Please ask questions ONLY in this topic.

A little girl made a website to post poetry related to peace and understanding. American fascists have hacked this website replacing it with Hitler-esque propaganda. Can you repair the website?

Re: Please ask questions ONLY in this topic.

Post by -Ninjex- on Mon Jan 28, 2013 2:42 pm
([msg=72780]see Re: Please ask questions ONLY in this topic.[/msg])

corbonium wrote:I completed this mission, but maybe by luck, if you count educated guesses as luck. So I have a question:

How do you know that directory traversal is the key? I could not find any evidence that anything is stored in different directories at all.


You don't really know that it is key! Just like you wouldn't know if a web-site filters SQLi, or XSS... You test it out, and if it works, you know it is vulnerable to such attacks, and if it fails, you know it is not vulnerable to those attacks. The first page was overwritten by another index file tells you that the user was able to upload his index page, and replace the actual index file, on the site. With that information, you know that there should be a way to upload a new index file onto the site. The obvious attack choice is directory traversal attack when you see there is a upload form.
If you're not willing to learn, no one can help you. If you're determined to learn, no one can stop you.⠠⠵
The absence of evidence is not evidence of absence.
I can explain it for you, but I can't understand it for you.
^(-.^)>
User avatar
-Ninjex-
Addict
Addict
 
Posts: 1468
Joined: Sun Sep 02, 2012 8:02 pm
Blog: View Blog (0)


Re: Please ask questions ONLY in this topic.

Post by corbonium on Mon Jan 28, 2013 3:07 pm
([msg=72786]see Re: Please ask questions ONLY in this topic.[/msg])

The first page was overwritten by another index file tells you that the user was able to upload his index page, and replace the actual index file, on the site. With that information, you know that there should be a way to upload a new index file onto the site. The obvious attack choice is directory traversal attack when you see there is a upload form.


the upload form was indeed the dead giveaway for me, but it did not cross my mind that I should be trying to duplicate the loophole the original hacker exploited. Thinking about it, it now becomes clear as to the reason why both index pages are all in 1 line. It is not to make your life a pain in the ass, and it is not because the original author and the hacker like to write things all on 1 line. it is to do you a favor by giving you a realistic hint to the solution the hacker used. And I give back this knowledge as a hint to those who come after me.

I'm reading that people are stumped or it took them 5 days to complete this mission.. i managed it in about 1 hour... does that mean I'm getting better at this?
corbonium
New User
New User
 
Posts: 15
Joined: Wed Jan 02, 2013 8:11 pm
Blog: View Blog (0)


Re: Please ask questions ONLY in this topic.

Post by digitalsuicide on Mon Feb 04, 2013 9:23 am
([msg=73391]see Re: Please ask questions ONLY in this topic.[/msg])

This is glaringly simple, took a while to figure it out, I actually tried the solution the first time but missed out the traversal thinking everything was rooted... doi!

Question is, I never managed to actually list the directory content, is this possible? :?:
digitalsuicide
New User
New User
 
Posts: 1
Joined: Mon Feb 04, 2013 9:19 am
Blog: View Blog (0)


directories

Post by RedPotion on Fri Feb 15, 2013 8:16 pm
([msg=73824]see directories[/msg])

Are the poems stored in http://www.hackthissite.org/missions/realistic/3/ or are they stored in http://www.hackthissite.org/missions/realistic/3/[SUBDIRECTORY]

I'm trying to understand why something worked and something else I tired originally didn't.

Thanks
RedPotion
New User
New User
 
Posts: 1
Joined: Fri Feb 15, 2013 7:56 pm
Blog: View Blog (0)


Re: Please ask questions ONLY in this topic.

Post by Snipeon on Wed Feb 20, 2013 7:00 pm
([msg=73920]see Re: Please ask questions ONLY in this topic.[/msg])

damn, took me long enough for this. i was on the right track with the i****.***l, but i kept ignoring the source hints. finally got it, source people, source...
Nobody is ever a master; we are all just noobs who must keep on learning.
User avatar
Snipeon
New User
New User
 
Posts: 27
Joined: Sat Feb 02, 2013 4:32 pm
Blog: View Blog (0)


Re: Please ask questions ONLY in this topic.

Post by impulse_x on Fri May 10, 2013 9:13 pm
([msg=75543]see Re: Please ask questions ONLY in this topic.[/msg])

I don't need to e-mail the poetry guy right? That's just something to make the story interesting?

If so, and I get the "Go On" page, that means I've solved it?
impulse_x
New User
New User
 
Posts: 19
Joined: Fri May 10, 2013 4:57 am
Blog: View Blog (0)


Re: Please ask questions ONLY in this topic.

Post by limdis on Fri May 10, 2013 9:54 pm
([msg=75544]see Re: Please ask questions ONLY in this topic.[/msg])

impulse_x wrote:I don't need to e-mail the poetry guy right? That's just something to make the story interesting?
If so, and I get the "Go On" page, that means I've solved it?

For our own security we only simulate these exploits. You aren't actually 'performing' anything. If you get prompted by the "Go On" icon then yes you have just executed the necessary action that in the specific scenario would complete the end goal.
"The quieter you become, the more you are able to hear..."
"Drink all the booze, hack all the things."
User avatar
limdis
Moderator
Moderator
 
Posts: 1434
Joined: Mon Jun 28, 2010 5:45 pm
Blog: View Blog (0)


Re: Please ask questions ONLY in this topic.

Post by N3nvy on Tue May 28, 2013 10:31 am
([msg=75831]see Re: Please ask questions ONLY in this topic.[/msg])

I was all confused with the commands but they are not necessary, use the simple information and try and see what works and where you may be able to submit information.
Don't skip over information, everything is there for a reason and is usually important to the mission.
N3nvy
New User
New User
 
Posts: 8
Joined: Mon May 27, 2013 9:15 am
Blog: View Blog (0)


Re: Please ask questions ONLY in this topic.

Post by amp1776 on Sun Jun 30, 2013 4:21 pm
([msg=76291]see Re: Please ask questions ONLY in this topic.[/msg])

Very important that the basic missions have been worked through first..
"Pursue one great decisive aim with force and determination." Karl Von Clausewitz
User avatar
amp1776
New User
New User
 
Posts: 9
Joined: Sat Jan 14, 2012 10:28 pm
Blog: View Blog (0)


Re: Please ask questions ONLY in this topic.

Post by Miryafa on Fri Aug 09, 2013 6:44 pm
([msg=76797]see Re: Please ask questions ONLY in this topic.[/msg])

I happy that I finished this mission too, with help.

If anyone's stuck at the same place I was, my hints to you are:
1. don't mess with the url bar; post is not vulnerable the same way as get
2. after checking wikipedia's page try typing exactly what it has
3. only one of the boxes is vulnerable

Naturally, mods please edit if needed.
Miryafa
New User
New User
 
Posts: 8
Joined: Thu Sep 20, 2012 3:08 pm
Blog: View Blog (0)


PreviousNext

Return to (Real 3) Peace Poetry: HACKED

Who is online

Users browsing this forum: No registered users and 0 guests