Hints for Real Level 7?

FOSS login

Ajax1234
8 years ago

0

I am attempting this level and I have determined that I have replace “memtash”’s email with my email, and I believe that I need to use the POST method. I have tried this but have failed. Does anyone have any suggestions as to how to solve this level? Thank you.

37replies
15voices
678views
1image
bigheks
8 years ago

0

I solved it by cloning the github repo and running it locally. It also helps when you have experience auditing php code.

Time Void [Chronon]
8 years ago

0

There’s some auditing programs out there. So you didnt have to do it manually

dloser
8 years ago

0

Where’s the fun in that?

Time Void [Chronon]
8 years ago

0

Just suggestin'….

tl0tr
8 years ago

0

To complete this level do we need to have a good knowledge of Git Hub ??

bigheks
8 years ago

0

GitHub is just a place where the example code is.

Time Void [Chronon]
8 years ago

0

We have to know about database ?


0

It will help solving, if you know what is going on in the background!

Time Void [Chronon]
8 years ago | edited 8 years ago

0

The vuln is somewhere else…..

Is it possible to do this level on mobile phone ???


0

That would depend on the mobile phone

Time Void [Chronon]
8 years ago | edited 8 years ago

0

@RichardBrook I have LG Magna, Asus Zenfone, and Samsung Grand
Cannot acces web console here but i think its something to do with the database ????

I cant touch my computer for 2 weeks :(


0

Playing with the database helps, but if you know php well enough to understand only by reading, then I guess it would be very possible.

Time Void [Chronon]
8 years ago

1

@RichardBrook it has something to do with

the db_blablabla[/spoiler]
Or….
<!- something with “uid”

Or….
[Spoiler]something with the “ authorization” -!>

Richard Brook [RichardBrook]
8 years ago | edited 8 years ago

0

Well.. that’s up to you to find out, and the reason it is called a challenge ;)

f0rk [HackingGuy]
8 years ago

0

@RichardBrook , what do you mean mobile phone?
I think you are suggesting a smartphone, maybe? lol xD


0

It might be hard to do the level on this one.

Image

Time Void [Chronon]
8 years ago

0

Lol @RichardBrook i mean smart phone lol


0

Ouch, don’t be so harsh on it!

Time Void [Chronon]
8 years ago

0

I think i know where to go, but i dont know how…

Mugi [Mugiwara27]
8 years ago

0

Chronon don’t ask too much, there is no fun in doing a challenge if there is no challenge but a walkthrought, right ? :p

Time Void [Chronon]
8 years ago

0

Sorry just diggin as much as i can…..

x2600
8 years ago

0

I am working on recreating the level, personally.

b1nary
8 years ago

0

it has something to do with

a login page lol

Time Void [Chronon]
8 years ago

0

I know we have to make the our own version of the level….
But i want to know how to complete this on smartphone.
Still looking…..

tl0tr
8 years ago | edited 8 years ago

0

I am no good with PHP…

So are we suppose to make it send us an email or its not really required ??

? [bolofecal]
8 years ago

0

Reading the code I think the only way to receive a email is if you put your email in database, but I don’t know if this is the purpose of level.

Time Void [Chronon]
8 years ago | edited 8 years ago

0

I think we have to make our own version, and make it redirect to the “level completed” link after we put the “memtash”
???????
Just sayin'

But if you take a look at the php, you will see that we will need a database

? [bolofecal]
8 years ago

0

And why HackThis!! will know that the level is completed?

Time Void [Chronon]
8 years ago

0

no i mean we use our own version as a sandbox.
maybe ????

? [bolofecal]
8 years ago

0

This is a good idea to know what happens in server.

SIGKILL [r4v463]
8 years ago

0

Yes, creating our own version of the level is just to see what happens behind, then you have to reproduce it here.

Time Void [Chronon]
8 years ago

0

Yes i know it, thats what i mean all along

TH3 Cr3aToR [L3gand]
8 years ago

0

I got the answer from @Chronon , it’s a 4 letter hacking method and i have less knowledge to that hack . There is exact same tutorial on the web to complete this level but you have to find it.

bigheks
8 years ago | edited 8 years ago

11

As mentioned before; running it locally is just a method to debug more easily:

[list=1]
[] You can insert ‘var_dumps()’ and ‘echo’ throughout the code
[
] You can see server logs for errors
[*] You can modify the code to be more verbose
[/list]

This does not SOLVE the challenge for you, it just makes it EASIER to find out what is going on with the code.

I repeat, running it locally is not needed to solve this challenge, but if you can’t read/audit PHP code it might be handy.

To get the github repository to work:

Follow/install this to install mysql/php/apache.

After that is done, open terminal:
apt-get install git cd /var/www git clone https://github.com/HackThis/real7-login.git cd real7-login nano class.user.php

Now edit the ‘__construct()’ function so it looks like this:

        public function __construct() {  
            $this->db_name = "real7";  
            $this->db_host = "localhost";  
            $this->db_user = "root";  
            $this->db_pass = "your_root_password_here";  

            $this->db = new PDO("mysql:host=$this->db_host;dbname=$this->db_name", $this->db_user, $this->db_pass);  
            $this->db->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_OBJ);  

Save the file, go to a terminal:

mysql -u root -p  
[... type in password ...]  

create database real7;  

use real7;  

CREATE TABLE users( uid INT(6) UNSIGNED AUTO_INCREMENT PRIMARY KEY, username VARCHAR(30) NOT NULL, password VARCHAR(30) NOT NULL, email VARCHAR(50), reset VARCHAR(150) );  

insert into users(username,password,email) values("admin","123","admin@example.com");  

select * from users;  

Now you can visit the site at http://localhost/real7-login/

After this the real challenge begins :-)

tehron
8 years ago

0

tl;dr ;P

cn9 [1337boy]
8 years ago

0

cmon guys the level is up only since a couple of days and you already want hints? :P

f0rk [HackingGuy]
8 years ago

0

Yes xD

Discussion thread has been locked. You can no longer add new posts.
1 of 38

This site only uses cookies that are essential for the functionality of this website. Cookies are not used for tracking or marketing purposes.

By using our site, you acknowledge that you have read and understand our Privacy Policy, and Terms of Service.

Dismiss