Security Game
Results 1 to 7 of 7

Thread: Security Game

  1. #1
    Junior Member
    Join Date
    Jan 2003
    Posts
    3

    Security Game

    http://quiz.ngsec.biz:8080/game1/level2/l33t.php

    Can somebody please explain this? I read the "useful reading" on the page, asked some friends, but still, I can't figure it out. I've been trying for a couple hours and nothing's working. I'd love to know how to do it, or be pointed in the right direction of how to figure it out.

    Thank You

    PS
    I'd also like to mention that I googled and checked RFC1.1 for information.

  2. #2
    Senior Member SodaMoca5's Avatar
    Join Date
    Mar 2002
    Posts
    236

    How To

    From my reading of their hints you telnet to your own server or even set up a local server and use their steps to change the HTTP information sent from that server.

    Since I am at work and not willing to mess with our servers to test this I hope this helps clarify a bit.

    Hope this helps.
    SodaMoca5
    \"We are pressing through the sphincter of assholiness\"

  3. #3
    Junior Member
    Join Date
    Jan 2003
    Posts
    3
    Thanks

  4. #4
    Member
    Join Date
    Dec 2002
    Posts
    88
    Im not exactly sure about what they want you to do, but I suppose they want you to gain access using the referer value set by you . Don't know if its also using the password for the previous level and asking you to use the new referer to bypass a new level of security.. . I suggest you have a look at the html code, pay attention to the form action, and the values used. Then, access it via telnet and use the method (GET for instance) to access the page, giving the username and password and setting the new referer valu. Sure, I am not assuring you its the way, since I havent gone through the other levels and I am not registered there, to retrieve more info. But if I was playing, and it was all information i had, I would use the documented way of spoofing referer value, and use GET method to retrieve the file mentioned in the code (form action = ) , sending the name and password as parameters. It would be something like file.php?name=example&password=thisoneishardtoguess . Well, you are supposed to solve it on your own, it's a game, after all.. I'm not even playing, so it's better not try to steal your fun. And mainly because I dont have enough information to give you more than some guesses..

  5. #5
    Junior Member
    Join Date
    Jan 2003
    Posts
    3
    Yeah, I already tried extracting the password from the source, but the source doesn't tell you. However, it does tell you that the login is "admin" and that the submit button with value "Submit" calls the form action "validate_l337.php" (with method "get") where I'd assume the information is stored and validated for authenticity. But that's all the source tells me. From there I'm not really certain on how to proceed.

  6. #6
    Member
    Join Date
    Dec 2002
    Posts
    88
    try using the old password and setting the new referer. It seems that the only problem is spoofing the referer. I think.. (will it work? :/ ).
    duh.. im spoiling..

  7. #7
    Junior Member
    Join Date
    Jan 2003
    Posts
    2
    iīm trying to,nice game but donīt have better luck then you

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •