Beta Testing Real 16

http://www.hellboundhackers.org/challenges/real16abc/real16/

thats the URL.

Here is the info:

A member called Mozzer, works as a freelance webdesigner in his spare time. One of his projects from 6 months ago turned out to be for a corportate spamming company. When he went back to check on it he was horrified and set about trying to hack his own code. Unfortunately he couldn't find anything but noticed that there have been some slight alterations to his code! He mentioned something about "common directories", "session management" and "include files". He said that once you get access you will need to use the post system to edit the email database to say "admin@spamco.com". Hopefully a dose of their own medicine will sort this company out!!

Have fun, its quite hard and it teaches an exploit that hasnt been shown on HBH yet and is rarely talked about.

If you need any hints etc, let me know.

Anyone to complete it, please post below, and also report any errors you get.

At the moment its EM only for beta testing, so do not release this to other non EM members on HBH.

thanks.

and yeah i'll probs work on a new GUI of the challenge soon.

oh also forgot to mention, this challenge is brought to you by Mozzer.

Yeah, the challenge design was a 4 second job. Not much of a designer myself

I think the dir i**/ should list the files, like it's supposed to…

yeah, bit sketchy about all of the challenge code being given out though. dont want it all being taken. i'll consider it, perhaps have a fake directory listing and only show a handful of files.

i'll see.

What about /l**s ?

The fact the users can see those files is 1/2 the point

hmm, not quite sure where to go from here…

i've made it to the i** folder, but that's all i got…that and the two comments in the source…Include the CSS and MORON!!!

Beyond that i'm stuck.

has anyone actually completed this challenge?

Anyone…?

As mozzer should know, I'm pretty much finished, but everytime I try to do the bit with the email, it logs me out and I have to start over, which started pissing me off so I gave up

I wonder whether you had finished and whether he had been checking his headers properly…

mozzer wrote: I wonder whether you had finished and whether he had been checking his headers properly…

I know you have to decode the md5 useragents and set the admin one as yours, but that's going to take years!

Actually, as long as Mr_Cheese hasn't changed it, it should take around 2 hours on a standard computer

only thing i changed was, removing the db stuff and removing logging.

and adding a few index.html to will remove a few unimportant .inc's coz dont want the whole challenge code being grabbed.

Mr_Cheese wrote: only thing i changed was, removing the db stuff and removing logging.

and adding a few index.html to will remove a few unimportant .inc's coz dont want the whole challenge code being grabbed.

Uhm, I thought the idea was people could see the .inc's so they'd get an idea of what they're supposed to do…

yeah but some inc's arent needed.

so i'll keep the index.inc and maybe one other, but others i'll remove.

Can you create a fake dir listing showing what files are there (that you want people to see) then?

thats theplan :)

it be released on wednesday