Page 12 of 13

Re: Please ask questions only in this topic.

PostPosted: Fri Mar 21, 2014 9:30 am
by firextin87
Hi all...
OK, I solved this mission, but there is something not so clear to me: the final part of the mission. I don't understand why I need to use "that symbol" to retrieve the admin account. I tried to figure out the system; I think that the page m******r.c** uses a SQL query to retrieve the information, and I suppose this query is: SELECT * FROM [tab_name] WHERE username=[id], so if I use the parameter I used, the query would be: SELECT * FROM [tab_name] WHERE username=[the_symbol_I_used]. What I can't understand is why this query works with that symbol :(
I hope I explained it clearly, and please excuse my bad English.
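Added illustration of the mechanism behind the "symbol" question (this is not code from the thread or from the mission; the mission's real query, table and storage format are not shown on the page, so an in-memory SQLite table with made-up accounts is assumed here). The point: with an equality comparison the symbol is just a literal character and matches nothing, but if the lookup is a pattern match (SQL LIKE here), the wildcard means "match anything" and a single character lists every account. The third function shows the fix that keeps the pattern match but escapes the metacharacters.

```python
"""Why one 'wildcard' character can return every account: if the lookup is
built on pattern matching (SQL LIKE here), the metacharacter means 'match
anything'; an equality test (username = ?) would match nothing.
Constructed example against an in-memory SQLite table; the mission's real
query and table are not on the page and are assumed here."""
import sqlite3

# Constructed sample accounts (not from the mission).
SAMPLE_USERS = [
    ("admin", "admin@example.test"),
    ("alice", "alice@example.test"),
    ("bob", "bob@example.test"),
]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return db


def lookup_exact(db, name):
    """Equality comparison: '%' is an ordinary character here, nothing matches."""
    rows = db.execute(
        "SELECT username FROM users WHERE username = ? ORDER BY username", (name,))
    return [r[0] for r in rows]


def lookup_like(db, name):
    """Pattern comparison: '%' matches any run of characters and '_' any
    single character, so a bare '%' lists the whole table."""
    rows = db.execute(
        "SELECT username FROM users WHERE username LIKE ? ORDER BY username", (name,))
    return [r[0] for r in rows]


def lookup_like_literal(db, name):
    """Hardened: escape the LIKE metacharacters so the user's input is
    matched literally even though the query still uses LIKE."""
    escaped = (name.replace("\\", "\\\\")
                   .replace("%", "\\%")
                   .replace("_", "\\_"))
    rows = db.execute(
        "SELECT username FROM users WHERE username LIKE ? ESCAPE '\\' ORDER BY username",
        (escaped,))
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    for probe in ("admin", "%", "a%", "___"):
        print(f"{probe!r:8} exact={lookup_exact(db, probe)} "
              f"like={lookup_like(db, probe)} literal={lookup_like_literal(db, probe)}")
```

Whether the real page uses SQL, a flat-file lookup or something else, the diagnostic is the same: if a lone wildcard character returns more rows than an exact name does, the comparison is a pattern match and user input is reaching it unescaped.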

Great Mission

PostPosted: Sat May 24, 2014 3:39 am
by horrorshow1984
Thanks for this great challenge, that was so cool =)

Re: Please ask questions only in this topic.

PostPosted: Sun Aug 16, 2015 12:21 pm
by Zanna1x9x
I've completed this mission, but, like firextin87, I'm still not understanding why the use of "that symbol" let me see the admin's data.
Is there someone I can PM to get some more information?

Re: Please ask questions only in this topic.

PostPosted: Fri Jan 01, 2016 4:06 pm
by muddassir
Hello Fellow Hackers,
I just fiddled through all the pages and after I came to the forum, the first post I read was about "poison null byte". How did you people even get the idea of utilizing this technique here? That's my question

Re: Please ask questions only in this topic.

PostPosted: Wed Feb 24, 2016 3:02 pm
by h2athts
Hey all. For those of you who are stuck: forget about trying to bypass the Perl check script in m********.**i, as it can give you a valid id but not the one you need. If you follow that path, just compare the script input with all the functions in the script itself and try them out until you get a positive match. All you need is in that Perl script.
After that, don't forget this might not be related to SQL; the script may be taking other functions from another kind of database script that might be simple, like the symbol you use to get all possible names in queries.

Re: Please ask questions only in this topic.

PostPosted: Sun Mar 20, 2016 8:24 pm
by Faithe25
Hey everyone,

I used the NULL Byte to view the source of a specific CGI file. I wrote a simple java program to determine the correct id, and was able to login to that CGI file. I was able to find an admin username and password. However, when I log in using these credentials I see a page that says "...and of course... It's not that easy to beat this mission."

Could someone please point me in the right direction from here.
Also, I do not know Perl, so I may have missed a few things in those scripts.

Thanks for your help, everyone!


NVM: There were cookie issues....

Re: Please ask questions only in this topic.

PostPosted: Mon Jul 04, 2016 2:09 am
by conscience
It's been awhile since I've completed 'the reals', so I decided to go at them again.
I now feel embarrassingly stupid :lol:
This mission is incredibly easy! Yet I spent hours trying to figure out what to do! Although I didn't remember anything about this, it should have taken like 5-10 minutes or so. I 'walked by' the file that gave me the admin username at least twice without noticing it is what I'm missing. When it suddenly hit me, it hurt. Especially so when I realized how much I poked around in vain searching for this info.

Once you figure out you can leverage n***.cgi to look around the files and folders, it's really a piece of cake.
You see some CGI files of importance, the source of one of which tells you it'll let you in if you can match a certain range of integers. Well, I simply replicated the functionality in JavaScript (5 lines of code) and since the algorithm is straightforward, it was fairly easy and quick to figure out what to throw at the page to gain access to user info.
Now you need to find who the admin is to be able to query him, and if you're like me, you'll take a look (or several) at the file key to this, go on, and then pull out all your hair when you realize your own stupidity :mrgreen:
As soon as you have the username of the admin, you make the query, and, now knowing far more about him than you need, you just need to log in...

Five easy steps, really:
1. You find script1, the one to be used for looking around
2. You find script2, which will give you user info once you get in
3. You analyze the source and quickly figure out an 'id' that'll let you in
4. You find the file with the username of the admin and slap yourse... erm... I mean you use this info to query him
5. You log in with admin credentials and go to script3

This was ultra fun! :geek:

[EDIT]
muddassir wrote:Hello Fellow Hackers,
I just fiddled through all the pages and after I came to the forum, the first post I read was about "poison null byte". How did you people even get the idea of utilizing this technique here? That's my question


Well, if you have never heard about or experienced the phenomenon, you have minuscule chances of figuring it out. On the other hand, if you know such things exist, it's kind of automatic to check how the app reacts if you try to terminate a string in the middle. It's a very basic technique. I don't remember if there is a Basic mission about it; I think there's none like it, but it'd definitely be a must-have.
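Added demo of what "terminating a string in the middle" actually does, for the people asking how the null byte idea comes up. This is not code from the thread or the mission: the directory, file names and the ".html" suffix are made up, and the vulnerable pattern (a CGI that builds "$dir/$name.html" and opens it) is assumed. A Perl string can hold a "\0", but the C open(2) call underneath stops reading the path at the first NUL, so the suffix the script appended is silently dropped. The demo reaches libc open(2) through ctypes because Python's own open() refuses embedded NULs, which the last value shows.

```python
"""Poison null byte as libc sees it. A script that builds a path such as
"$dir/$name.html" keeps the whole string, but the C open(2) it finally
calls reads the path only up to the first NUL, so "secret.cgi\0" + ".html"
opens secret.cgi. Constructed demo using ctypes to reach libc open(2)
directly (Python's own open() refuses embedded NULs); the directory,
file names and suffix are made up for the example."""
import ctypes
import os
import tempfile

libc = ctypes.CDLL(None)          # the running process's own libc (Linux/macOS)
libc.open.argtypes = (ctypes.c_char_p, ctypes.c_int)
libc.open.restype = ctypes.c_int


def build_path(base: bytes, name: bytes, suffix: bytes = b".html") -> bytes:
    """Path the way a naive CGI concatenates it; a NUL inside name survives."""
    return base + b"/" + name + suffix


def libc_open_read(path: bytes):
    """Hand the bytes to open(2) unchanged; return the content, or None."""
    fd = libc.open(path, os.O_RDONLY)
    if fd < 0:
        return None
    with os.fdopen(fd, "rb") as f:
        return f.read()


def vulnerable_read(base: bytes, name: bytes):
    """Assumed vulnerable behaviour: no validation between input and open(2)."""
    return libc_open_read(build_path(base, name))


def hardened_read(base: bytes, name: bytes):
    """Reject NUL and path separators before the string reaches libc, so the
    suffix cannot be cut off and the lookup stays inside base."""
    if b"\x00" in name or b"/" in name or name in (b"", b".", b".."):
        return None
    return libc_open_read(build_path(base, name))


def demo():
    """Set up a constructed directory and compare the behaviours."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "page.html"), "wb") as f:
        f.write(b"<h1>public page</h1>")
    with open(os.path.join(d, "secret.cgi"), "wb") as f:
        f.write(b"#!/usr/bin/perl\n# not meant to be served raw\n")
    base = d.encode()
    poisoned = b"secret.cgi\x00"
    try:                       # Python's open() checks for embedded NUL itself
        open(build_path(base, poisoned), "rb")
        python_refuses = False
    except ValueError:
        python_refuses = True
    return {
        "normal": vulnerable_read(base, b"page"),
        "poisoned": vulnerable_read(base, poisoned),
        "hardened": hardened_read(base, poisoned),
        "python_refuses": python_refuses,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:15} {value!r}")
```

The check that matters is at the boundary between the high-level language and the C library: any string that can carry a NUL must be rejected (or at least have its length compared with strlen of the same buffer) before it becomes a C string. Current Perl releases refuse a pathname with an embedded "\0" themselves, so on a modern interpreter this particular trick fails; older CGI setups like the one in the mission did not have that check.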

Re: Please ask questions only in this topic.

PostPosted: Wed Aug 09, 2017 12:46 pm
by Starman11
I'm stuck on getting the ID from the Perl script. Can someone give me a nudge in the right direction? I've read all the posts in this thread, but I'm not sure how to modify the script to get the correct ID. If I'm not mistaken there is another way to complete this level without messing about with Perl, but I would rather do it the way intended so I can learn a bit of brute forcing/code review. I can code in PHP, but I'm new to Perl.

SQL and PHP are my strongest languages :)

I think I'm going to have to skip this challenge for now because I haven't a clue what to do next

-- Thu Aug 10, 2017 6:47 am --

Completed it, but sort of cheated on this one too. I didn't bother with a Perl brute forcer; there was another vulnerability in the CGI script I didn't know about. I attempted to learn a bit of Perl though, and I will continue to do so, so that maybe one day I will be able to write my own brute force script :) The "wild" hint was very helpful for me; I already knew what that meant.

These missions are mainly about security, although being able to code obviously helps; your first priority is being able to exploit code, I would say. Another slap-yourself mission, but overall a fun experience.

Re: Please ask questions only in this topic.

PostPosted: Tue Feb 20, 2018 12:49 am
by why tspace
I had no idea about a null byte exploit, nor could I have fathomed one, before engaging in this mission. Once I actually knew where to put the null byte exploit, the rest came pretty easily after going through all the other missions before this. But it wouldn't have taken me 5 minutes like a poster above me said. I enjoyed this lengthy, hours-long hunt. I read every page I could, tried cookie stealing and SQL injections, and looked out for any places with directories and scripts. It was hype and spicy.

Multiple ids will work for the perl script, and it was really fun coming up with one. I loaded the script into http://rextester.com/l/perl_online_compiler and did trial and error.

The extra touches in this mission, with the ants, organ donors, stock prices, Washington potatoes, the mockery of Windows 7, and golden flakes, added charm to the mission that I have enjoyed across the others as well. Not letting us know that we're 31337? Unexpected and cool.

This was a really well crafted one. Kudos!

repairing JPEG images

PostPosted: Mon Nov 05, 2018 8:17 pm
by emerald_orb
hi-

Is there a good resource to learn how to repair JPEG images? I'm a little familiar with JPEG headers and am comfortable editing files in hex using vim. I need to know how to find errors in a file beyond just repairing the header.

thanks!
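Added example for the JPEG repair question (not code from the thread): finding damage "beyond the header" means walking the marker segments after SOI and checking each one's declared length against the bytes that are actually there, then stepping over the entropy-coded scan data to the next real marker. The scanner below does that and reports the first point where the container stops making sense, which is where you would go in with the hex editor. The sample file is a constructed minimal baseline JPEG whose structure is valid but whose scan data is filler, so it exercises the scanner but is not meant to be viewed.

```python
"""Structural scan of a JPEG: walk the marker segments, validate each
declared length against the bytes actually present, step over the
entropy-coded scan data, and report where the container breaks.
Constructed example (not from the thread); it checks structure only and
does not decode the image."""
import struct

MARKER_NAMES = {0xC0: "SOF0", 0xC1: "SOF1", 0xC2: "SOF2", 0xC4: "DHT",
                0xD8: "SOI", 0xD9: "EOI", 0xDA: "SOS", 0xDB: "DQT",
                0xDD: "DRI", 0xE0: "APP0", 0xE1: "APP1", 0xFE: "COM"}
SOI, EOI, SOS, RST0, RST7, TEM = 0xD8, 0xD9, 0xDA, 0xD0, 0xD7, 0x01
STANDALONE = {SOI, EOI, TEM} | set(range(RST0, RST7 + 1))  # no length field


def scan_jpeg(data: bytes):
    """Return (segments, problems); segments are (offset, name, size)."""
    segments, problems = [], []
    if data[:2] != b"\xff\xd8":
        return segments, ["missing SOI marker at offset 0"]
    segments.append((0, "SOI", 2))
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            problems.append(f"expected marker at {pos:#x}, found {data[pos]:#04x}")
            pos = data.find(b"\xff", pos)       # try to resynchronise
            if pos < 0:
                break
            continue
        while pos + 1 < len(data) and data[pos + 1] == 0xFF:  # 0xFF fill bytes
            pos += 1
        if pos + 1 >= len(data):
            problems.append("file ends inside a marker")
            break
        code = data[pos + 1]
        name = MARKER_NAMES.get(code, f"M{code:02X}")
        if code == EOI:
            segments.append((pos, "EOI", 2))
            if len(data) > pos + 2:
                problems.append(f"{len(data) - pos - 2} trailing bytes after EOI")
            return segments, problems
        if code in STANDALONE:
            segments.append((pos, name, 2))
            pos += 2
            continue
        if pos + 4 > len(data):
            problems.append(f"{name} at {pos:#x}: truncated length field")
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        end = pos + 2 + length
        if length < 2 or end > len(data):
            problems.append(f"{name} at {pos:#x}: declares {length} bytes, "
                            f"{len(data) - pos - 2} available")
            break
        segments.append((pos, name, 2 + length))
        if code in (0xC0, 0xC1, 0xC2):      # SOFn: 8 header bytes + 3 per component
            ncomp = data[pos + 9] if length >= 8 else 0
            if length != 8 + 3 * ncomp:
                problems.append(f"{name} at {pos:#x}: length {length} does not "
                                f"fit {ncomp} components")
        if code == SOS:
            # Entropy-coded data follows. Inside it, 0xFF is either stuffed
            # (0xFF 0x00) or starts an RSTn marker; anything else ends the scan.
            pos = end
            while True:
                i = data.find(b"\xff", pos)
                if i < 0 or i + 1 >= len(data):
                    problems.append("scan data runs to end of file without EOI")
                    return segments, problems
                m = data[i + 1]
                if m == 0x00 or RST0 <= m <= RST7:
                    pos = i + 2
                elif m == 0xFF:
                    pos = i + 1
                else:
                    pos = i
                    break
            continue
        pos = end
    problems.append("no EOI marker")
    return segments, problems


def _segment(code, payload):
    return bytes([0xFF, code]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed 8x8 greyscale baseline JPEG: valid marker structure, filler
# scan data (for exercising the scanner, not for viewing).
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(0xDB, b"\x00" + b"\x01" * 64)
    + _segment(0xC0, b"\x08\x00\x08\x00\x08\x01\x01\x11\x00")
    + _segment(0xC4, b"\x00\x00\x01\x05\x01\x01\x01\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00"
               + bytes(range(12)))
    + _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x2a\xff\x00\x51"                  # scan data with one stuffed 0xFF 0x00
    + b"\xff\xd9"
)


def segment_names(data):
    return [name for _, name, _ in scan_jpeg(data)[0]]


if __name__ == "__main__":
    damaged = bytearray(SAMPLE_JPEG)
    damaged[22:24] = b"\xff\xff"               # corrupt the DQT length field
    for label, blob in (("intact", SAMPLE_JPEG), ("truncated", SAMPLE_JPEG[:-2]),
                        ("bad DQT length", bytes(damaged))):
        segs, probs = scan_jpeg(blob)
        print(label, [n for _, n, _ in segs], probs)
```

Reading the report: a length that overshoots the file usually means a corrupted length field or a chunk cut out of the middle, a scan that reaches end of file without EOI means the tail is missing, and trailing bytes after EOI are harmless padding or a second embedded file. Errors inside the entropy-coded data itself (a decoder complaining about bad Huffman codes) are not visible to this scanner; for those you compare against the DHT/DQT tables and the restart-interval (DRI) boundaries, which is where the byte-level repair work starts.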