Welcome to HBH! If you have tried to register and didn't get a verification email, please using the following link to resend the verification email.

Basic Web Hacking 5


henry123456789's Avatar
Member
0 0

first I want to write bitterly that it is a shame and a pity that I see these two links which give the solutions :

https://www.hellboundhackers.org/articles/read-article.php?article_id=94

https://www.hellboundhackers.org/articles/index.php?cat_id=10

I hate them and the idea in itself

Concerning the challenge

The format of the solution is like this :

username:password

from the source I know the username and the password

admin:* (* is a word which in turn is the password)

I submitted the solution but it says invalid password !! I am sure I know what word replaces the asterisk and that my solution is right

I can pm someone the solution to check it for me so that I do not spoil

or may be I can get a hint here in the forum


Huitzilopochtli's Avatar
....
10 9

Best read the article again if you're using admin as the username.


henry123456789's Avatar
Member
0 0

there is absolutely no logic and no sense in this challenge :

The challenge asks for the username and password . They must be entered in the following format :

Username:Password

However the article says another thing totally different which has nothing to do with the format of the solution :

"Somebody @ Somwhere . Something Replace the . with a : instead and you only need to fill in the bottom passwd box with the email."

the article says that the solution is an email in a weird , odd format

"Somebody @ Somwhere : Something

so I wonder why from the beginning it is not stated that the format of the solution must be an email in the format Somebody @ Somwhere : Something? I mean instead of putting :

Enter Username:Password:

it will be

Enter Somebody @ Somwhere : Something and that is all !!

secondly , if the second form (Search an E-mail:) serves nothing to the challenge so why is it put there !!!! for what reason?

thirdly , if we suppose that "Somebody @ Somwhere : Something" is the solution to the challenge , is Somebody the username and Somwhere the password ?? and if yes what is the Somwhere? what does Somewhere supposed to be ?


Huitzilopochtli's Avatar
....
10 9

I wonder why from the beginning it is not stated that the format of the solution must be an email in the format Somebody@Somwhere:Something

The challenge itself tells you about the form and how it's intended to work, it's obviously not going to explain how to exploit any vulnerabilities in it.

if the second form (Search an E-mail serves nothing to the challenge so why is it put there !!!! for what reason

It's supposed to be part of the asterix system, other wise you would be looking at a login form, and not a supposed search system.

thirdly , if we suppose that "Somebody @ Somwhere : Something" is the solution to the challenge , is Somebody the username and Somwhere the password ?? and if yes what is the Somwhere? what does Somewhere supposed to be ?

Don't know.


henry123456789's Avatar
Member
0 0

"The challenge itself tells you about the form and how it's intended to work, it's obviously not going to explain how to exploit any vulnerabilities in it."

I am talking about the format of the solution not how to exploit it . The challenge does not tell me that the format of the solution must be somebody@somewhere:something . The article does . The challenge tells me that the solution must be in the format Username:Password . No one would expect the solution to be somebody@something:somewhere if the article did not mention it

As for the vulnerability I googled about Asterix protect system but I could not find any tutorial associated with it .

"It's supposed to be part of the asterix system, other wise you would be looking at a login form, and not a supposed search system."

if it puts Enter somebody@somewhere:something instead of Enter Username:Password I will look for somebody@somewhere:something and not a login form :)

"Don't know"

You already solved Basic Web Hacking 5 so you know if in somebody@somewhere:something , the somebody is the username , the something is the password and what is the somwhere :)

I know the username and the password but I do know how to put the solution in somebody@somewhere:something there are three elements but I have only two elements the username and the password . What am I supposed to do . Any hint?


rex_mundi's Avatar
☆ Lucifer ☆
3,050 12

Years ago you could sign into sites using the username:password@email.com format.

Im assuming that this is based on that idea, and by entering a string in the format the article says, i.e. in a format it's not expecting, it causes the code to throw an error.

Use * for what you don't know, which is everything.


henry123456789's Avatar
Member
0 0

I do not like this challenge .

this is not a spoil as it is in the source code <!–attention admin: * is a wildcard –>

Enter Username:Password would be

admin:wildcard . Challenge solved

This is what I expected

May be I am still far a newbie to perceive more deeper but this challenge is not good at all