Please ask questions ONLY in this topic.

[Damascus2k8]

No Problem Mate!

[tezyn]

First Thank you to everyone that has set up, thought up, or kept up this sight. In the little amount of time that I have been looking around, I have found things, or pointers to learning, that I have been looking for, for a long time.

I just was wondering how possible it would be to make some functional additions to this test.

While I understand that you aren't really going to set up a separate web site for us to really hack, I found the functionality here to be directly misleading in this case.

From my experience with solving this situation, I have found 4 main pages.
1. This has been hacked
2. To be restore
3. How this site works
4. Solve here

The problem IMHO, is that while I was investigating the current code, I applied the technique, that in the end solved the test, on the "How this site works" page, only to receive the infamous "Green screen of Failure" page. Because of this, when I was looking at the "Solve on this page" page, it wasn't until I got the point frustration where you try things you "know won't work," did I solve this problem.

Would it be possible to make a change, so that if you followed the same principal on the "How this site works" page, it would redirect you accordingly, or display something other then the "Green screen of Failure?"

Again, I don't want to complain. The time and effort I spent doing my research was well worth the little amount of frustration that this caused.

[capi-chou]

Here is a diagram I've made to help you understand this.
http://img294.imageshack.us/img294/2749/real4uy9.jpg

This makes it really easy. Too, probably.

[Rc0n]

OK, i'm lost

this is what ive got so far,

i can get the old site up,
i now that it has somthing to do with directory traversal and using ../ attack.

but i can not work out for the life of me how to use the directory traversal, i now it has to be done in the addpoem page but i can't find the poem after i've added it beacuse when i change the url so the name is the name of my poem it saids "can't do that wirdo" so i'm completely lost with what to do so is there someone how can push me in the right direction with how to view my poems and on how to use directory traversal propoley, but somthing that has not all ready been said.

thanks in advance

Rc0n

[mattman059]

This is my first post, so im going to try my best to keep it as "spoiler free" as possible.

You are right that you need to use the add poem function to finish. Think about what page you need to get where. Think about where you are in relation to the index.html file. Have you tried reading a poem yet? If not try that. Look back over the DT stuff you've researched. Hopefully this helps.

[Kiros37100]

Here's a pointer: Your post has a false statement.

[hrangel]

If is this a spoiler please forgive me!!.
Good day guys,

ok, I Got the old page and got the read and submit, as i read on the blog there is not need for ISS or SQL injection or even Java injection right?

OK, i been trying to type the *nix commands on the name text box to submit a poem, and get the same message
"Your poem was successfully added. Thank you for your contributions", ok I'm getting a bit crazy here, ok, what I also did downloaded the submit & read php pages and changed the post for get to give it a try but still have no ide, also readed about D..T.. on http://en.wikipedia.org/wiki/Directory_traversal
can you guys take a look at the wiki page and let me know if what I read was correctly pls, also mm if is not java, sql or iss injection i guess i have to submit an *nix command from the submit poem section, but doesn't matter what *nix command i try it gives the same error.
can anyone give a clue and how you got that clue in order to learn please.

[hrangel]

If is this a spoiler please forgive me!!.
Good day guys,

ok, I Got the old page and got the read and submit, as i read on the blog there is not need for ISS or SQL injection or even Java injection right?

OK, i been trying to type the *nix commands on the name text box to submit a poem, and get the same message
"Your poem was successfully added. Thank you for your contributions", ok I'm getting a bit crazy here, ok, what I also did downloaded the submit & read php pages and changed the post for get to give it a try but still have no ide, also readed about D..T.. on http://en.wikipedia.org/wiki/Directory_traversal
can you guys take a look at the wiki page and let me know if what I read was correctly pls, also mm if is not java, sql or iss injection i guess i have to submit an *nix command from the submit poem section, but doesn't matter what *nix command i try it gives the same error.
can anyone give a clue and how you got that clue in order to learn please.

[hrangel]

Never mind I got it, i was carazy the last 2 days, but it was really easy and the Directory Transversal was it!!

Clue relax and take alook at this http://img294.imageshack.us/img294/2749/real4uy9.jpg.

[simbiotic_chipmunks]

Hi im a newbie in this and I just want to ask something from you guys. Is there a way to see the config of the .php file? because when I go to that file by adding the filename on the website, I can't get the source code of it, all that I can get is the source code of the html file.

thanks in advance...