Please ask questions ONLY in this topic.

Post by Nyteblade on Mon Apr 14, 2008 1:15 pm

Hello,

I wonder if anyone can point me in the right direction since I'm kinda stuck. So far, I've been able to determine that there are at least 6 different usernames, using the 'User Info' search, for different variations on Gary Hunter. 3 require a password, 2 do not require a password and 1 (admin) has a password of 'admin' and it's at this point I'm sorta stuck.

I noticed the 'cleardir.php' uses a 'dir' in the form of '<username>SQLFiles' which leads me to believe a SQL server is involved. I also noticed that when you log in to the latter 3 accounts, it displays a 'Password: <some-hash>' on the page which I'm currently trying in an MD2 hash crack.

Can anyone steer me in the right direction? I know I'm missing something. :D

EDITED BY FAITH

Please ask questions only in this topic.
Just to keep the forum neat, and hopefully your post more noticed.
Please help us to keep the forum clean by reporting trashy posts. :>
You may start a new post if you're making a tutorial. However, if the tutorials are similar, please do not make two.

I wish you the best of luck with this mission, and hope you enjoy it.

<3 faith.
Nyteblade
New User
Posts: 39
Joined: Mon Apr 14, 2008 10:56 am


Re: Stuck

Post by BhaaL on Mon Apr 14, 2008 1:25 pm

You don't actually have to crack it. Check your cookies.
BhaaL
Poster
Posts: 270
Joined: Sun Apr 13, 2008 11:16 am


Re: Stuck

Post by Nyteblade on Mon Apr 14, 2008 2:04 pm

BhaaL wrote: You don't actually have to crack it. Check your cookies.


OK... I must still be missing something. Checking my cookies doesn't show me anything I don't already know. Is there something I'm still not seeing?
Nyteblade
New User
Posts: 39
Joined: Mon Apr 14, 2008 10:56 am


Re: Stuck

Post by BhaaL on Mon Apr 14, 2008 2:13 pm

I suppose you are logged in, aren't you?
Hint: It doesn't seem to check the password later on...
BhaaL
Poster
Posts: 270
Joined: Sun Apr 13, 2008 11:16 am


Re: Stuck

Post by Nyteblade on Mon Apr 14, 2008 2:36 pm

BhaaL wrote: I suppose you are logged in, aren't you?
Hint: It doesn't seem to check the password later on...


I'm logged in as the 'admin' user.
Nyteblade
New User
Posts: 39
Joined: Mon Apr 14, 2008 10:56 am


Re: Stuck

Post by weekend hacker on Mon Apr 14, 2008 4:07 pm

The 'admin' user is just another random user added by someone trying to complete the mission.
You need to find the correct name and somehow trick the script into thinking he's the one sending money and get rid of any tracks.
weekend hacker
Administrator
Posts: 191
Joined: Sun Apr 13, 2008 2:39 pm
Location: 127.0.0.1


Re: Stuck

Post by nuclearhaxor on Mon Apr 14, 2008 4:10 pm

Edit: No Spoilers
nuclearhaxor
New User
Posts: 7
Joined: Mon Apr 14, 2008 4:07 pm


Re: Stuck

Post by TheMindRapist on Mon Apr 14, 2008 5:21 pm

Did you manage to list all the usernames yet, or did you just use the search function to find names involving Gary? You have to list all the usernames, how could you trick the search function into doing this?
TheMindRapist
Contributor
Posts: 585
Joined: Mon Apr 14, 2008 4:57 pm


Re: Stuck

Post by Nyteblade on Tue Apr 15, 2008 1:01 pm

TheMindRapist wrote: Did you manage to list all the usernames yet, or did you just use the search function to find names involving Gary? You have to list all the usernames, how could you trick the search function into doing this?


I haven't managed to get a list of all the users yet. I'm still working on that part. Having to jump back and forth between this and RL stuff slows me down.
EDIT: I've managed to get the list of everyone now. I had a syntax error in my injection :oops:
Nyteblade
New User
Posts: 39
Joined: Mon Apr 14, 2008 10:56 am


Re: Stuck

Post by Casval on Tue Apr 15, 2008 2:30 pm

Ah, I know how you feel.
When you check the usernames and there's 9384572034589723049587 different variations of the guy's account because some people want to be "clever".
You seem to be on the right track though, the real username is very easy to find.
Casval
New User
Posts: 24
Joined: Mon Apr 14, 2008 7:05 am

