
Thread: Changing source code. -Hack this site level 4-

  1. #11
    Senior Member deftones12's Avatar
    Join Date
    Jan 2003
    Location
    cali forn i a
    Posts
    333
    telnet...level 5??? hmm...don't know why u'd need telnet. It's editing the webpage's source again...just need a new trick to edit the URL, it's a bit smarter this time.

  2. #12
    Senior Member
    Join Date
    Jun 2003
    Posts
    119
    Alright I still can't get past the 3 level....lol

    Any hints?
    The inside secrets of big business are being leaked onto the Net - (whose fault is that ) - Me

  3. #13

    Level 3 hints and I'm STILL confused on 5

    3's pretty simple. A little crafty, but nothing you can't figure out.

    You have to keep in mind that in order to check to verify that the right password was entered, the script has to have something to check it against. (well, in this case it does) It'll be a .txt file, and it's not a very creative name for the file that houses the password.

    And since it's the password for level 4 you're trying to get, it's stored in the level4 folder.

    So, try and piece together the directory where the password file can be found, and enter that in your web browser.

    If you still can't get it, pm me and I'll help you out a bit more.

    Now, for my question, if I don't use Telnet what am I supposed to do? Trying the same trick as Level 4 gives me a File Not Found error. Maybe I need to change the filename or directory?

    EDIT: Hehe. It just told me "Invalid referring URL. Nice try!" and I can't decide if I was crafty and it's congratulating me or if I'm being predictable and it's mocking me.
    Do not meddle in the affairs of hackers, for they are subtle and quick to anger.
    I am what I am and I do what I can.

  4. #14
    Senior Member
    Join Date
    Jun 2003
    Posts
    119
    Thanx running Duck I am going to try that right now...

    B-wOLF

  5. #15
    Senior Member deftones12's Avatar
    Join Date
    Jan 2003
    Location
    cali forn i a
    Posts
    333
    yeh i'm still gettin the nice try error also...guess ya just gotta play around a bit more. Haha...maybe hack his email? if someone posts here into reply of this level don't post the password please...a tiny hint would be ok but don't spoil it...i gotta get this level now :-/...lemme know running duck if u make any progress

    hey running duck here's the website's code that i have so far...i think somewhere it's hidden that the button refers to a real URL or real email addy.



    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
    "http://www.w3.org/TR/1999/REC-html401-19991224/loose.dtd">
    <html>
    <head>
    <title>Hack This Site</title>
    </head>
    <body bgcolor="#FFFFFF" text="#293E6D" link="#1D2C4D" vlink="#1D2C4D" alink="#000000">

    <center>
    <hr color="#293E6D" width=500></center>



    <table width=500 cellspacing=0 cellpadding=0 border=0 align="center">
    <tr>
    <td width=100 valign="top">
    <font face="verdana" size=1>
    HTS:

    About

    F.A.Q.

    Top Scores



    Jump to:

    Level 1


    Level 2

    Level 3

    Level 4

    Level 5


    Level 6

    Level 7

    Level 8

    Level 9

    Level 10

    Level 11

    Level 12

    Level 13




    </font>
    </td>
    <td width=400 valign="top">
    <font face="verdana" size=1>



    <center>Level 5</center>





    Sam has gotten wise to all the people who wrote their own forms to get the password. Rather then actually learn the password, he decided to make his email program a little more secure.




    <center>
    <form action="http://www.hulla-balloo.com/hack/level5/level5.php" method="post">
    <input type="hidden" name="to" value="deft0nes12@hotmail.com">
    <input type="submit" value="Send password to Sam">
    </form>
    </center>





    <center>
    password:

    <form action="http://www.hulla-balloo.com/hack/level6/index.php" method="post">
    <input type="password" name="password">



    <input type="submit" value="submit">
    </form>


    </font>
    </td>
    </tr>
    </table>



    <center>
    <hr color="#293E6D" width=500>
    <font face="verdana" size=1>(C) 2002 Jeremy Hammond</font></center></body>
    </html>

  6. #16
    Senior Member
    Join Date
    Nov 2002
    Posts
    186
    Here's what it looks like to me:
    For level 4, we could create our own page, and run it locally because it didn't matter where it was being run from. i.e. The Referer didn't matter
    For level 5, the Referer must be the index.php page. This is how Sam protected himself from the people who created their own forms. What we want to do is change the "to" value, as in level 4, but this time we need to spoof the Referer as well. This can be accomplished by telnetting to port 80. I can get the e-mail to be sent using the commands:
    Code:
    GET /hack/level5/level5.php HTTP/1.1
    Host: www.hulla-balloo.com
    Referer: http://www.hulla-balloo.com/hack/level5/index.php
    My problem is, I can't figure out how to override the "to" variable.
    I added a "to: email" in the telnet messages, to no avail.
    Any suggestions? I just don't understand URL requests well enough. Hopefully someone else does, or else I'll have to read for a few hours to figure this out.
    Thanks!
    "When you say best friends, it means friends forever" Brand New
    "Best friends means I pulled the trigger
    Best friends means you get what you deserve" Taking Back Sunday
    Visit alastairgrant.ca

  7. #17
    Senior Member
    Join Date
    Mar 2002
    Posts
    442
    http://www.hulla-balloo.com/hack/level5/level5.php?to="email@address"
    or is it
    http://www.hulla-balloo.com/hack/level5/index.php?to="email@address"

    It's simple php, website.php?variable="blah"
    Refer to er0k's tutorial to learn basic php
    http://www.antionline.com/showthread...439#post640439

  8. #18
    Senior Member deftones12's Avatar
    Join Date
    Jan 2003
    Location
    cali forn i a
    Posts
    333
    i did the http://www.hulla-balloo.com/hack/level5/level5.php?to="email@address" trick earlier but failed...it says "Invalid URL Refer, Nice Try!" or something like that...i guess got kinda close but to no avail...so i dunno...

  9. #19
    Senior Member
    Join Date
    Mar 2002
    Posts
    442
    deftones12 > As algaen posted previously, which was what I was replying to, simply going to that url will not work. You must change the referer information to state that you went from the URL http://www.hulla-balloo.com/hack/level5/index.php. Algaen was attempting to do this by telnetting to the host. I am not sure of the process he used so I can not explain what to do there. But I can tell you, the script at /hack/level5/level5.php is checking a header present in any internet browser, specifically, a referer header, which tells it what page you were 'referred' from, or which page you just came from, in this case it has to be /hack/level5/level5.php, not on your local box, and not hack/level5/level5.php?to="email@address"
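
Why the Referer check discussed in this thread does not protect the form, seen from the server's side. This is an added example, not the challenge site's code and not part of any post; the handler functions, addresses and session id are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed values for illustration; none of these come from the thread.
EXPECTED_REFERER = "http://challenge.example/level5/index.php"
SAM_ADDRESS = "sam@challenge.example"
SERVER_KEY = secrets.token_bytes(32)  # stays on the server, never sent to the browser


def weak_handler(headers, form):
    """Pattern described in the thread: Referer gate plus hidden 'to' field."""
    if headers.get("Referer") != EXPECTED_REFERER:
        return None  # the "Invalid referring URL" branch
    # Both the header and the form field are written by the client, so
    # passing the check says nothing about who chose the recipient.
    return form.get("to")


def issue_token(session_id):
    """Token embedded in the real form; bound to the visitor's session."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def hardened_handler(session_id, form):
    """Recipient is server-side state; the form only proves it was issued here."""
    supplied = form.get("token", "")
    if not hmac.compare_digest(supplied, issue_token(session_id)):
        return None
    return SAM_ADDRESS  # any client-supplied 'to' is ignored


def demo():
    forged = {"Referer": EXPECTED_REFERER}          # client-chosen header
    tampered = {"to": "someone.else@example.net"}   # client-chosen field
    weak = weak_handler(forged, tampered)
    no_token = hardened_handler("sess-1", tampered)
    with_token = hardened_handler(
        "sess-1", {**tampered, "token": issue_token("sess-1")})
    return weak, no_token, with_token


if __name__ == "__main__":
    print(demo())
```

The weak handler returns whatever address the client supplied once the header matches; the hardened one returns the fixed address only for a token issued to that session.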

  10. #20
    Senior Member
    Join Date
    Nov 2002
    Posts
    186
    Thanks The3ntropy. Thanks for pointing that out. I had already tried that, but it could have been something I overlooked.
    My question was:
    What does the "to=email@address" look like in a URL request? It cannot be attached to the GET request (like "GET /hack/level5/level5.php?to=email@address"), and it does not seem to work as its own "to: email@address" request. Basically I need a way to pass a variable to the script...

    I could be making this WAY TOO complicated, but I can think of no better way to go about it at the present time.

    Thanks for your help guys.
