Hacking – How to hack Jotto Ciphertechs game?

When I was wandering on HVA, I found a thread introducing a guessing game that I discussed on this blog in Rx and permutation. If you want to play, you can try it here: http://jotto.ciphertechs.com/ . For my part, after 14 attempts at brute-forcing the characters of the password, I found that they are “a”, “j”, “m”, “o”, “r”, as in the image below.

Brute force Jotto

After calculating all permutations, I found that the only meaningful one is “major” and was greeted with the message “Congratulations – you guessed major in 15 attempts”. I happened to look at the URL of this page, http://jotto.ciphertechs.com/cgi-bin/jotto2.pl , saw that the game was written in Perl, and a bad thought passed through my head: hack this game to get a better result.

On the first page you enter your name into the variable “player” and are redirected to a new page; I do not see any vulnerability to exploit here.

<form NAME="g" ACTION="cgi-bin/jotto1.pl" METHOD="post">
<input type="text" name="player" >

1. One guess to win

On the new page http://jotto.ciphertechs.com/cgi-bin/jotto1.pl , I see some hints in its source code: my name and a strange variable that could be the answer of the game.

<form NAME="F" ACTION="jotto2.pl" METHOD="post">
<input type="text" size=5 maxlength=5 name="userguess" >
<input type="hidden" name="player" value="rongchaua">
<input type="hidden" name="guess" value="oebja">
<input type="hidden" name="oldguess">
<input TYPE="RESET"  VALUE="Clear">

This strange value has a length of exactly 5 letters, the same as the answer, and the letters are unique too. It reminds me of the famous emperor Caesar and the algorithm named after him, the “Caesar cipher” http://en.wikipedia.org/wiki/Caesar_cipher . In this algorithm you just write down the alphabet, shift it to the left by a number of positions and replace each plaintext letter with the shifted one. For example, rotating the alphabet by 3 places


or by 13 places

Plain: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
Cipher: NOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklm

So try to decode the ciphertext with the popular variants: ROT5 (digits), ROT13 (letters), ROT18 (digits and letters), ROT47 (all printable ASCII characters). You will find that the ciphertext “oebja” decodes with ROT13 to “brown”. After entering this guess I immediately got the congratulation message and was redirected to the winning page.
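As an added example (not code from the original post or from the Vicnum project), here is a small Python decoder that applies the four ROT variants named above to a ciphertext and flags any output that appears in a candidate word list. The word list is constructed from the words that occur in this post and is an assumption; a real check would use a dictionary file.

```python
"""Added example: try the ROT5 / ROT13 / ROT18 / ROT47 variants on a
ciphertext and report which ones yield a known word."""


def rot(text: str, letters: int = 0, digits: int = 0, ascii_all: int = 0) -> str:
    """Rotate letters within a-z / A-Z, digits within 0-9, or every
    printable ASCII character (33..126) for the ROT47 family.
    Characters not covered by the chosen rotation are left unchanged."""
    out = []
    for ch in text:
        if ascii_all and 33 <= ord(ch) <= 126:
            out.append(chr(33 + (ord(ch) - 33 + ascii_all) % 94))
        elif ch.islower() and letters:
            out.append(chr(ord("a") + (ord(ch) - ord("a") + letters) % 26))
        elif ch.isupper() and letters:
            out.append(chr(ord("A") + (ord(ch) - ord("A") + letters) % 26))
        elif ch.isdigit() and digits:
            out.append(chr(ord("0") + (ord(ch) - ord("0") + digits) % 10))
        else:
            out.append(ch)
    return "".join(out)


# The four variants the post lists, expressed as keyword arguments to rot().
VARIANTS = {
    "ROT5": dict(digits=5),
    "ROT13": dict(letters=13),
    "ROT18": dict(letters=13, digits=5),
    "ROT47": dict(ascii_all=47),
}


def decode_all(ciphertext: str) -> dict:
    """Return {variant name: decoded text} for every variant."""
    return {name: rot(ciphertext, **kw) for name, kw in VARIANTS.items()}


# Constructed candidate list: just the words that appear in this post.
WORDS = {"brown", "major", "clear", "abuse", "yield", "about"}


def find_readable(ciphertext: str, words=WORDS) -> list:
    """Return (variant, plaintext) pairs whose output is a known word."""
    return [(name, plain) for name, plain in decode_all(ciphertext).items() if plain in words]


if __name__ == "__main__":
    for name, plain in decode_all("oebja").items():
        print(f"{name:6} -> {plain}")
    print("readable:", find_readable("oebja"))
```

ROT13 and ROT18 both map “oebja” to “brown” because ROT18 is ROT13 on letters plus ROT5 on digits, and the hidden value contains no digits; ROT47 produces punctuation here, which is the usual sign that a value was not encoded with it.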

2. Zero guess to win

Now let’s examine this new page http://jotto.ciphertechs.com/cgi-bin/jotto2.pl to see if we can exploit something:

<form NAME=F ACTION=jotto3.pl METHOD=post>
<input type=hidden name=player value=rongchaua>
<input type=hidden name=cnt value=1>
<input type=hidden name=guess value=oebja>

You can see that the variable “cnt” holds our number of tries. We can change this value to whatever we want and click “Continue” to submit our result to the database. For example, I edited my tries like this:

rongchaua has guessed clear in 14 guess(es) on 2011-03-22 06:14:37
rongchaua has guessed abuse in 0 guess(es) on 2011-03-25 17:24:19
rongchaua has guessed yield in 0 guess(es) on 2011-03-25 17:27:51
rongchaua has guessed major in 1 guess(es) on 2011-03-25 17:30:46
rongchaua has guessed about in -1 guess(es) on 2011-03-25 17:36:45

To edit this value, I used Firefox with the Firebug add-on to browse to the value and edit it.

Firefox and FireBug

With the same method, you can edit the “guess” variable on the guess page http://jotto.ciphertechs.com/cgi-bin/jotto1.pl to a constant value, for example “oebja”, which means the answer is always “brown”. Let your imagination fly with your own techniques to exploit this game.
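Both tricks above (editing “cnt” and pinning “guess”) work because the game keeps its state in hidden form fields that the browser can rewrite. As an added example, not code from the original post or from the Vicnum project, the Python below models the jotto2.pl to jotto3.pl step twice: first as the post describes it, trusting the posted fields, and then with the secret word and the counter held server-side behind an opaque game id, so neither can be edited from the client. The in-memory GAMES store and the SCOREBOARD list are constructed stand-ins for the game’s real database.

```python
"""Added example: hidden-field state (as in the post) versus server-side state."""
import codecs
import secrets

# Constructed stand-in for the scoreboard database the post shows.
SCOREBOARD = []


# --- vulnerable variant: believes whatever the browser posts --------------
def record_win_vulnerable(form: dict) -> tuple:
    """jotto3.pl-style handler: player, ROT13 answer and count all come
    from hidden fields, so an edited 'cnt' of 0 or -1 is stored as-is."""
    entry = (form["player"], codecs.decode(form["guess"], "rot_13"), int(form["cnt"]))
    SCOREBOARD.append(entry)
    return entry


# --- hardened variant: state lives on the server, client holds only an id --
GAMES = {}  # game_id -> {"player", "secret", "cnt", "won"}; in-memory for the example


def new_game(player: str, secret_word: str) -> str:
    """Create a game and return the only value that goes to the browser:
    an unguessable handle. The secret word never leaves the server."""
    game_id = secrets.token_urlsafe(16)
    GAMES[game_id] = {"player": player, "secret": secret_word.lower(), "cnt": 0, "won": False}
    return game_id


def submit_guess(game_id: str, userguess: str) -> tuple:
    """jotto2.pl-style handler: validates the guess, increments the
    server-side counter and reports (won, count)."""
    game = GAMES.get(game_id)
    if game is None:
        raise ValueError("unknown game")
    if game["won"]:
        raise ValueError("game already finished")
    if len(userguess) != 5 or not userguess.isalpha():
        raise ValueError("guess must be exactly 5 letters")
    game["cnt"] += 1  # the only place the count changes; no form field is consulted
    if userguess.lower() == game["secret"]:
        game["won"] = True
        return True, game["cnt"]
    return False, game["cnt"]


def record_win_hardened(form: dict) -> tuple:
    """jotto3.pl-style handler that ignores any posted 'cnt' or 'guess'
    and records only what the server itself observed."""
    game = GAMES.get(form.get("game_id", ""))
    if game is None or not game["won"]:
        raise ValueError("no completed game for this id")
    entry = (game["player"], game["secret"], game["cnt"])
    SCOREBOARD.append(entry)
    return entry


if __name__ == "__main__":
    # The post's tampered submission, accepted by the vulnerable handler.
    print(record_win_vulnerable({"player": "rongchaua", "guess": "oebja", "cnt": "-1"}))
    # The same game against the hardened handler: posted cnt is ignored.
    gid = new_game("rongchaua", "brown")
    print(submit_guess(gid, "major"), submit_guess(gid, "brown"))
    print(record_win_hardened({"game_id": gid, "cnt": "0"}))
```

The hardened variant fixes both findings at once: there is no encoded answer in the page for ROT13 to reveal, and the count is whatever the server incremented, so a posted “cnt” of 0 or -1 changes nothing. In a real CGI deployment the GAMES dictionary would be a server-side session or database row keyed by the id.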

After this step I read this sentence at the end of the website:

Jotto is part of the Vicnum project which was developed for educational purposes to demonstrate common web vulnerabilities.

and then I had no more inspiration to hack it, because it is designed to be hacked. You can try yourself to find more vulnerabilities on this site. Please tell me if you find one, with an explanation. Enjoy yourself.
