hack-test

**r4nd0m1z** · May 8th, 2007, 11:46 PM

Originally Posted by Moira

r4nd0m1z: you're on the last level?

Hmmmm...I'm not so sure. The version of the game I've been playing, is on www.hackertest.net (not hack-test.com). On this version, beginning somewhere around level 10, it says there are 100 levels

**ttn628826** · May 9th, 2007, 02:23 AM

Originally Posted by r4nd0m1z

Hmmmm...I'm not so sure. The version of the game I've been playing, is on www.hackertest.net (not hack-test.com). On this version, beginning somewhere around level 10, it says there are 100 levels

i found that too!

when i was at level 10
there two pages .htm and .php

other page leads to a guestbook

at the admin.php
if you type in the same username and password
it will show a message
"the password file has been created"
but i don't know where is the passowrd file

speak in frank
i am more interest at that line
it seens like a hidden level

**realshady** · May 9th, 2007, 09:35 AM

Originally Posted by ttn628826

i found that too!

when i was at level 10
there two pages .htm and .php

other page leads to a guestbook

at the admin.php
if you type in the same username and password
it will show a message
"the password file has been created"
but i don't know where is the passowrd file

speak in frank
i am more interest at that line
it seens like a hidden level

uhm i don't think you need that file or even will find that file at all. more sounds like you need to find a hidden log in.

**ttn628826** · May 9th, 2007, 11:59 AM

Originally Posted by realshady

uhm i don't think you need that file or even will find that file at all. more sounds like you need to find a hidden log in.

a hidden log in?????

at which page

guestbook.php
or
admin.php

**realshady** · May 11th, 2007, 10:43 AM

Originally Posted by ttn628826

a hidden log in?????

at which page

guestbook.php
or
admin.php

lol if you read my answer you could know that i am not at that level. At the moment just waiting for a mail for level 20 but i don't get any so i can't help at the moment.

**AmienZero** · May 16th, 2007, 04:28 AM

anyone reached level 20 yet? i've reached level 20 (got the email from author), and decoded the given codes, got the link that points me to a guestbook. i guess i have to do something at this guestbook but looking at the source it says



i'm outta ideas right now.

**r4nd0m1z** · May 16th, 2007, 03:04 PM

Yes...If you do a search for "Sad Raven's Guestbook vulnerabilities", you'll find a number of them. Unfortunately, most of the sites are in Russian so it's a bit of a challenge...

The most obvious vulnerability is password disclosure (trying to get the passwd.dat file) but that doesn't work. I believe the guestbook has been broken, severely restricted, or not set up correctly.

Other stuff I've tried is crosssite scripting and PHP injection, but those don't work either. Next is trying to pass a cookie to the site, but that particular vulnerability didn't translate very well at all:

"if we establish to its machine correctly composed cookie, then it is possible to enter into the adminskiy interface"

Still trying...

Thread: hack-test

Thread Tools

Display

Hybrid View

Posting Permissions