Please ask questions in this topic ONLY

Re: Please ask questions in this topic ONLY

Post by ab_221990 on Fri Sep 06, 2013 11:09 pm

limdis wrote:
ab_221990 wrote:
Hey guys,

Any mod or dev I can PM right now? Got a few questions about this mission and the previous one...

Sure. You'll need to post one more time in the forums to use the message system here.


Alright.


Re: Please ask questions in this topic ONLY

Post by R0ot_ on Fri Dec 05, 2014 1:20 pm

Someone must have taken the pass out of the guestbook, because I spent a long time searching it with no luck. Then I had an idea: maybe someone just posted the pass to be a *dick in there. This mission can't be that easy, and why would a kids' guestbook have an administration pass?

So then I started from scratch again: what's with this website? AH! A huge exploit is sitting right in front of me! I don't use Windows (billy boy isn't stepping a foot in my home) so I'm not very good with Windows commands. Had to really think about the clues given by the mission. Although the exploit is there, that doesn't mean you will see it right away. To be honest, sometimes the easiest of exploits sitting right in front of you are very well hidden by your imagination.

For some it will be easy, but then with others like myself you will beat your head on a desk.

You will need to understand how a URL works in this instance and how to make it work for what you want. Look at the page's source in Firebug and see how the guestbook is being served.

I don't want to give too much away; you will learn something new from this, and new things are always great to have under your belt.

Good luck!


Re: Please ask questions in this topic ONLY

Post by icespeech on Sun Sep 20, 2015 4:54 am

Hi everybody :).

I don't know what I was doing wrong but somehow I cannot get things done like others did.
I put the ****:///*:/ paths or just *:/ or ****://*:/ whatever all the combination like many people have mentioned,
and it just keeps saying "File not found." to me.
(My browser is Firefox 40, I don't know if it's the reason for such behavior like it encodes the path or something.)

So I cannot get any information from that directory traversal trick.
Then I just go to the *********.txt and read the messages there,
I've found a filename that looks like the "admin panel" which everyone talked about.
And just by using this filename, I passed this mission.

I don't know if there was something I did wrong actually or this traversal trick just cannot be used in this level again.
Can someone who has finished this level check this by doing that again?
If you can do that, please PM me, because I really want to know what I did wrong.

Thank you. :)

(Sorry if my post is wrong somewhere in English, I'm not native English user :S)


Re: Please ask questions in this topic ONLY

Post by Ethermist on Sun Jan 10, 2016 2:06 pm

It looks like the initial '.pl' does not allow any directory paths to be done within the Address bar provided for the page.
Also, using the URL manually doesn't allow it either.

However, using a different '.pl' with the server directory path formatting worked...

And keep in mind that there are two different formats (depending on how the search is submitted)...
*://*:\
*:///*:/

Hopefully, that's not too spoiler-ish but helps those who know what needs to be done and hit a wall with the navigation.

For me, I just had to step back and try every combination I could think of, in every location I could think of, and with every .pl I knew about...which was tedious but got me to the place I needed to be. And once I found it, I also discovered there were two slightly different ways to get there. =)

./cheers


Re: Please ask questions in this topic ONLY

Post by xorcist_re on Wed Mar 23, 2016 5:24 am

URI and URL manipulation is really the key for this challenge. Reading the source for the pages is the only other thing needed, just be sure to open the source for the frame or open the frame in a new tab first.

Understanding CGI, what it is used for and how it works, is helpful for finding the user/pass without spoilers.

This site helped out: http://www.parkansky.com/tutorials/bdlogcgi.htm#starting


Re: Please ask questions in this topic ONLY

Post by OS_13115 on Wed Apr 20, 2016 9:19 pm

I'm in the zone exploring topics based off clues, learning CGI for Linux and Windows; APIs are interesting. Headed in the direction of admin, need one more link. I've read up but may be missing some key data... info gathering is important, right? Share a link with me you've read. Thank you! :oops:

-- Wed Apr 20, 2016 9:29 pm --

Look at the pages source in firebug and see


Yeah... this tool has an easy-to-read guide also. Love it.


Re: Please ask questions in this topic ONLY

Post by Mod_Smilzo on Tue Oct 11, 2016 11:50 pm

Is that right? Or is it a mistake from the page?
https://i.imgur.com/mtD0ice.png
I can see in the code a warning: "the page cant load iframes"


Return to (Real 12) Heartland School District