Real 14.
Real 14.
ghost | 8835 Reads | Ok, this challenge consists of looking at the "structure" itself rather then doing a lot of looking around in the source etc.
Ok, you notice it say's FLog on the page. FLog? What is that? It is hbh native? Don't think so. Look at the side of the page where it says powered by FLog. If you view the source, you'll notice it's a link obviously. So click it! Hmm…it brings you to the authors home page. Interesting. Does it have any relevance to hbh? No, it doesn't. After all he's a hbh hater >: ( lol. Ok, ok, so we know this wasn't actually set up by hbh, it is powered by something other then it. Try going to releases and what not ;) just conduct a research on the product, and accumulate that information towards your advantage. As a big hint, why not google "FLog" flaws? ;)
Ok ok, did you find it? Good, but what on earth is that password thingy :S it's so confusing he can't remember that. That, my friend is a md5 hash. To get it into plain text, you'll need the following:
A hash dictionary attackin' program. I recommend hackin' the box, get it at hackinthebox.no-ip.org/HTB.exe. Or google "john the ripper"
Next you need a good wordlist. Basically, the program will read from the wordlist and try all words from within it to crack the hash. If it indeed matches with the hash, then it will give you a nice output. And we all aleady know what the login name is, so once you crack the hash, login, do what you got to do and congratulations, 40 points have been added ;) and thanks for reading my article, it's my first and I hope it helped!
it's a fairly easy challenge, but I guess it gives you a good practice on finding 3rd party bugs
ghost 17 years ago
Could also mention downloading the flog and setting it up to see where important information can get saved is a possibility. Also MD5 Library on AIM can crack Md5 hashes almost instantly
What_A_Legend 17 years ago
it was simple but i would of looked for a flaw for hours if it wasnt for this article eplaining u have 2 research :P
ghost 17 years ago
the md5 libraries were def the way to go if you know how to use jtr and cain already
ghost 17 years ago
Yeah md5 library is good, I submitted some 2800 words I believe =) type top 10 I'd be that bahbahbah guy lol
solo 17 years ago
yeah i agree with the_flash,,, by downloading and setting up the flog we come to know where the critical info is going and how the Flog is behaving… :)
AldarHawk 17 years ago
I am very disapointed that this is already allowed. the challenge was just released and the article that tells the exact way to beat it is allowed within like 24 hours! WTF!
ghost 17 years ago
don't worry too much alderhawk ;) I like the challenge.. but it's just too easy. It needs a part 2 or something.
anyway, don't use jtr, use google :P
AldarHawk 17 years ago
It has nothing to do with the difficulty of the actual challenge. Just the fact that it was released in 24 hours of the challenge being released is what is pissing me off. If you created a challenge and someone released an article on how to beat it less than 24 hours after it was released you would be upset too. I am working on a harder one now BTW. I do not know if it will be usable but we will see ;) This one will use quite a few tricks of the trade that are not even listed on this site.
ghost 16 years ago
i didn't download Flog i just google flog exploits. now just cracking the hash with C&A
NightSpyder 15 years ago
Hey, I've been trying to do this challenge for some time now but everytime i get the chance to do it, there is something wrong with the information I seem to find on Google. The website for FLog is halted by its host. I found a site that gave me a link to the exploit and the site is no longer available. I'm seriously picking my brain to do this challenge, and it just seems like I am never going to get it done.
zmhack 5 years ago
clicking the "Powered by FLog" link took me to a Wix error page saying "Looks Like This Domain Isn't Connected To A Website Yet!" Googling "FLog" has not supplied anything even remotely useful. searching for "FLog" on securityfocus.com was also a bust.
zmhack 5 years ago
grr!!! :o even the sourceforge.net/p/fblog is inactive with no files for viewing. i tried wayback machine and found the files but i can't download them. grrr!! :o