Grump .... stuck ... whine

[andro1d]

There's some issues with the C code.

Firstly, the example given wouldn't compile because strcat and strlen are defined in "cstring", which is not included as a library in the code. Secondly, the program will more than likely crash after every run attempt due to the fact that the 200 byte array is not being initialized to 0, thus causing an unintentional buffer overflow.

This should be the replacement:

Code: Select all

char concatenated[200] = {0};

Also, to trigger a buffer overflow (i.e. to overwrite the value of is_pass_correct) the variables need to be contiguous in memory, there is no way to enforce this.

Anyway, if you're up to the "buffer overflow" section, the only hint I can give you is to look at the code and realize you're attempting to overwrite the value of a variable to trigger a "correct" response. How would you trigger a correct response? What value needs to be returned in order for that to happen? It has been mentioned in this thread that is a single capital letter. This should be informative enough.

[kugans]

Just managed to complete it myself, here's a few "tricks" that might help :

I'm a lazy guy, instead of writing forms and stuff like that I just use the LiveHTTPHeaders firefox plugin and use the "Replay" function, directly editing the GET/POST/cookie/Referer/Agent data. (I used that for all the others missions too, it's really handy)

For the $_SESSION part, I was stuck for a while till I realised we're actually trying to fake the file with the login infos. That's why we use a totally unrelated file, part of the content it has is like the real thing so the script is lured into thinking it's a correct file.

I used http://www.passcracking.com/ for md5 reversal, or you can google "password recovery md5" there's plenty around (and it's usually faster than MDCrack as far as I've seen)

If you get weird errors with pkcrack (like I had) you can always download the source code and compile it, takes only a few extra seconds and that should solve everything (in most cases).
I managed to get the right file length with Winace v2.69, had to put it on Maximum compression setting though.

As for why we use a specific character in the buffer overflow you need to find a specific file (that is actually in a .zip) somewhere on the website (it was mentioned a few times before, it contains C code). I jumped too fast to the last login page, totally missed some paths (and some valuable infos at the same time, including that file) and got stuck there for a while before I realized it.

[cdonkin]

I was wondering if anyone could offer me any advice. I've found the zip file and created another zip with the correct amount of bytes.

I'm using pkcrack with the following command:

*******.exe -C ******.zip -c "m**c (f**s **** di*******t fo****rs)\******.h*m" -P index.zip -p index.htm -d unzip.zip

And I get the error :

File misc (files from different folders)\index.htm not found in ZIP file

As far as I can tell from the tutorial, what other people have said and web videos I am using the exact same command needed.

[Defience]

I was wondering if anyone could offer me any advice. I've found the zip file and created another zip with the correct amount of bytes.

I'm using pkcrack with the following command:

*******.exe -C ******.zip -c "m**c (f**s **** di*******t fo****rs)\******.h*m" -P index.zip -p index.htm -d unzip.zip

And I get the error :

File misc (files from different folders)\index.htm not found in ZIP file

As far as I can tell from the tutorial, what other people have said and web videos I am using the exact same command needed.

The original file and the compressed file both should be dropped back into the "found zip" they came from, not separate zips. Also make sure that the zip file is in your pkcrack directory, otherwise you have to specify the whole path. Then run pkcrack on it:

C:\pkfolder>pkcrack -C FOUND.zip -c ORIGINAL.htm -P FOUND.zip -p COMPRESSED.htm -d unzip.zip

Notice that the 'found zip' is used 2x in there? It looks like you're using 2 different zip files (I'm assuming by the number of '*'s).
Review the help file in pkcrack to see what each flag is for.

[cyberdrain]

I was wondering if anyone could offer me any advice. I've found the zip file and created another zip with the correct amount of bytes.

I'm using pkcrack with the following command:

*******.exe -C ******.zip -c "m**c (f**s **** di*******t fo****rs)\******.h*m" -P index.zip -p index.htm -d unzip.zip

And I get the error :

File misc (files from different folders)\index.htm not found in ZIP file

As far as I can tell from the tutorial, what other people have said and web videos I am using the exact same command needed.

In addition to what Defience said, you should use one of the shareware programs (e.g. Winzip or Winrar) to create the new archive, 7-zip for example didn't cut it for me on default (or used to, can't say anything about now). Seems like some programs use very different default settings or algorithms than the one used for the already zipped found file.

[rudxai]

UPDATE:
! OMG i didn't realize that you had to dl and save the original plaintext...Like a fool, i was just compressing the newly extracted one from the encrypted file with extract.exe. gah >.<
BUT do you know what the funniest thing of all is? That using WinZip to make the new compressed file, the bytes are more! But using Winrar the bytes are 1245. Wow... epic challenge fail.

Great..now I'm at the m****u*h.**p part, I submit the altered stuff and i get a blank screen,go back to view the messages and get a blank screen again! is that a bug or am i missing something?

[Yaulp]

Just to advise windows users that dont have in mind to install Linux just for that kind of waste of time,
pkcrack will only say "Sorry, not enough memory available" on windows NT 6.1 (windows 7).
I do not see the interest to spend hours on how to crack an archive where we must have some files already, i think its an unreal case.
Nevertheless thx for the 14 others realistics missions, trained me a lot!

Cheers

[impulse_x]

I'm struggling with getting the unzip.zip file.

I have pkcrack for Linux. I'm using the linux zip program. (Is this ok?) I'm not getting the right size for the zip file.

zip -9 i.zip index.htm gives me 1408.

I've also tried on my windows box using Winrar, but that zips to 1356.

So even attempting the pkcrack doesn't work.

pkcrack -P b*.z* -p m*...tm -C index.zip -c index.htm -d unzip.zip

This produces:

Generating 1st generation of possible key2_1251 values...done.
Found 4194304 possible key2-values.
Now we're trying to reduce these...
Done. Left with 6422 possible Values. bestOffset is 24.
Stage 1 completed. Starting stage 2 on Thu May 16 17:19:17 2013
Stage 2 completed. Starting zipdecrypt on Thu May 16 17:23:48 2013
No solutions found. You must have chosen the wrong plaintext.
Finished on Thu May 16 17:23:48 2013

So clearly I'm not doing this right. Under Linux, aside for zip, do I have any other options?

This is certainly an 'insane' mission.