Please ask questions ONLY in this topic.

[limdis]

oh yeah

[not_essence2]

Every security-related/conscious site does.

[lota7]

OH MY GOD.
I had this figured out hours ago but got screwed by " / ". I used a " \ " instead.
But DT information sites told me windows uses \ ?
Or is that based on the server running? Probably is, but how can I know what server the target is using?

[Shade_of_Gray]

OH MY GOD.
I had this figured out hours ago but got screwed by " / ". I used a " \ " instead.
But DT information sites told me windows uses \ ?
Or is that based on the server running? Probably is, but how can I know what server the target is using?

Generally speaking? Try both.

[conscience]

OH MY GOD.
I had this figured out hours ago but got screwed by " / ". I used a " \ " instead.
But DT information sites told me windows uses \ ?
Or is that based on the server running? Probably is, but how can I know what server the target is using?

Generally speaking? Try both.

Yes, it of course depends on the OS the server is running.

For the "generally speaking" part, Windows accepts forward slash, so it is generally a better idea to try that first.
Also, you can fingerprint the underlying OS by, for example, checking whether the filenames are case-sensitive or not.
Some other characteristics of certain software products can be fingerprinted as well, but I won't go into this as it is not related to the mission.

[gpegasus77]

Ok i cheated and solved it.
Can somebody please tell me WHY it worked?
Understood the teory od DT read tons the posts here then looked for a solution...
would appreciate some explanation on the submission code explanation...

[fashizzlepop]

Why'd you cheat? Why not try solving it on your own now and figure out why.

[gpegasus77]

After 4 days of getting crazy and no poin to get it?
I understood what i did but i was walking blind on it.
I assume i was storing a file but: how to be certain of it?
when i did ../index.html what was the code actually executed?
Trying and trying i get to the answer to this and next realistic solution but i don't alwais get WHY it works on this way.

[Raziels]

Danm bonus points, all lies… lol

Thanks guys, good tips:

Just want to clarify:

Despite bearing similarities between the two missions. (Basic 9 and Realist 4) they have NOTHING to do with each other besides directory traversal(it's called traversal, not transversal... It's not even a word...).

It's good if you can actually learn something...
Basic 9 takes advantage of server side includes vulnerabilities. Allowing server commands to be excused.
Realistic 4, however, takes advantage of a php file() function. The poetries were saved as... well... plain files with no extensions (such as .php, .txt) it's just loaded with include() or require() from the .php display script.

Here is a diagram I've made to help you understand this.
http://img294.imageshack.us/img294/2749/real4uy9.jpg

As a bonus, which is irrelevant to the mission, check out these.
http://www.hackthissite.org/missions/re ... he%20Idiot
http://www.hackthissite.org/missions/re ... ding%20War

Every time you get a "page not found" e.g. http://www.hackthissite.org/missions/realistic/3/poems/
it means the page is forbidden, but the file/directory actually exists!
Every time you get a witty comment and a page not found, it means it doesn't exists at all.

I know this because I've redirected all 403 forbidden to the "page not found" page, because I was tired of getting a anti-DDOS 403 Forbidden page XD

Consider this...

The name of the poem ends up being the name of the file.

Knowing the directory you are in, and index.html is in, is imperative.


Apologies if ive given too much away, please remove if neccessary

IF SPOILER MESSAGE.EDIT() && AUTHOR.APOLOGIZE() END IF
-rjstark
thread:stumped

<SPOILER-ISH>
I once saved a folder(directory) for aircraft in a flight simulator "MyDesigns/Custom" and i was unable to access the contents of that folder(directory) using *nix commands because of the filename
</SPOILER-ISH>

when the file is saved it is saved to the server immediately and the file name is not filtered

http://en.wikipedia.org/wiki/Directory_traversal_attack

One more tip, I was thinking about what would happen to the hacked page, then I realized it’s a climbing attack

[corbonium]

I completed this mission, but maybe by luck, if you count educated guesses as luck. So I have a question:

How do you know that directory traversal is the key? I could not find any evidence that anything is stored in different directories at all.