Please ask questions ONLY in this topic.

Re: BudgetSERV

Post by Damascus2k8 on Thu May 29, 2008 6:18 pm

jmillican wrote: Erm, I'm stuck at the start. I've found an admin login page but that's about it.
I know the directory that pages are stored in from typing in a dud page, but I have absolutely no idea how to do Perl Piping or whatever it's called :? . I've tried googling it but I think the topics that I get may not actually be relevant to pipes in this sense.
Help please :?


Ok, for the Perl piping part, a pipe is simply just a '|' character. And I would strongly suggest looking up a good Perl/CGI tutorial (remember Google is your friend) and learning the language, as there will be other times when you will be required to write a Perl program.

As for the mission itself, remember this is a web hosting site, so maybe one of their sites is vulnerable?

Also, (sorry if this seems painful to read) but you are going to have to learn MySQL, or maybe just SQL Injection itself but you still need to know the commands to do it right?

From there, your gained knowledge and your 'hacker-instinct' should guide you to the finish line.

Hope that helps, and good luck!



"Change your thoughts and you change your world!"
Damascus2k8


Re: BudgetSERV

Post by jmillican on Sat May 31, 2008 10:26 am

Ok I've got lots of questions but I'll try and work most out myself.
Just a hint... how do I find the hosted sites?
jmillican


Re: BudgetSERV

Post by djpitagora on Sun Jun 01, 2008 2:51 am

jmillican wrote: Ok I've got lots of questions but I'll try and work most out myself.
Just a hint... how do I find the hosted sites?

In the case of this mission you'd have to know the folder the sites are hosted in. Now that is normally secret, so a vulnerable Perl script might help you...
djpitagora


Re: BudgetSERV

Post by jmillican on Sun Jun 01, 2008 5:16 am

Having tried appending various combinations of UNIX and perl commands etc to the urls of both perl scripts, I'm basically completely and utterly confused about what to do. I've only found the two scripts (and the webmail login.php) and can see where they may be vulnerable, but can't really exploit it.
Can someone PM me please with a bit more help :?
jmillican


Re: BudgetSERV

Post by djpitagora on Sun Jun 01, 2008 10:09 am

jmillican wrote: Having tried appending various combinations of UNIX and perl commands etc to the urls of both perl scripts, I'm basically completely and utterly confused about what to do. I've only found the two scripts (and the webmail login.php) and can see where they may be vulnerable, but can't really exploit it.
Can someone PM me please with a bit more help :?

Research a bit on how to pipe some commands to a Perl script. You can find some interesting materials online: http://www.owasp.org/index.php/Testing_ ... _Injection
djpitagora
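
The "Perl piping" discussed in this thread comes from Perl's two-argument open(), which treats a leading or trailing '|' in the filename string as a request to run a command. The following is an added example, not code from the thread or from the mission: the page directory, the `read_page` handler and the sample inputs are all assumptions. It shows the risky call beside a hardened handler.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);

# Constructed page store standing in for a CGI script's content directory.
my $PAGE_DIR = tempdir(CLEANUP => 1);
open(my $seed, '>', "$PAGE_DIR/features") or die "seed: $!";
print {$seed} "Features page\n";
close($seed);

# RISKY pattern (shown, never called here): two-argument open() parses the
# string for a mode, so a value ending in '|' is executed as a command
# instead of being read as a file.
#   open(my $fh, "$PAGE_DIR/$page");

# Hardened handler (hypothetical name): allow-list the page name, then use
# three-argument open() with an explicit '<' mode so the value can only ever
# be treated as a path to read.
sub read_page {
    my ($page) = @_;
    return (400, "bad page name")
        unless defined $page && $page =~ /\A[A-Za-z0-9_-]{1,64}\z/;
    open(my $fh, '<', "$PAGE_DIR/$page") or return (404, "not found");
    local $/;                       # slurp the whole file
    my $body = <$fh>;
    close($fh);
    return (200, $body);
}

# Constructed inputs: one normal name, then names carrying the characters
# that matter to two-argument open() and to path handling.
for my $input ('features', 'features|', '|features', '../features', "features\0") {
    my ($status, $body) = read_page($input);
    (my $shown = $input) =~ s/\0/\\0/g;   # make the NUL byte printable
    chomp $body;
    printf "%-14s -> %d %s\n", $shown, $status, $body;
}
```

Only `features` returns 200; every other constructed value is rejected by the allow-list before any open() call is made.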


Level Up Not Working?

Post by SuperScience on Mon Jun 09, 2008 1:30 pm

I've got to the end of the mission and I was redirected to a levelup script. However, instead of showing the mission as completed in my profile, the level up php file just says "Begone vile fiend." I have seen others report the same error message upon completing this mission; is there a bug in the script or is there more of the mission to complete?
SuperScience


Re: Level Up Not Working?

Post by SuperScience on Mon Jun 09, 2008 2:27 pm

Never mind, I solved this by changing my browser's user-agent back to its default. I had changed it and forgot to change it back. My User-Agent had SSI code in it... that explains the nature of the error message!
SuperScience


Re: BudgetSERV

Post by bxrbaseball on Mon Jun 16, 2008 11:19 pm

I am having a little trouble with the Perl injection part. To be honest I can't tell if the command is working or not, nor do I have a clue what command I should use. I even tried a simple print command to see if that would output to the page but I either get a page cannot m{[\0.<>\/&\s]} error which I googled and can't find a match or it brings up the features page. I am not able to make any sense of this madness. Thanks in advance to whoever can help me if you think I need help.
bxrbaseball


Re: BudgetSERV

Post by fabulous on Tue Jun 17, 2008 6:50 pm

I haven't been able to pass this mission and I don't know why. I'm stuck at the user agent part. From the article I read I'm supposed to change it if I understood correctly but for some reason I still can't access the mod directory.
fabulous


Re: BudgetSERV

Post by pitagora on Wed Jun 18, 2008 6:55 am

fabulous wrote: I haven't been able to pass this mission and I don't know why. I'm stuck at the user agent part. From the article I read I'm supposed to change it if I understood correctly but for some reason I still can't access the mod directory.


You are supposed to change it and steal a valid session id through XSS. And no... it's not going to be a mod account :) Meaning that after you manage to log in you will still have to exploit a bug to elevate your powers to mod.
pitagora

