
basic 23


ghost's Avatar
0 0

A slight direction for this challenge, please. My guess is there should be an admin panel somewhere, and most probably it's on show.php?page=(wtf here). Anyone who can lend a word of help?


ghost's Avatar
0 0

no


ghost's Avatar
0 0

thanks for the one word. :D


ghost's Avatar
0 0

I have this "You are on the right track, you just need to think of how you can exploit this vulnerability" but I don't see where my mistake is, so I am really stuck.


ghost's Avatar
0 0

dada85 wrote: Too big spoiler i think :|

That's not a spoiler.. that's a walkthrough :angry:

Could an admin or a moderator please edit that post?


ghost's Avatar
0 0

The_Cell wrote: dada85 wrote: Too big spoiler i think :|

That's not a spoiler.. that's a walkthrough :angry:

Could an admin or a moderator please edit that post?

Did you read desperanto's post before he edited it?


ghost's Avatar
0 0

dada85 wrote: Did you read desperanto's post before he edited it ?

I did mean that post but quoting it yet again seemed a bit pointless ;)


ghost's Avatar
0 0

what are we looking for in this challenge?


mido's Avatar
Member
0 0

PHP S**** Try Googling iT !!;)


ghost's Avatar
0 0

lol, how can we google it if all we know is php S?


ghost's Avatar
0 0

bigggnick wrote: lol, how can we google it if all we know is php S?

lol qft. I thought he was referring to a PHP [spoiler], but it could be a number of things. :[

[spoiler removed by Richo]


mido's Avatar
Member
0 0

lol…guess


richohealey's Avatar
Python Ninja
0 0

well you're googling for the sensible thing to upload when you find RFI


ghost's Avatar
0 0

[[SPOILER]]

what do you want me to do, the challenge for you?

go try it!


richohealey's Avatar
Python Ninja
0 0

fixed spoiler.

Think hard before posting


ghost's Avatar
0 0

moshbat wrote: i googled RFI or LFI and all i got was a load of different exploits for yahoo webcam 8.1 could anyone tell me (or at least hint) what i am supposed to do?

Why don't you look up what RFI stands for and look how it is being used in the exploits…


ghost's Avatar
0 0

this had me confuzzled for a while. I knew exactly how the exploit worked, just not what it wanted.

mido gave the best hint, there's the right number of *'s in the word. the way I completed it, it utilizes a common s***.


ghost's Avatar
0 0

Man, that was easy. I just wasn't including the right thing; I was trying to get the password from etc/passwd.txt, and then what_a_legend helped me out. I feel stupid for not thinking about it.


ghost's Avatar
0 0

You're not supposed to look for a passwd, just include something you would include in a normal attack at RFI or LFI. Here's a big hint: c99


ghost's Avatar
0 0

moshbat wrote: why does system always make challenges that confuse me.

am i supposed to be looking in c/passwd or /shad ??? and the directory traversals confused me :S

It's not LFI


SySTeM's Avatar
-=[TheOutlaw]=-
20 0

moshbat wrote: why does system always make challenges that confuse me.

am i supposed to be looking in c/passwd or /shad ??? and the directory traversals confused me :S

Erm, I didn't make this challenge…


ghost's Avatar
0 0

It's a PHP S**** that the challenge checks for, I believe.


ghost's Avatar
0 0

Maybe this will help: [[spoiler removed]] look up c99.txt in Google and you'll also know what it is.

RE: Spoilers: Guys, do some research on RFI. it'll come easily.

[edit by Richo]


ghost's Avatar
0 0

mr noob wrote: It's a PHP S**** that the challenge checks for, I believe.

So you need to use a real php s****?


ghost's Avatar
0 0

;)


ghost's Avatar
0 0

[edit] removed hints

I decided that if anyone can't get it after all the spoilers they are lacking intelligence. If you still don't get it after the hints in this thread then I'm pretty shocked. [/edit]


ghost's Avatar
0 0

Now you guys FUCKED UP the whole challenge.

I did it in 1 min.

You should have written the answer for the mission. (You almost did). I wonder why Richo didn't edit those few posts.

WHY NOT MAKE PEOPLE THINK FIRST???

Fucking spoilers…..


ghost's Avatar
0 0

ok… I know what to do, you include a s****, but I've tried all the ones I know and none of them work, even with things like ? & and %00 on the end :S


ghost's Avatar
0 0

Too complicated. Think simpler and pay attention to the c99.txt hints. PM me if you want.


ghost's Avatar
0 0

kaksii wrote: Now you guys FUCKED UP the whole challenge.

I did it in 1 min.

You should have written the answer for the mission. (You almost did). I wonder why Richo didn't edit those few posts.

WHY NOT MAKE PEOPLE THINK FIRST???

Fucking spoilers…..


ghost's Avatar
0 0

great help there kaksii… quoting yourself… ingenious


ghost's Avatar
0 0

That means that you shouldn't be asking more questions about the challenge.

It is all there


ghost's Avatar
0 0

i know how to exploit RFI and LFI, just not the challenge-specific things that make challenges so… unrealistic :/


SySTeM's Avatar
-=[TheOutlaw]=-
20 0

mr noob wrote: ok… I know what to do, you include a s****, but I've tried all the ones I know and none of them work, even with things like ? & and %00 on the end :S

PM me with what you're trying mate


ghost's Avatar
0 0

too late he pm'd me


ghost's Avatar
0 0

OH for christ's sake, the mission is simple, but the objective is kinda weird. Yeah, it's got RFI written all over it. But how are we supposed to know we must try to use ls cmd? I tried format, rm, mv, chmod and all sorts of weird commands (which I thought were more lethal), and it's like: You are on the right track, you just need to think of how you can exploit this vulnerability

So, for those not getting it, but think they got it, try ls.


ghost's Avatar
0 0

If anyone is still not getting it they can PM me with what they have got (or what they think they have) and I'll give them a small nudge in the right direction, but no spoilers and no spoonfeeding.


ghost's Avatar
0 0

well i have read all of the post and think i know the S**** and i have done a good amount of research on both RFI and PHP S**** but am still coming up empty handed….i am half asleep so feel free if you think i should have the answer knowing all that i have stated thanx


flame_1221's Avatar
nobody
0 0

noober wrote: well i have read all of the post and think i know the S**** and i have done a good amount of research on both RFI and PHP S**** but am still coming up empty handed….i am half asleep so feel free if you think i should have the answer knowing all that i have stated thanx

PM me with what you had tried. :)


mickimaus's Avatar
Member
0 0

I guess this mission is just created to collect several locations of shells … but remember. most shells in the inet are infested with pictures showing the programmer of that shell where it has been used… so write your own or modify an existing and crosscheck it with an apache + wireshark


ghost's Avatar
0 0

Can I PM someone for help on this mission?

I have the S**** referenced, but all I'm getting is "You're on the right track…"


ghost's Avatar
0 0

Still having trouble with basic 23 I have no idea what the challenge is and what to do to solve it please help…. :(


starofale's Avatar
Member
0 0

Basic 23: a good friend of mine mentioned something about RFI. Find out what this is first.


MaddinW's Avatar
Member
0 0

Could anyone please help me? I understand the technique I have to use, but the challenge is coded so poorly that it will only accept special commands. I have tried to write a script that reads the directory tree, but to no avail.

Any suggestions?