If you look closely at
the username and password box, you will notice it is a Shockwave applet, and
has no need for JavaScript. In short, you will need to get this Shockwave file
and open it to see what the password is. Down on line 84 you will notice the
line 'embed src="level2.swf"', which is basically the location the file is
going to be fetched from, and since there's no address in front of it (i.e.
http://www.try2hack.nl) the browser will assume that the file location is
relative to where the page is (level2-xfdgnh.xhtml), so the location of the
Shockwave file is
http://www.try2hack.nl/levels/level2.swf - put that URL into your
browser, and when it loads, save the file to your desktop (File -> Save As)
and then open it using notepad. This file is somewhat 'compiled' and you will
see a lot of junk, but the username and password have been conveniently left
as plain text. Look for the words 'txtUsername' and 'txtPassword' and what
comes after those. Keep in mind, if you get it wrong nothing will happen.
Level 3
Location:
http://www.try2hack.nl/levels/level3-.xhtml
Username: N/A
Password: try2hackrawks
Another one that uses fake passwords to trick you, but also throws in a fake
URL to let you think you can just skip it and go to the next level. Not that
easy, as you will find out. This level uses JavaScript, but since the correct
password isn't in the page source, it must be using an external file for its
authentication, and the page has to point to that file. The line that says
'script src="JavaScript"' points to the file source, and since it doesn't
have the 'http://www' stuff in front of it, it's relative to where the
page is. Point your browser to
http://www.try2hack.nl/levels/JavaScript
(don't forget it's case sensitive) to get the correct password, and the URL for
the next level.
Level 4
Location:
http://www.try2hack.nl/levels/level4-kdnvxs.xhtml
Username: appletking
Password: pieceofcake
TBA
Level 5
Location:
http://www.try2hack.nl/levels/level5-fdvbdf.xhtml
Username: Try2Hack
Password: ILoveDodi
This asks you to download a VB3 program and run it to play. You will require
the VB3 runtime dll (vbrun300.dll) for it to work. As with any program you want
to hack, you need to de-compile it. (Viewing the file in notepad will produce
garbage, but a little way down you will see a plain-text URL for level 6.
Another fake.) A VB3 de-compiler (vbdis22e) is available online for free if you
can find it. Get it, run it, select the level5.exe file, de-compile it. This
will produce quite a few files, but the ones of interest are 'main.txt' and
'level5.bas'. Open 'level5.bas' and have a look. Basically, the line
'Sub cmdLogin_Click ()' is the function that runs when you click the 'Login'
button, and this is the function that checks to see if the username/password
is right. The next line checks to see if what you typed as the username is
right. It figures this out by adding some values together (just another task
to make you work more); it figures out these values from the line 'Global
Const gc0006' in main.txt - basically it's adding the 56th character with the
28th character with the 35th character, etc. The formula is something like
this:
| 56 | 28 | 35 | 3 | 44 | 11 | 13 | 21 |
| T | r | y | 2 | H | a | c | k |

| 45 | 48 | 25 | 32 | 15 | 40 | 25 | 14 | 19 |
| I | L | o | v | e | D | o | d | i |
If you've done your homework, you would have found that Dodi is the name of the
guy who created this VB3 de-compiler. Note that the username/password for this
level is CaSe SeNsItIvE!
Level 6
Location:
Username: dabomb
Password: encryptionrawks
This asks you to download a VB6 program and run it to play. For it to work you
need the VB6 runtime dll, and you may also need the files richtx32.ocx and
mswinsck.ocx - put the .ocx files into your system32 dir (c:\windows\system32
for win9x; c:\winnt\system32 for NT/2k), bring up a command prompt and type
'regsvr32 filename' where filename is the name of the .ocx file.
Do it for both files. Don't bother looking for a VB6 decompiler, there
isn't one available (for free anyway) and it's not needed. Instead, you will
need a packet sniffer, as this program uses the internet for its
authentication. A good packet sniffer is Ethereal - for this to work properly
you will also need WinPcap - download and install these programs, run Ethereal,
then run level6.exe. In the username/password box of level6.exe type anything
you want, you just want to send a request to the server the first time around.
Before you hit the 'login' button, make sure you enable 'capture packets' in
your packet sniffer; this will start the sniffing process. Click on the 'login'
button on level6 and watch the packet sniffer do its job. When level6
comes back and says your password is incorrect, stop the packet sniffer, then
examine the packets that it caught (it might help to stop any other network
activity that is going on to reduce the number of packets, making it easier for
you). Look for a packet that contains the word 'GET' - this is saying that it
is retrieving something (in this case, the username/password) - the text after
that says '/levels/level6.data', so that's the file that contains the info we
need. (Remember, since it doesn't have the 'http://www' stuff in front of it,
it's relative to the location of the page. Also note that it starts with
a '/' and that means that it starts at the 'root directory' of the website, or
the very first location of the website.) Put the URL
http://www.try2hack.nl/levels/level6.data
into your browser and you will
see what the username/password is. But that is only half of the job. The
username/password is encrypted, so you now have to decrypt it. It tells you
the encryption type is 'B*C*N**N', which is an actual word, you just have to
fill in the blanks. If you know your cryptology then you'll know that this is
'BACONIAN'.
BACONIAN: Also known as 'Baconian Biliteral Cipher' - developed by Sir
Francis Bacon using a 5-bit binary encoding and utilizing a variation in type
face as the key. There is ample evidence showing that Bacon was indeed the
author of Shakespeare's work and these works are riddled with Baconian ciphers.
Think of Baconian as binary, except you use 'a' and 'b' instead of '0' and '1'.
Also keep in mind that 'i' and 'j' are the same, as are 'u' and 'v' - the table
below explains the cipher:
| aaaaa = a | aaaab = b | aaaba = c |
| aaabb = d | aabaa = e | aabab = f |
| aabba = g | aabbb = h | abaaa = i/j |
| abaab = k | ababa = l | ababb = m |
| abbaa = n | abbab = o | abbba = p |
| abbbb = q | baaaa = r | baaab = s |
| baaba = t | baabb = u/v | babaa = w |
| babab = x | babba = y | babbb = z |
So, using the table above:
| aaabb | aaaaa | aaaab | abbab | ababb | aaaab |
| d | a | b | o | m | b |

| aabaa | abbaa | aaaba | baaaa | babba | abbba | baaba | abaaa | abbab | abbaa | baaaa | aaaaa | babaa | abaab | baaab |
| e | n | c | r | y | p | t | i | o | n | r | a | w | k | s |
You don't need to work out the '(PAGE)' section, the program does that for you.
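The table and the hand decoding above, written as a small decoder. This is an
added example, not part of the original walkthrough or of try2hack; the names
decode, encode, USERNAME_GROUPS and PASSWORD_GROUPS are made up for it.

```python
import string

# Alphabet from the table above: i/j and u/v share a code, leaving 24 letters.
ALPHABET = [c for c in string.ascii_lowercase if c not in "jv"]
# Letter n (0-based) maps to n written as 5 binary digits, with a=0 and b=1.
CODES = {c: format(n, "05b").replace("0", "a").replace("1", "b")
         for n, c in enumerate(ALPHABET)}
LETTERS = {code: c for c, code in CODES.items()}


def decode(ciphertext):
    """Decode a/b groups; whitespace and '|' separators are ignored."""
    symbols = [c for c in ciphertext.lower() if not c.isspace() and c != "|"]
    if set(symbols) - set("ab"):
        raise ValueError("ciphertext may only contain 'a' and 'b'")
    if len(symbols) % 5:
        raise ValueError("ciphertext length is not a multiple of 5")
    out = []
    for i in range(0, len(symbols), 5):
        group = "".join(symbols[i:i + 5])
        if group not in LETTERS:  # bbaaa..bbbbb have no letter assigned
            raise ValueError(f"group {group!r} is not in the table")
        out.append(LETTERS[group])
    return "".join(out)


def encode(plaintext):
    """Encode letters; j folds into i and v into u, so decoding is lossy."""
    folded = plaintext.lower().replace("j", "i").replace("v", "u")
    return " ".join(CODES[c] for c in folded if c in CODES)


# The groups worked through by hand above.
USERNAME_GROUPS = "aaabb aaaaa aaaab abbab ababb aaaab"
PASSWORD_GROUPS = ("aabaa abbaa aaaba baaaa babba abbba baaba abaaa "
                   "abbab abbaa baaaa aaaaa babaa abaab baaab")

if __name__ == "__main__":
    print(decode(USERNAME_GROUPS))
    print(decode(PASSWORD_GROUPS))
    print(decode(encode("java")))  # shows the i/j and u/v ambiguity
```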
Level 7
Location:
http://www.try2hack.nl/levels/level7-xfkohc.php
Username: N/A
Password: N/A
For this one, you need to pretend that you are using Internet Explorer 7.66
on a Unix system, and that the referral was from
'http://www.microsoft.com/ms.htm'. This one is an easy one, you just need to
spoof the HTTP headers.
In Windows:
No idea, working on it...
In Linux:
wget http://www.try2hack.nl/levels/level7-xfkohc.php \
--header='User-agent: MSIE 7.66;Unix' \
--header='Referer: http://www.microsoft.com/ms.htm'
Either way, you should end up with a page that tells you the location of
level 8.
Level 8
Location:
http://try2hack.nl/levels/level8-balnrg.xhtml
Username: root
Password: arsanik
This level uses an old phf exploit that allows you to execute anything you
want. This is stored on a Linux system, so knowing a little about how Linux
works, and what commands to use, helps. Entering the URL
http://www.try2hack.nl/cgi-bin/phf?Qalias=3Dx%0a/bin/cat%20/etc/passwd
into your browser will present the password file for that system. Breaking it
down a bit, '?Qalias=3Dx%0a' is the exploit that allows you to execute
code. '/bin/cat' is the command that prints the contents of a file
to the screen, '%20' is a URL-encoded space, and '/etc/passwd' is the actual
file containing the passwords. Save the results, and use a password cracking
program like John the Ripper to get the password. It uses standard DES
encryption, which is easy to crack. It takes 2min10secs on my machine. It will
produce the username 'root' and the password 'arsanik'.
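Seen from the server side, the request above stands out in an access log
because its query string carries a percent-encoded newline. The check below is
an added example, not part of the original walkthrough: the log lines are
constructed, Common Log Format is assumed, and the function name is made up.

```python
import re
from urllib.parse import unquote

# Constructed sample log (Common Log Format, documentation-range addresses).
SAMPLE_LOG = """\
192.0.2.10 - - [25/Jul/2003:10:01:12 +0000] "GET /levels/level6.data HTTP/1.0" 200 412
198.51.100.7 - - [25/Jul/2003:10:02:40 +0000] "GET /cgi-bin/phf?Qalias=3Dx%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 1830
192.0.2.10 - - [25/Jul/2003:10:03:05 +0000] "GET /cgi-bin/search?q=hello%20world HTTP/1.0" 200 950
203.0.113.5 - - [25/Jul/2003:10:04:19 +0000] "GET /cgi-bin/form?name=a%0D%0Ab HTTP/1.0" 200 77
"""

# client, method, request target and status code of one log line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
# A legitimate query string has no reason to decode to a control character.
CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")


def find_control_char_queries(log_text):
    """Return requests whose percent-decoded query holds a control character."""
    hits = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # not a line in the assumed format
        client, method, target, status = match.groups()
        path, _, query = target.partition("?")
        decoded = unquote(query)
        if CONTROL_RE.search(decoded):
            hits.append({
                "client": client,
                "path": path,
                "status": int(status),
                # escape the control characters so the report stays one line
                "query": decoded.encode("unicode_escape").decode("ascii"),
            })
    return hits


if __name__ == "__main__":
    for hit in find_control_char_queries(SAMPLE_LOG):
        print(hit)
```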
Level 9
Location: -
Username: -
Password: -
Level 9 hasn't been completed yet, come back later.