Welcome to HBH! If you have tried to register and didn't get a verification email, please using the following link to resend the verification email.

Real 8

  1. Home
  2. Articles
  3. HBH Challenge Tutorials
  4. Real 8

Real 8

By ghostghost | 7625 Reads |
0     0

For this one, im assuming: 1.You have access to a server in which you can run php scripts with cURL installed. 2.You have some knowledge on php. 3.You want to learn, not just steal other peoples work.

Ok, so there is 3 main steps to this bruteforcer: -take password -test it -echo answer

We need a dictionary on passwords, you can get them here: http://www.outpost9.com/files/WordLists.html

get a wordlist, name it dic1.txt and upload it to your server, in the same dir as your php script will be.

( 1 ) To select each word we need to use a loop. We will use !feof(). This mean 'Not end of file'. Before this we must open to the file and assign this to a variable:

$fh = fopen("dic1.txt", "r");

The "r" parameter means its read-only.So, after weve opened this, we need to start the loop:

$fh = fopen($dic, "r"); while(!feof($fh)) { $pass = fgets($fh,1024);

[CODE HERE]

}

The fgets function justs gets the line of the file.

( 2 )Now we need to test the passwords on the url: http://www.hellboundhackers.org/challenges/real8/admin.php

To do this we use the functions included in cURL. If this isnt installed on your box, just ask your server admin nicely :)

I dont want to give this challenge away so im going to leave this bit to you, although i will give you this bit of help:

$curlPost="uname=admin&pword=$pass&Submitted=True";

( 3 ) We must find some words that distinguish a bad login from a successful one, in this case its "Incorrect Username/Password", but "Incorrect" will be enough.

To search the contents of our received page will use the eregi() function where $data is the contents of the retrieved page.

$result = eregi("Incorrect", $data); if ( $result == 0 ) { echo "$pass3 is the password!"; break; }

the break statement cancels the while loop, because we dont want to keep searching even after we've found the pass.

Ok, so i hope i havent given too much away. This can be adapted to brute force many web-based login systems. Of course, there are other ways to do this, but this is just the way i did it.

I hope this helped,

Thanks, Will.

Comments
ghost's avatar
ghost 18 years ago

nice,why not add a bit about the getting hellboundhackers rules in the logs.

ghost's avatar
ghost 18 years ago

mistake: echo "$pass3 is the password!"; should read: echo "$pass is the password!";

ghost's avatar
ghost 18 years ago

thats why i didnt give them the cURL stuff, i gave them the opportunity to learn these special functions.

ghost's avatar
ghost 18 years ago

Befor ethey changed the pass you could just gues sit.

ghost's avatar
ghost 18 years ago

well you cant guess the new pass very easily, so this is why i wrote this…. :/

ghost's avatar
ghost 18 years ago

hint: also use curl for changing referer to what needs to show in the logs

ghost's avatar
ghost 18 years ago

I just did a buffer overflow attack

ghost's avatar
ghost 18 years ago

At first I did the buffer overflow not knowing this was possible, then I got curl working and did it this way. Great article. :)

ghost's avatar
ghost 17 years ago

thats smart a-hack i just tried it and it worked.

Death_metal666's avatar
Death_metal666 13 years ago

at first i had completed it by using buffer overflow attack. After reading this article i try this way too 100% working. nice article man