Welcome to HBH! If you have tried to register and didn't get a verification email, please using the following link to resend the verification email.

Real 12


inyourcloset's Avatar
Member
0 0

So… I've read all the other posts on the matter, along with the articles for it. But I'm stuck at the very beginning. I can't seem to locate the dir, or any place that I could get info from, such as a hash, or users. Am I supposed to find the correct PNB to inject into "index.php?page=cafe.php"? I've tried many combinations for dir's, searching through their sources, checking headers, and cookies, etc. But I'm still clueless. The only article for this challenge mentions the similarity of this to basic 9, 10, and "Willy's" php exploits. I cannot find a user with that name, and I have yet to find a google result.

I need a hint.


Huitzilopochtli's Avatar
....
10 9

This was a cool challenge with 2 totally different ways you can complete it, and like the article says its very like basic 12.

Also there is no "correct" null byte, but you dont need one here anyway.


inyourcloset's Avatar
Member
0 0

I don't understand how it resembles basic 12. Sure, there's a protected dir. Sure, there's a protected .htaccess, and, .htpasswd. But unlike, basic 12, they don't give you the password hash at the beginning. I've tried everything I can think of that I've learned so far (which should be enough, according to the article, at least to get the admin).

The only other thing I can think of is maybe I should try using some type of fuzzer to check for dir's I can't think of?


rex_mundi's Avatar
☆ Lucifer ☆
3,110 12

If you're looking for directories using the page= part it won't work, as thats only for filenames, you'd have to add the directories at the sites root. Anyway, you already mentioned two filenames in your last post, did you even try to look at either of them ?


inyourcloset's Avatar
Member
0 0

@rex I'm aware of not adding the dir's to the search. Yep, all I get is a popup login. Which I can't mess with. The error page it gives after aborting the request doesn't tell me anything useful, neither does it's source, and neither does the headers, or other info I can think to try and pull from it.

EDIT So, I didn't know there was a help bot on the side bar. So I asked it, and it suggests I look for a .txt file that I'd use to login?

I'm begining to think I didn't do that basic level the way they expected me to. Because I get referenced to: https://en.wikipedia.org/wiki/File_inclusion_vulnerability Sooooo maybe LFI will be useful in my situation now.


rex_mundi's Avatar
☆ Lucifer ☆
3,110 12

There was only one way to do that basic, maybe you need to go look at it again, then maybe you'll know what to do with the directory name and the filename you know exists in real 12.


Huitzilopochtli's Avatar
....
10 9

If you wanna go the easier .txt file way, just use the filename, and forget the directory.


inyourcloset's Avatar
Member
0 0

Thank you guys for being so great at teaching! I went back and redid basic 12 again, as rex suggested. It's the info I needed. Sorry for being so dull minded at times.


Huitzilopochtli's Avatar
....
10 9

It's cool man, nobody is more dull minded than me. thumbs up