Hints for Real Level 7?

FOSS login

Ajax1234
8 years ago

0

I am attempting this level and I have determined that I have to replace “memtash”’s email with my email, and I believe that I need to use the POST method. I have tried this but have failed. Does anyone have any suggestions as to how to solve this level? Thank you.

37 replies | 15 voices | 676 views | 1 image
bigheks
8 years ago

0

I solved it by cloning the github repo and running it locally. It also helps when you have experience auditing php code.

Time Void [Chronon]
8 years ago

0

There are some auditing programs out there, so you didn't have to do it manually.

dloser
8 years ago

0

Where’s the fun in that?

Time Void [Chronon]
8 years ago

0

Just suggestin'….

tl0tr
8 years ago

0

To complete this level, do we need to have a good knowledge of GitHub?

bigheks
8 years ago

0

GitHub is just a place where the example code is.

Time Void [Chronon]
8 years ago

0

Do we have to know about databases?


0

It will help with solving if you know what is going on in the background!

Time Void [Chronon]
8 years ago | edited 8 years ago

0

The vuln is somewhere else…..

Is it possible to do this level on a mobile phone???


0

That would depend on the mobile phone.

Time Void [Chronon]
8 years ago | edited 8 years ago

0

@RichardBrook I have an LG Magna, an Asus Zenfone, and a Samsung Grand.
I cannot access the web console here, but I think it's something to do with the database????

I can't touch my computer for 2 weeks :(


0

Playing with the database helps, but if you know php well enough to understand only by reading, then I guess it would be very possible.

Time Void [Chronon]
8 years ago

1

@RichardBrook it has something to do with

[spoiler]the db_blablabla[/spoiler]
Or….
[spoiler]something with “uid”[/spoiler]
Or….
[spoiler]something with the “authorization”[/spoiler]

Richard Brook [RichardBrook]
8 years ago | edited 8 years ago

0

Well.. that’s up to you to find out, and the reason it is called a challenge ;)

f0rk [HackingGuy]
8 years ago

0

@RichardBrook , what do you mean mobile phone?
I think you are suggesting a smartphone, maybe? lol xD


0

It might be hard to do the level on this one.


Time Void [Chronon]
8 years ago

0

Lol @RichardBrook I mean smartphone lol


0

Ouch, don’t be so harsh on it!

Time Void [Chronon]
8 years ago

0

I think I know where to go, but I don't know how…

Mugi [Mugiwara27]
8 years ago

0

Chronon, don’t ask too much, there is no fun in doing a challenge if there is no challenge but a walkthrough, right? :p

Time Void [Chronon]
8 years ago

0

Sorry, just diggin' as much as I can…..

x2600
8 years ago

0

I am working on recreating the level, personally.

b1nary
8 years ago

0

it has something to do with

a login page lol

Time Void [Chronon]
8 years ago

0

I know we have to make our own version of the level….
But I want to know how to complete this on a smartphone.
Still looking…..

tl0tr
8 years ago | edited 8 years ago

0

I am no good with PHP…

So are we supposed to make it send us an email, or is it not really required??

? [bolofecal]
8 years ago

0

Reading the code, I think the only way to receive an email is if you put your email in the database, but I don’t know if this is the purpose of the level.

Time Void [Chronon]
8 years ago | edited 8 years ago

0

I think we have to make our own version, and make it redirect to the “level completed” link after we put in the “memtash”
???????
Just sayin'

But if you take a look at the PHP, you will see that we will need a database.

? [bolofecal]
8 years ago

0

And how will HackThis!! know that the level is completed?

Time Void [Chronon]
8 years ago

0

No, I mean we use our own version as a sandbox.
Maybe????

? [bolofecal]
8 years ago

0

This is a good idea to know what happens on the server.

SIGKILL [r4v463]
8 years ago

0

Yes, creating our own version of the level is just to see what happens behind the scenes, then you have to reproduce it here.

Time Void [Chronon]
8 years ago

0

Yes, I know it, that's what I meant all along.

TH3 Cr3aToR [L3gand]
8 years ago

0

I got the answer from @Chronon, it’s a 4-letter hacking method and I have little knowledge of that hack. There is an exact same tutorial on the web to complete this level, but you have to find it.

bigheks
8 years ago | edited 8 years ago

11

As mentioned before, running it locally is just a method to debug more easily:

1. You can insert ‘var_dump()’ and ‘echo’ throughout the code
2. You can see server logs for errors
3. You can modify the code to be more verbose

This does not SOLVE the challenge for you, it just makes it EASIER to find out what is going on with the code.

I repeat, running it locally is not needed to solve this challenge, but if you can’t read/audit PHP code it might be handy.

To get the github repository to work:

Follow/install this to install mysql/php/apache.

After that is done, open a terminal:

apt-get install git
cd /var/www
git clone https://github.com/HackThis/real7-login.git
cd real7-login
nano class.user.php

Now edit the ‘__construct()’ function so it looks like this:

        public function __construct() {
            // Local database settings for the cloned copy of the level
            $this->db_name = "real7";
            $this->db_host = "localhost";
            $this->db_user = "root";
            $this->db_pass = "your_root_password_here";

            // Connect with PDO and return rows as objects
            $this->db = new PDO("mysql:host=$this->db_host;dbname=$this->db_name", $this->db_user, $this->db_pass);
            $this->db->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_OBJ);
        }

Save the file, go to a terminal:

mysql -u root -p  
[... type in password ...]  

create database real7;  

use real7;  

CREATE TABLE users( uid INT(6) UNSIGNED AUTO_INCREMENT PRIMARY KEY, username VARCHAR(30) NOT NULL, password VARCHAR(30) NOT NULL, email VARCHAR(50), reset VARCHAR(150) );  

insert into users(username,password,email) values("admin","123","admin@example.com");  

select * from users;  

Now you can visit the site at http://localhost/real7-login/

After this the real challenge begins :-)
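For anyone following the local setup above, here is an added example (not code from the real7-login repository or from bigheks' post) of the same constructor with the settings that make local debugging actually useful and avoid running the app as the MySQL root user: credentials come from environment variables, PDO is switched to exception error mode so failed queries land in the server log instead of silently returning false, and the connection uses a dedicated least-privilege account. The `REAL7_DB_*` variable names, the `real7app` user and the `findByUid()` helper are assumptions for this example.

```php
<?php
// Added example: a hardened version of the local-debugging constructor above.
// Not part of the HackThis real7-login repository; names below are assumptions.
//
// Create a dedicated account once in the MySQL shell instead of using root
// (hypothetical user name and password; adjust to your setup):
//   CREATE USER 'real7app'@'localhost' IDENTIFIED BY 'change_me';
//   GRANT SELECT, INSERT, UPDATE ON real7.* TO 'real7app'@'localhost';
//
// Then set REAL7_DB_USER / REAL7_DB_PASS in the environment of the web server process.

class User {
    private $db;

    public function __construct() {
        // Read credentials from the environment rather than hard-coding them.
        $host = getenv('REAL7_DB_HOST') ?: 'localhost';
        $name = getenv('REAL7_DB_NAME') ?: 'real7';
        $user = getenv('REAL7_DB_USER');
        $pass = getenv('REAL7_DB_PASS');
        if ($user === false || $pass === false) {
            throw new RuntimeException('REAL7_DB_USER and REAL7_DB_PASS must be set');
        }

        $dsn = "mysql:host=$host;dbname=$name;charset=utf8mb4";
        $this->db = new PDO($dsn, $user, $pass, [
            // Surface every failed query as an exception: with the default
            // silent mode a bad query returns false and the bug stays hidden.
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_OBJ,
            // Use real server-side prepared statements, not client-side emulation.
            PDO::ATTR_EMULATE_PREPARES   => false,
        ]);
    }

    // Lookup against the users table from the schema above, with a bound
    // parameter so the uid value never becomes part of the SQL text.
    public function findByUid(int $uid) {
        $stmt = $this->db->prepare('SELECT uid, username, email FROM users WHERE uid = :uid');
        $stmt->execute([':uid' => $uid]);
        return $stmt->fetch() ?: null;
    }
}
```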

tehron
8 years ago

0

tl;dr ;P

cn9 [1337boy]
8 years ago

0

C'mon guys, the level has only been up for a couple of days and you already want hints? :P

f0rk [HackingGuy]
8 years ago

0

Yes xD
