Jump to content
Posted 15 August 2004 - 09:32 PM
Posted 16 August 2004 - 08:47 PM
Level 5: “smokehouse” Level 5
Sam has gotten wise to all the people who wrote their own forms to get the password. Rather
then actually learn the password, he decided to make his email program a little more secure.
This one is insidious. The thing that threw me was the wording above. In
actual fact this problem is almost identical to the last one, except you
need to fake your referrer URL. There are two obvious ways to do this.
The first is to use curl. This makes the problem ridiculously simple. Just
“curl --referer http://www.hackthissite.org/web/level5/index.php -d
into your favourite unix box with curl installed. I don’t have curl installed
on my machine, and if you’re reading this, it’s likely you don’t either, or
don’t know how to use it. So we’ll go for the second method: telnetting to
This is actually a much more complicated method, since we’ll be talking
HTTP directly to the webserver – the advantage is that it’ll work anywhere
a telnet client is available, which is basically everywhere. I’ll save you the
laborious details of how most of this request was generated (I used the
unix “nc” netcat utility and a dummy form which connected to a special
port), and just give you the data to copy and paste.
POST /hack/level5/level5.php HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q312461;
COME.TO/KEWN M8888888S!!!; .NET CLR 1.0.3705; .NET CLR 1.1.4322)
The above needs a little bit of effort to make it work. First, change the
email address to your email address. Next, count the number of
characters (including the three for “to=”) and change the “Content-
Length” variable to that value.
Now, open up a telnet session to www.hackthissite.org on port 80 (this is
achieved by typing “telnet www.hackthissite.org 80” into your command
prompt on whatever operating system you are running)
As soon as it connects (you won’t see any data coming from the server, so
just give it a few seconds and assume its connected) copy and paste your
created request into your telnet session and press enter a few times.
If it worked, it should say somewhere in the returned text that the
password was sent. Something like this, then the connection being lost:
HTTP/1.0 200 OK
Date: Fri, 11 Jul 2003 05:10:06 GMT
Server: Apache/1.3.20 Sun Cobalt (Unix) Chili!Soft-ASP/3.6.2 mod_ssl/2.8.4
SL/0.9.6b PHP/4.1.2 mod_auth_pam_external/0.1 FrontPage/184.108.40.206
X-Cache: MISS from bri-pr1.tpgi.com.au
Password reminder successfully sent.
After both these steps, check your email for the password!
Edited by HuckerJ, 16 August 2004 - 08:48 PM.
Posted 17 August 2004 - 07:58 AM
Posted 25 August 2004 - 04:45 PM
Current systems: WHAT OS, BackTrack-raw, PCLinuxOS, Peppermint OS 6, Kali Linux
and a custom Linux From Scratch server hosting a bunch of top secret stuff.
0 members, 0 guests, 0 anonymous users