Please ask questions ONLY in this topic.

[rigger_john]

I'm totaly clueless on this one, so far I have managed to find a directory listing which shows the /admin folder, when I click on that I get a pop up asking for a ussername and password.

I've know idea where to go from there.

I have googled Apache as suggested somewhere else on this thread but I have to be honest it didn't throw any light on the subject.

I'm thinking that I need to either use some sort of SQL in the password and username boxes, to get me into /admin where I think the password hash will be.

Am I even close to the right track?

Any pointers to useful links ect would be very nice

Thanks

[gibbon1993]

yeah, its hard to get. my best so far finding the hash was probably the imageshow one but it still says i dont have permission when i went ../.htpasswd

I've had exactly the same problem i do "showimages.php?file=../.htpasswd" and then it sends a page saying "You Can't View That File"

[rigger_john]

I'm totaly clueless on this one, so far I have managed to find a directory listing which shows the /admin folder, when I click on that I get a pop up asking for a ussername and password.

I've know idea where to go from there.

I have googled Apache as suggested somewhere else on this thread but I have to be honest it didn't throw any light on the subject.

I'm thinking that I need to either use some sort of SQL in the password and username boxes, to get me into /admin where I think the password hash will be.

Am I even close to the right track?

Any pointers to useful links ect would be very nice

Thanks

Anybody?

[T3hR34p3r]

Edit: Nevermind, takes JTR about 4 seconds.

[Jt Persian]

I've been working my butt off on this one, and I'm not even sure of what I'm supposed to be doing.
The thing I've been trying is accessing the directory where htaccess or htpasswd is, and it gives me an error message on 'showimages.php': "You Can't View That File". On every directory I try, every password I put in to try to access the admin folder, it's failed. Plus I tried '../../usr/local/apache/bin/htaccess' and 'images/../ etc.' , and those plus many other variants gave me the same error message.
I tried looking for help elsewhere, but that was no good, so I'm going to my last resort and asking you guys.

[rigger_john]

any help?

[Dosuos]

I'm thinking that I need to either use some sort of SQL in the password and username boxes, to get me into /admin where I think the password hash will be.

Thanks

Anybody?

Its HTTP Basic Authentication. Google for how it works and you will come to know that SQL Injection won't be of any help.

[rigger_john]

Its HTTP Basic Authentication. Google for how it works and you will come to know that SQL Injection won't be of any help.

Well as I said eairlier

I have googled Apache as suggested somewhere else on this thread but I have to be honest it didn't throw any light on the subject.

But at least you steered me away from the SQL stuff, although I'd given up on that anyway. I'll keep pluging away at the HTTP stuff, so thanks for that. If anybody has a link that a bit more specific that would be good too.

Cheers people

[Dosuos]

http://www.colostate.edu/~ric/htpass.html

This tutorial tells you the working detail for this type of authentication.

so, after reading this tut you know which file to go after and "showimages.php?file=" will be your friend for sure.

EDIT:

mission accomplished

after getting the hash, JTR cracked it in seconds . so you know which cracker to use

[HertzRST]

I got the hash

John The Ripper is located in C:\john1701\run

Also in "Run" Folder i've created a pwd.txt file and inside this file i got

username:passwordhash


Then what is the command to crack the hash?:(