Try2Hack – Level 4

Level 4

Opening it in Chrome, I see nothing, so I try to view the source code:

 <!--[if !IE]>-->
  <!--[if !IE]>-->

Well, it’s some sort of Java applet, so I switch to IE to open it. Yes, it’s running, and it requires a login ID and a password to reach the next level.
Download this file: PasswdLevel4.class

Then I use a Java decompiler to view the source code; I use JD-GUI for this task. Here is the part of the code that needs attention:

    // The applet builds a URL for a file named "level4" relative to its own code base
    this.infile = new String("level4");
    try {
      this.inURL = new URL(getCodeBase(), this.infile);
    } catch (MalformedURLException localMalformedURLException) {
      getAppletContext().showStatus("Bad Counter URL:" + this.inURL);
    }

Well, then it must be reading the login ID and password from a file and comparing them with the values entered in the two text boxes for verification.
Download this file: level4

It’s a hex file, so I use a hex viewer to read it. One of my favorites is WebHex, an online hex viewer.

Here is the result:

 	00	01	02	03	04	05	06	07	08	09	0A	0B	0C	0D	0E	0F	0123456789ABCDEF
000000	00	6C	65	76	65	6C	35	2D	66	64	76	62	64	66	2E	78	.level5-fdvbdf.x
000010	68	74	6D	6C	0D	0A	61	70	70	6C	65	74	6B	69	6E	67	html..appletking
000020	0D	0A	70	69	65	63	65	6F	66	63	61	6B	65	0D	0A	 	..pieceofcake..

So, try to log in with: __user | pass = appletking | pieceofcake__
Yeah, I reach the next level..~
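The hex-viewer output above can also be decoded programmatically, which makes the underlying weakness concrete: the applet checks the login on the client against a plaintext file that anyone can fetch from its code base. This is an added example, not part of the original post; the function names are hypothetical, and treating the first record as the next-level page is an assumption based on its name.

```python
import re

# Rows copied from the hex-viewer output shown in the post (header row included).
DUMP = """\
       00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 0123456789ABCDEF
000000 00 6C 65 76 65 6C 35 2D 66 64 76 62 64 66 2E 78 .level5-fdvbdf.x
000010 68 74 6D 6C 0D 0A 61 70 70 6C 65 74 6B 69 6E 67 html..appletking
000020 0D 0A 70 69 65 63 65 6F 66 63 61 6B 65 0D 0A    ..pieceofcake..
"""

def dump_to_bytes(dump):
    """Rebuild the raw file from hex-viewer rows, checking every row offset."""
    data = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        if not tokens or not re.fullmatch(r"[0-9A-Fa-f]{6}", tokens[0]):
            continue  # column header or blank line
        if int(tokens[0], 16) != len(data):
            raise ValueError("offset gap at row " + tokens[0])
        for tok in tokens[1:17]:  # at most 16 byte columns per row
            if not re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
                break  # reached the ASCII column
            data.append(int(tok, 16))
    return bytes(data)

def records(raw):
    """Drop the leading NUL byte and split on CRLF into text records."""
    text = raw.lstrip(b"\x00").decode("ascii")
    return [r for r in text.split("\r\n") if r]

def describe(dump):
    """Label the three records; 'next_page' is an assumed meaning."""
    next_page, login, password = records(dump_to_bytes(dump))
    return {"next_page": next_page, "login": login, "password": password}

if __name__ == "__main__":
    for field, value in describe(DUMP).items():
        print(field + ": " + value)
```

Nothing in the file is hashed or encrypted, so moving the comparison to the server and keeping the credential file out of the web root is the fix.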

Pete Houston

  1. June 6, 2015 at 6:01 pm

    How in the f r u supposed to know how to complete these challenges? And do any of them reflect real-life scenarios? What’s the point of a challenge if you have to look at the answers to complete it? That’s not the way people learn.
