Please ask questions only in this topic.

[firextin87]

Hi all...
ok I solved this mission but there is something not so clear for me: the final part of the mission. I don't understand because I need to use "that symbol" to retrieve the admin account. I try to figure out the system, I think that the page m******r.c** uses a SQL query to retrieve the information, and I suppose this query is: SELECT * FROM [tab_name] WHERE username=[id], so if I use the parameter I used the query would be: SELECT * FROM [tab_name] WHERE username=[the_symbol_I_used]. What I can't understand is because this query work with that symbol
I hope I explained, and please excuse me for my bad English.

[horrorshow1984]

Thanks for this great challenge, that was so cool =)

[Zanna1x9x]

I've completed this mission, but, like firextin87, I'm still not understanding why the use of "that symbol" let me see admin's datas.
Is there someone who I can PM to have some more informations?

[muddassir]

Hello Fellow Hackers,
I just fiddled through all the pages and after I came to the forum, the first post I read was about "poison null byte". How did you people even get the idea of utilizing this technique here? That's my question

[h2athts]

Hey all. For you who are stuck. forget the trying to bypass the perl check script in m********.**i as it can give you a valid id but not the one you need. If you follow that path, just compare the script input with all the functions in itself and try them out until a positive match. All you need is in that perl script.
After that dont forget this might not be related with sql and the script is taking other functions from another kind of database script that might be simple, like this symbol you use to get all possible names in querys.

[Faithe25]

Hey everyone,

I used the NULL Byte to view the source of a specific CGI file. I wrote a simple java program to determine the correct id, and was able to login to that CGI file. I was able to find an admin username and password. However, when I log in using these credentials I see a page that says "...and of course... It's not that easy to beat this mission."

Could someone please point me in the right direction from here.




Also, I do not know Perl, so I may have missed a few things in those scripts.

Thanks for your help, everyone!


NVM: There were cookie issues....

[conscience]

It's been awhile since I've completed 'the reals', so I decided to go at them again.
I now feel embarassingly stupid
This mission is incredibly easy! Yet I spent hours trying to figure out what to do! Although I didn't remember anything about this, it should have taken like 5-10 minutes or so. I 'walked by' the file that gave me the admin username at least twice without noticing it is what I'm missing. When it suddenly hit me, it hurt. Especially so when I realized how much I poked around in vain searching for this info.

Once you figure out you can leverage n***.cgi to look around the files and folders, it's really a piece of cake.
You see some CGI files of importance, the source of one of which tells you it'll let you in if you can match a certain range of integers. Well, I simply replicated the functionality in JavaScript (5 lines of code) and since the algorithm is straightforward, it was fairly easy and quick to figure out what to throw at the page to gain access to user info.
Now you need to find who the admin is to be able to query him, and if you're like me, you'll take a look (or several) at the file key to this, go on, and then pull out all your hair when you realize your own stupidity
As soon as you have the username of the admin, you make the query, and, now knowing far more about him than you need, you just need to log in...

Five easy steps, really:
1. You find script1, the one to be used for looking around
2. You find script2, which will give you user info once you get in
3. You analyze the source and quickly figure out an 'id' that'll let you in
4. You find the file with the username of the admin and slap yourse... erm... I mean you use this info to query him
5. You log in with admin credentials and go to script3

This was ultra fun!

[EDIT]

Hello Fellow Hackers,
I just fiddled through all the pages and after I came to the forum, the first post I read was about "poison null byte". How did you people even get the idea of utilizing this technique here? That's my question

Well, if you have never heard about or experienced the phenomena, you have minuscule chances of figuring it out. On the other hand, if you know such things exist, it's kind of automatic to check how the app reacts if you try to terminate a string in the middle. It's a very basic technique. I don't remember if there exists a Basic mission about it, I think there's none alike, but it'd definitely be a must have.