Please ask questions ONLY in this topic.

sniper15 wrote:i'm not sure if this is a spoiler or not but here we go... the hashed file is called .htpasswd so you use that knowledge and that of directory transversal and a little bit of url exploitation and poof there you go. ---------------------------------------- i hope i didn't give to much information away. i didn't really tell you how to accomplish anything just where to look. hope that helps....

-sniper15

"i didn't really tell you how to accomplish anything just where to look."

Yeah -- that would be a spoiler if it were true. Anyway, you're on the line with that one.. People shoud be able to figure that out, especially if they've done the previous ones on their own.

by **DaveDOS** on Fri May 02, 2008 3:46 pm ([msg=1932]see Re: Clueless.[/msg])

Hmm... I found where the administration page is... and I believe that you edit the URL to allow you to see the hashed password file... But the directory transversal I'm using isn't working. No matter what I do, it says I cannot view that file. Even if I do have access to it.

I'm not exactly sure where the password file is even located...

by **Sydeth** on Sat May 03, 2008 6:09 am ([msg=1963]see Re: Clueless.[/msg])

For all of you clueless peoples, you might need some Apache knowledge, at least about authorization.

http://httpd.apache.org/docs/1.3/howto/auth.html

And no, I didn't complete that mission. I can't find the right file.

EDIT: Nevermind, I have completed it. You have to remember, even though the showimages.php script may fool you, it is one directory higher than the images folder. Read this thread once more and you should already know what I'm talking about.

EDIT #2: Also, when you get the file, you might want to crack it. If you are on a *nix system (Linux, *BSD, OSX) just compile John The Ripper. http://www.openwall.com/john/

Sydeth wrote:EDIT #2: Also, when you get the file, you might want to crack it.

<sarcasm>No, just enter in the hash and it will let you in..</sarcasm>

Of course you have to crack it! There's no "might want" about it!

by **Sydeth** on Sun May 04, 2008 5:04 am ([msg=2054]see Re: Clueless.[/msg])

Oh, hush. I'm trying to be polite.

Sydeth wrote:Also, when you get the file, you might want to crack it. If you are on a *nix system (Linux, *BSD, OSX) just compile John The Ripper. http://www.openwall.com/john/

I can't get the straight nix version to run on OS X. The Pro costs like $60. So, does anyone else know of a decent (or not) cracker for OS X?

c24lightning wrote:
Sydeth wrote:EDIT #2: Also, when you get the file, you might want to crack it.

<sarcasm>No, just enter in the hash and it will let you in..</sarcasm>

Of course you have to crack it! There's no "might want" about it!

Here's your sign...

I can't believe I used that, lol

.ht*******d

by **wolfganga** on Fri May 23, 2008 3:40 am ([msg=3073]see Re: Clueless.[/msg])

sniper15 wrote:i'm not sure if this is a spoiler or not but here we go... the hashed file is called .htpasswd so you use that knowledge and that of directory transversal and a little bit of url exploitation and poof there you go. it will dis play the hash file as a broken image (image with a red X in the top right corner). i hope i didn't give to much information away. i didn't really tell you how to accomplish anything just where to look. hope that helps....

-sniper15

most helpful :twisted:

by **Nocteria** on Fri May 30, 2008 1:56 pm ([msg=3745]see Re: Clueless.[/msg])

THIS is annoying!! I can see half of the hash ! but all the browsers i tried are putting some .... and concea the midle part ::@@ any ideas/hints on what i can do here to reveal the whole thing?