
Realistic 11


By mikispag | 10732 Reads

Detailed tutorial to beat the most difficult Realistic challenge (worth 150 points)!

Objectives:

- Clear the database
- Delete all the pages

Skills and prerequisites:

- Basic programming skill (cURL, PHP, JavaScript, HTML)
- Application cracking and debugging

Tutorial:

Let's view the homepage: there's not much there, so have a look at the Staff page. From there you will be able to see a picture and a list of names. Now click on "Client Login". That page has a (very basic) protection: when you submit a bad username/password combination, the form fields are disabled and you are locked out. The lockout is tracked only in your session, so if it happens simply delete your "PHPSESSID" cookie and refresh the page. Click on "Help": the last point is very important. Now try every username you found on the Staff page in the "Forgot password" form: there's only one valid user. Write down that username. Now you need its password. Go back to the login page… but, wait. What's the form action? Go to that URL and you'll be redirected: that's not what we're looking for. View the source of that page instead: you'll find something very interesting! Now you have the password too, so log in.

In the admin panel you'll have two options: "Remove Database" and "Delete Pages". Complete them in that order. You clear the database by doubling a random number and submitting it in less than one second. You will quickly realize that this is impossible to do by hand: you'll need to code something up for it. The simplest solution is JavaScript run in the browser on the admin page: use document.body.innerHTML to retrieve the page content, pull the number out of it, double it, and use location.replace("?number=...") to submit the form.
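As an added example (not the original article's code, and not HBH's own markup), here is the "double the number and submit it within a second" step written out. It assumes the number appears in the page text after the word "number" (the regex NUMBER_RE is an assumption; adjust it to the real page), and the sample HTML at the bottom is constructed for offline checking. In a browser the last block fires immediately, so the whole thing completes well inside the one-second window; under Node the browser globals are absent and only the pure functions run.

```javascript
// Added example for the Realistic 11 "Remove Database" step.
// Not the article's code; the page format below is an assumption.

// ASSUMPTION: the random number follows the word "number" somewhere in
// the page and is the first run of digits after it. Tune this to the page.
const NUMBER_RE = /number[^0-9]*(\d+)/i;

// Extract the random number from the page HTML.
// Returns null when nothing matches so the caller can bail out instead
// of submitting garbage and burning the one-second window.
function extractNumber(html, re = NUMBER_RE) {
  const m = re.exec(html);
  return m ? parseInt(m[1], 10) : null;
}

// Build the query string that submits the doubled value, mirroring the
// location.replace("?number=...") trick described in the walkthrough.
function doubledUrl(html) {
  const n = extractNumber(html);
  if (n === null) return null;
  return '?number=' + (n * 2);
}

// Constructed sample page (not real HBH markup) used for offline checks.
const SAMPLE_HTML = '<p>Double this number: <b>4711</b></p>';

// Browser path: paste into the console (or run as a javascript: URL) while
// on the admin page. Reading document.body.innerHTML and replacing the
// location happens in a few milliseconds, far under the one-second limit.
if (typeof document !== 'undefined' && typeof location !== 'undefined') {
  const url = doubledUrl(document.body.innerHTML);
  if (url !== null) {
    location.replace(url);
  }
}
```

If the admin page submits the number through a form rather than a GET parameter, swap the location.replace call for filling the form field and calling form.submit(); the extraction and doubling logic stays the same.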

In order to delete pages, you'll have to download a program called "KeyCheck". It is a Windows executable, and obviously it is a FILE. In which directory would you place a FILE? Once you have it, it's time to crack it: open it in OllyDbg, right click on the main window and choose "Search for -> All Referenced Text Strings". You'll notice a nice UNICODE value there. Convert it to another format and CAPITALIZE (hint!) the result in order to pass the password check. Once the check passes, the "Check" button is renamed "Decrypt". Enter the random string provided by the admin panel, click on "Decrypt", and paste the result back into the admin panel.

Congratulations! You've completed the challenge, and earned 150 points!

Please feel free to rate this article if it has been useful for you :)

Comments
ghost 17 years ago

Nice article miki, I wanted to do it with JS before but I was missing that little part :D

ghost 17 years ago

Nice the javascript part.

ghost 17 years ago

This should help all of you guys out -> http://www.w3schools.com/js/js_obj_string.asp

What_A_Legend 17 years ago

Nice article, helped me get so far.

mikispag 17 years ago

Thank you for your great ratings and comments! I'm glad to help you!

ghost 17 years ago

Nice one.