LOST-Chall

S5EX#Access Denied

All about the extra challenges

Postby Z » Fri Jun 20, 2008 7:44 am

I'm at the part where I know every piece of information about the admin, except where to log in. Any tiny hints? :roll:

GreetZ

Postby sabretooth » Fri Jun 20, 2008 8:34 am

The admin page is disabled in some way.

Enable it ;)

I know this sounds obvious but if I say any more it will give the challenge away.

PM me if you want anything more specific :)

sabretooth

EX#Access Denied

Postby Z » Fri Jun 20, 2008 12:00 pm

Hmm, I already tried that, but that helped me a lot :)

Thx

Postby sabretooth » Fri Jun 20, 2008 1:51 pm

Like I say, if you need any more, PM me ;)

sabre

Postby Z » Fri Jun 20, 2008 8:29 pm

Great chall, sabre :)
Thanx for it, and I hope there will be more EXploit challs :wink:
GreetZ

Postby sabretooth » Sat Jun 21, 2008 9:28 am

glad you liked it.

grats :)


S

Postby Phobo » Sat Jul 19, 2008 12:09 pm

Like the others said: great chall :D

Postby sabretooth » Sat Jul 19, 2008 1:14 pm

Thanks once again :)

sabre

Postby skraeling » Sun Sep 07, 2008 2:04 pm

Warning: possible spoilers ahead (though I have tried to reduce them as far as I can)!

Something strange is going on. I'm at the user login page. When I use Firefox, I have no problems with logging in (I know a username and a password that lead me to the "you forgot to bypass an additional security" page). When I send the same data by a POST request from Java (which uses the org.apache.commons.httpclient libraries for POST requests), I get "Access denied!". I have checked twice that all three POST parameters are the same (and in the same order); the referrer, useragent etc. seem to be irrelevant (checked with TamperData). What is happening? How can the server find out whether I'm using a Java client or a browser? Is this part of the challenge?

By the way, great challenge so far - but I have no idea how to come up with the very first step without having seen it before...

skr.

Postby Bregi » Sun Sep 07, 2008 3:49 pm

skraeling wrote:
Warning: possible spoilers ahead (though I have tried to reduce them as far as I can)!

Something strange is going on. I'm at the user login page. When I use Firefox, I have no problems with logging in (I know a username and a password that lead me to the "you forgot to bypass an additional security" page). When I send the same data by a POST request from Java (which uses the org.apache.commons.httpclient libraries for POST requests), I get "Access denied!". I have checked twice that all three POST parameters are the same (and in the same order); the referrer, useragent etc. seem to be irrelevant (checked with TamperData). What is happening? How can the server find out whether I'm using a Java client or a browser? Is this part of the challenge?

By the way, great challenge so far - but I have no idea how to come up with the very first step without having seen it before...

skr.


Hmm that's really weird, but no, that's not part of the challenge.

Tell us if you need a hint on what to do next.

Bregi

Postby sabretooth » Sun Sep 07, 2008 5:53 pm

sure you're sending it to the user login and not the admin login? ;)

sabre

Postby skraeling » Sun Sep 07, 2008 6:10 pm

user. Of course I tried admin too, but that doesn't do anything (not even Access Denied).

Now I don't even understand what TamperData is doing. If I enter the correct username and password and press Submit, it leads me to the "you forgot to bypass the added security" site. However, if I press Ctrl+F5 while TamperData is on, and edit exactly the same POST data into my request, it does *nothing* (not even Access Denied). This is idiotic because, with the Java code not working, TamperData is probably my only way to mess with the adminlogin.

skr.

Postby sabretooth » Sun Sep 07, 2008 6:12 pm

oh there are many more ways ;)

Postby skraeling » Sun Sep 07, 2008 6:16 pm

Forgot to add that my Java code is capable of sending POST requests to other challenges at lost-chall (I've used it to solve some of the challenges). I'd like to know, if this is not too much, whether the challenge can be solved without forging POST requests.

skr.

Postby sabretooth » Sun Sep 07, 2008 6:31 pm

nothing that can't be done by editing the html and sending from localhost :)

sabre
