LOST-Chall http://lost-chall.wechall.net/forum/ |
|
S5EX#Access Denied http://lost-chall.wechall.net/forum/viewtopic.php?f=13&t=154 |
Page 1 of 2 Next » |
Author: | Z [ Fri Jun 20, 2008 7:44 am ] |
Post subject: | S5EX#Access Denied |
Im at the part where i know every information about the admin, except where to login. Any tiny hints? GreetZ |
Author: | sabretooth [ Fri Jun 20, 2008 8:34 am ] |
Post subject: | |
The admin page is disabled in some way. Enable it I know this sounds obvious but if I say any more it will give the challenge away. PM me if you want anything more specific sabretooth |
Author: | Z [ Fri Jun 20, 2008 12:00 pm ] |
Post subject: | EX#Acces Denied |
Hmm, I already tried that, but that helped me a lot Thx |
Author: | sabretooth [ Fri Jun 20, 2008 1:51 pm ] |
Post subject: | |
Like I say, if you need any more, PM me sabre |
Author: | Z [ Fri Jun 20, 2008 8:29 pm ] |
Post subject: | |
Great chall, sabre Thanx for it, and I hope there will be more EXploit challs GreetZ |
Author: | sabretooth [ Sat Jun 21, 2008 9:28 am ] |
Post subject: | |
glad you liked it. grats S |
Author: | Phobo [ Sat Jul 19, 2008 12:09 pm ] |
Post subject: | |
Like the others said: great chall |
Author: | sabretooth [ Sat Jul 19, 2008 1:14 pm ] |
Post subject: | |
Thanks once again sabre |
Author: | skraeling [ Sun Sep 07, 2008 2:04 pm ] |
Post subject: | |
Warning: possible spoilers ahead (though I have tried to reduce them as far as I can)! Something strange is going on. I'm at the user login page. When I use Firefox, I have no problems with logging in (I know a username and a password that lead me to the "you forgot to bypass an additional security" page). When I send the same data by a POST request from Java (which uses the org.apache.commons.httpclient libraries for POST requests), I get "Access denied!". I have checked twice that all three POST parameters are the same (and in the same order); the referrer, useragent etc. seem to be irrelevant (checked with TamperData). What is happening? How can the server find out whether I'm using a Java client or a browser? Is this part of the challenge? By the way, great challenge so far - but I have no idea how to come up with the very first step without having seen it before... skr. |
Author: | Bregi [ Sun Sep 07, 2008 3:49 pm ] |
Post subject: | |
Hmm that's really weird, but no, that's not part of the challenge. Tell us if you need a hint on what to do next. Bregi |
Author: | sabretooth [ Sun Sep 07, 2008 5:53 pm ] |
Post subject: | |
sure you're sending it to the user login and not the admin login? sabre |
Author: | skraeling [ Sun Sep 07, 2008 6:10 pm ] |
Post subject: | |
user. Of course I tried admin too, but that doesn't do anything (not even Access Denied). Now I don't even understand what TamperData is doing. If I enter the correct username and password and press Submit, it leads me to the "you forgot to bypass the added security" site. However, if I press Ctrl+F5 while TamperData is on, and edit exactly the same POST data into my request, it does *nothing* (not even Access Denied). This is idiot because, with the Java code not working, TamperData is probably my only way to mess with the adminlogin. skr. |
Author: | sabretooth [ Sun Sep 07, 2008 6:12 pm ] |
Post subject: | |
oh there are many more ways |
Author: | skraeling [ Sun Sep 07, 2008 6:16 pm ] |
Post subject: | |
Forgot to add that my Java code is capable of sending POST requests to other challenges at lost-chall (I've used it to solve some of the challenges). I'd like to know, if this is not too much, whether the challenge can be solved without forging POST requests. skr. |
Author: | sabretooth [ Sun Sep 07, 2008 6:31 pm ] |
Post subject: | |
nothing that can't be done by editing the html and sending from localhost sabre |
Page 1 of 2 | All times are UTC |
Powered by phpBB® Forum Software © phpBB Group
http://www.phpbb.com/ |