Welcome to HBH! If you have tried to register and didn't get a verification email, please using the following link to resend the verification email.

Real 14.

By ghostghost | 9009 Reads |
0     0

Ok, this challenge consists of looking at the "structure" itself rather then doing a lot of looking around in the source etc.

Ok, you notice it say's FLog on the page. FLog? What is that? It is hbh native? Don't think so. Look at the side of the page where it says powered by FLog. If you view the source, you'll notice it's a link obviously. So click it! Hmm…it brings you to the authors home page. Interesting. Does it have any relevance to hbh? No, it doesn't. After all he's a hbh hater >: ( lol. Ok, ok, so we know this wasn't actually set up by hbh, it is powered by something other then it. Try going to releases and what not ;) just conduct a research on the product, and accumulate that information towards your advantage. As a big hint, why not google "FLog" flaws? ;)

Ok ok, did you find it? Good, but what on earth is that password thingy :S it's so confusing he can't remember that. That, my friend is a md5 hash. To get it into plain text, you'll need the following:

A hash dictionary attackin' program. I recommend hackin' the box, get it at hackinthebox.no-ip.org/HTB.exe. Or google "john the ripper"

Next you need a good wordlist. Basically, the program will read from the wordlist and try all words from within it to crack the hash. If it indeed matches with the hash, then it will give you a nice output. And we all aleady know what the login name is, so once you crack the hash, login, do what you got to do and congratulations, 40 points have been added ;) and thanks for reading my article, it's my first and I hope it helped!

it's a fairly easy challenge, but I guess it gives you a good practice on finding 3rd party bugs

Comments
ghost's avatar
ghost 18 years ago

that's cool!

ghost's avatar
ghost 18 years ago

yeah very simple real my real and SE are both gonna be hard level challenges :)

ghost's avatar
ghost 18 years ago

Could also mention downloading the flog and setting it up to see where important information can get saved is a possibility. Also MD5 Library on AIM can crack Md5 hashes almost instantly

What_A_Legend's avatar
What_A_Legend 18 years ago

it was simple but i would of looked for a flaw for hours if it wasnt for this article eplaining u have 2 research :P

ghost's avatar
ghost 18 years ago

the md5 libraries were def the way to go if you know how to use jtr and cain already

ghost's avatar
ghost 18 years ago

Yeah md5 library is good, I submitted some 2800 words I believe =) type top 10 I'd be that bahbahbah guy lol

solo's avatar
solo 18 years ago

yeah i agree with the_flash,,, by downloading and setting up the flog we come to know where the critical info is going and how the Flog is behaving… :)

AldarHawk's avatar
AldarHawk 18 years ago

I am very disapointed that this is already allowed. the challenge was just released and the article that tells the exact way to beat it is allowed within like 24 hours! WTF!

ghost's avatar
ghost 18 years ago

don't worry too much alderhawk ;) I like the challenge.. but it's just too easy. It needs a part 2 or something.

anyway, don't use jtr, use google :P

AldarHawk's avatar
AldarHawk 18 years ago

It has nothing to do with the difficulty of the actual challenge. Just the fact that it was released in 24 hours of the challenge being released is what is pissing me off. If you created a challenge and someone released an article on how to beat it less than 24 hours after it was released you would be upset too. I am working on a harder one now BTW. I do not know if it will be usable but we will see ;) This one will use quite a few tricks of the trade that are not even listed on this site.

ghost's avatar
ghost 17 years ago

i didn't download Flog i just google flog exploits. now just cracking the hash with C&A

NightSpyder's avatar
NightSpyder 16 years ago

Hey, I've been trying to do this challenge for some time now but everytime i get the chance to do it, there is something wrong with the information I seem to find on Google. The website for FLog is halted by its host. I found a site that gave me a link to the exploit and the site is no longer available. I'm seriously picking my brain to do this challenge, and it just seems like I am never going to get it done.

ghost's avatar
ghost 13 years ago

It sucks that the author's website is gone, I have to use wayback machine.

zmhack's avatar
zmhack 6 years ago

clicking the "Powered by FLog" link took me to a Wix error page saying "Looks Like This Domain Isn't Connected To A Website Yet!" Googling "FLog" has not supplied anything even remotely useful. searching for "FLog" on securityfocus.com was also a bust.

zmhack's avatar
zmhack 6 years ago

grr!!! :o even the sourceforge.net/p/fblog is inactive with no files for viewing. i tried wayback machine and found the files but i can't download them. grrr!! :o