While browsing HVA, I found a thread introducing a guessing game, which I discussed on this blog in Rx and permutation. If you want to play, you can try it at http://jotto.ciphertechs.com/ . For my part, after 14 attempts at brute-forcing the characters of the password, I found that they are “a”, “j”, “m”, “o”, “r”, as shown in the image below.
After computing all permutations, I found that the meaningful one is “major” and was greeted with the message “Congratulations – you guessed major in 15 attempts”. I happened to look at the URL of this page, http://jotto.ciphertechs.com/cgi-bin/jotto2.pl , and saw that the game was written in Perl; a bad thought passed through my head: hack this game to get a better result.
On the first page you enter your name into the variable “player” and are redirected to a new page; I did not see any vulnerability to exploit there.
<form NAME="g" ACTION="cgi-bin/jotto1.pl" METHOD="post"> <input type="text" name="player" > <input TYPE="SUBMIT" VALUE="PLAY"> </form>
1. One guess to win
On the new page http://jotto.ciphertechs.com/cgi-bin/jotto1.pl , I saw some hints in its source code: my name, and a strange hidden variable that could be the answer to the game.
<form NAME="F" ACTION="jotto2.pl" METHOD="post"> <input type="text" size=5 maxlength=5 name="userguess" > <input type="hidden" name="player" value="rongchaua"> <input type="hidden" name="guess" value="oebja"> <input type="hidden" name="oldguess"> <input TYPE="SUBMIT" VALUE="GUESS"> <input TYPE="RESET" VALUE="Clear"> </form>
This strange value is exactly 5 letters long, the same length as the answer, and its letters are unique too. It reminded me of the famous emperor Caesar and the algorithm named after him, the Caesar cipher (http://en.wikipedia.org/wiki/Caesar_cipher). In this algorithm you write down the alphabet, shift it to the left by a number of positions, and replace each plaintext letter with the shifted one. For example, rotating the alphabet by 3 places gives
or by 13 places
So I tried to decode the ciphertext with the popular variants: ROT5 (digits), ROT13 (letters), ROT18 (digits and letters) and ROT47 (all printable ASCII characters). The ciphertext “oebja” decodes under ROT13 to “brown”. I entered this guess, immediately got the congratulation message, and was redirected to the winning page.
2. Zero guess to win
Now let’s examine this new page http://jotto.ciphertechs.com/cgi-bin/jotto2.pl to see whether there is something to exploit.
<form NAME=F ACTION=jotto3.pl METHOD=post> <input type=hidden name=player value=rongchaua> <input type=hidden name=cnt value=1> <input type=hidden name=guess value=oebja> <input TYPE=SUBMIT VALUE=CONTINUE></form>
You can see that the variable “cnt” holds our number of tries. We can change this value to whatever we want and click “Continue” to submit the result to the database. For example, I edited my tries like this:
rongchaua has guessed clear in 14 guess(es) on 2011-03-22 06:14:37
rongchaua has guessed abuse in 0 guess(es) on 2011-03-25 17:24:19
rongchaua has guessed yield in 0 guess(es) on 2011-03-25 17:27:51
rongchaua has guessed major in 1 guess(es) on 2011-03-25 17:30:46
rongchaua has guessed about in -1 guess(es) on 2011-03-25 17:36:45
To edit this value, I used Firefox with the Firebug add-on to browse to the value and change it.
With the same method, you can edit the guess variable on the guess page http://jotto.ciphertechs.com/cgi-bin/jotto1.pl to a constant value, for example “oebja”, which means the answer is always “brown”. Let your imagination fly with your own techniques to exploit this game.
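As an added example (my own Python, not the game's Perl code), the following shows why both tricks above work and what stops them: a Caesar/ROT-n decoder that recovers “brown” from the hidden “oebja” by walking all 25 shifts, and an HMAC-tagged form state (the server secret and the player|guess|cnt layout are assumptions) that rejects a client-edited “cnt” or “guess” value before it reaches the database.

```python
import hashlib
import hmac


def rot(text, shift):
    """Caesar/ROT-n: shift each letter by `shift` positions, wrapping around the alphabet.
    Digits and punctuation pass through unchanged. ROT13 is its own inverse."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def all_shifts(cipher):
    """Every candidate plaintext for a Caesar-obfuscated value. The keyspace is 25,
    so a hidden form field protected this way is readable by anyone who views source."""
    return {n: rot(cipher, n) for n in range(1, 26)}


# --- Mitigation: keep per-game state out of the client's hands, or at least detect edits.
# Assumed layout: player|guess|cnt is tagged with an HMAC under a secret that never leaves
# the server. The secret below is a constructed placeholder, not a real value.
SERVER_SECRET = b"constructed-example-secret-change-me"


def sign_state(player, guess, cnt):
    """Return the tag the server would emit alongside the hidden fields."""
    msg = f"{player}|{guess}|{cnt}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def verify_state(player, guess, cnt, tag):
    """True only if the submitted fields match the tag (constant-time comparison).
    Note: a tag stops tampering, but the answer itself should never be sent to the
    browser at all; it belongs in server-side session state."""
    return hmac.compare_digest(sign_state(player, guess, cnt), tag)


if __name__ == "__main__":
    print(all_shifts("oebja")[13])                      # brown
    tag = sign_state("rongchaua", "oebja", 1)
    print(verify_state("rongchaua", "oebja", 1, tag))   # True
    print(verify_state("rongchaua", "oebja", 0, tag))   # False: edited cnt is rejected
```

The tag only catches edits to fields the server already sent; it does nothing about the answer leaking through the “guess” field, which is why the real fix is to keep the answer server-side.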
After this step I read this sentence at the end of the website:
“Jotto is part of the Vicnum project which was developed for educational purposes to demonstrate common web vulnerabilities.”
and then I had no more inspiration to hack it, because it is designed to be hacked. You can try to find more vulnerabilities on this site yourself. Please tell me if you find one, with an explanation. Enjoy yourself.