
Hack This Site: PHP and HTML

7 replies to this topic

#1
ki4jgt

I'm currently enjoying myself, learning Ethical Hacking :-) and at the moment, I'm learning from HTS.org. I haven't asked for help yet and I don't know if I'll be back to read the replies to this or not. I like the challenge. But WOFD

So I'm on HTS and I got through Basic level 4 OK (Had to substitute the admin's email for my own and have the form send the password to me.) Please NO ANSWERS. I'm trying to get the password for level 5, but he supposedly made it harder. So my question is how do I examine the PHP file. Or is PHP something you can see?

Hack This Site!

I thought about substituting my own PHP file, but if I don't know what I'm going to be mimicking, then I don't know how to write the file :-( Here is a copy of the form.


<center><b>Level 5</b></center><br /><br />Sam has gotten wise to all the people who wrote their own forms to get the password. Rather than actually learn the password, he decided to make his email program a little more secure.<br /><br /><center>
<form action="/missions/basic/5/level5.php" method="post"><input type="hidden" name="to" value="webmaster@hulla-balloo.com" />
<input type="submit" value="Send password to Sam" /></form></center><br /><br /><center><b>Password:</b><br />
<form action="/missions/basic/5/index.php" method="post"><input type="password" name="password" /><br /><br />
<input type="submit" value="submit" /></form>

Again, please NO ANSWERS I like a challenge. I just want to know if it's possible to view the PHP set in the action, or even to substitute my own for the form. I would ask this at the HTS forums, but they aren't letting me in for some reason. Every time I try to sign in, it asks me for my username (no field to fill in) local time and language, when I submit it, it says my username is invalid :c-mad:

#2
CommittedC0der

You can view a PHP file by just typing it onto the end of the URL. So to view your level5.php file you would type this URL: http://www.hackthiss...ic/5/level5.php
Hope that helps ~ Committed.
A man can be defined by what he does when no one is looking.
Science is only an educated theory, which we cannot disprove.

#3
BlaineSch

Edited upon request.

Edited by BlaineSch, 31 January 2011 - 10:14 PM.


#4
CommittedC0der

@Baline....err

Quote

Again, please NO ANSWERS I like a challenge. I just want to know if it's possible to view the PHP set in the action, or even to substitute my own for the form.

Isn't that kinda giving out the answer to the problem?

#5
BlaineSch

Hardly, he showed us that source code. If he knew how to change it he would have done it already. Just a nudge (shove? lol) in the right direction.

I probably did let out too much, and who knows, I could be wrong.

#6
zeroradius

No, you're right, you should probably edit that before he gets back on or he may be upset.

#7
ki4jgt


zeroradius said:

No, you're right, you should probably edit that before he gets back on or he may be upset.

It's not like I couldn't read the email :-( LOL. But I'm not Major Gripes A. Lot. I used to be good with this kind of stuff. I've written numerous computer programs, but one day the logic circuit in my brain just shot, and I was no good at solving this stuff any more :-( I think I got really tired of just programming all the time. The only thing I have to show for it is one lousy program (My hard drive crashed and I lost the source code to all my others) and a lousy poem I wrote three years ago (My school mysteriously lost all my portfolio pieces). Now I'm reading up on networking AGAIN. I have hacked websites before, but that was way back when the security on most websites could be broken by five year olds today :-( O well, but that's why I'm trying to get back in the game.

#8
ki4jgt


BlaineSch said:

Edited upon request.

I went ahead and read the email (For the push in the right direction) :-( That was the answer. LOL How was that a push in the right direction? (more like a don't bother, you're not smart enough to figure this out, so here let me tell you) Anyway, that was already done in lesson 4 (As stated above). It said Sam got wise to everyone creating their own forms and adding their emails to it, so he added more security. I've already tried adding my email to this one. It says it's invalid once the page loads. The only thing different from this form and form 4 is the action. So I assumed since the only part of the code which was different was the action, it must have something to do with it. I know it's directed at the .php page after the form submits, but I'm trying to isolate the difference. I did a bunch of HTML stuff in middle school, but it's been forever and a day ago. I graduated in 08 from HS.
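
The thread turns on a hidden `to` field that the browser sends back to the script named in `action`. As an added example (not from any poster and not HackThisSite's code), here is a weak handler that trusts that field beside one that fixes the recipient on the server. Both functions and the sample submissions are hypothetical; only the address and the field name come from the posted form.

```php
<?php
declare(strict_types=1);

// Hypothetical handlers: the real level5.php is not shown in the thread.
// Code like this runs on the server; the browser receives only its output.
const ADMIN_RECIPIENT = 'webmaster@hulla-balloo.com'; // value from the posted form

// Weak pattern: mail goes wherever the hidden "to" field says. The field is
// sent back by the browser, so the client decides the recipient.
function recipient_trusting_client(array $post): string
{
    $to = $post['to'] ?? '';
    return is_string($to) ? $to : '';
}

// Hardened pattern: the recipient is fixed server-side. A submitted "to" is
// only compared with it, so a modified form can be rejected and logged.
function recipient_server_side(array $post): array
{
    $submitted = $post['to'] ?? null;
    if ($submitted !== null && $submitted !== ADMIN_RECIPIENT) {
        return ['ok' => false, 'to' => null];
    }
    return ['ok' => true, 'to' => ADMIN_RECIPIENT];
}

// Constructed sample submissions (not captured traffic).
$samples = [
    'unmodified form'     => ['to' => 'webmaster@hulla-balloo.com'],
    'edited hidden field' => ['to' => 'someone-else@example.test'],
    'field removed'       => [],
    'array, not a string' => ['to' => ['x']],
];

foreach ($samples as $label => $post) {
    $weak = recipient_trusting_client($post);
    $hard = recipient_server_side($post);
    printf(
        "%-20s weak sends to: %-28s hardened: %s\n",
        $label,
        $weak === '' ? '(nobody)' : $weak,
        $hard['ok'] ? 'send to ' . $hard['to'] : 'reject'
    );
}
```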



