Realist

Sunday 11 October 2020, 14:55  #1
Realist - Web TV
jam
jam
  • 99 posts

Hi,

I admire people, who are sitting and watching TV endless time without making any noise just giving up everything and loosing control. :)
By the way, i was really smart enough to give a chance to burp and made a couple tests. Well, first of all, like many of the people i tried to rewrite the url. As it was expected i got answers. That was not much enough. I tried to login and saw there are errors on the screen which were quite okay. The injection was either to weak or for now in impossible range. Maybe there is another way to look for other kind of injection. I do not know, but in my mind there is a way out there. The easiest way to get in is always the direct one. :)

For now see you later and keep calm,
thx for watching TV eagerly,
Without hesitating just fly,

Wednesday 14 October 2020, 16:14  #2
Realist - Web TV
jam
jam
  • 99 posts

Hi,

After several trying and scanning papers about a possible injection, i am breathing easy and must say, "it is not that much easy TV." Therefore the "hard" remark upon the page was guessable one. Web-TV is using the standard charset; because of that the function that claims to be somewhat when error is being fired up is not so useful.
How can i make a useful injection, when the quotes are still being escaped ?
The Far-East method will not work here. I do not think so.

When i use burp, i have seen when i input a password and add after that a special character, it behaves variable, i means it reacts on password length and the inside of it. Sometimes it gives "no such user" or throws an error.
Just puzzling about the code how it could be written for this reaction. We will see.
Old challenge, very old and deep one. :)

Thx for help
and yeah we can,
so long,

Wednesday 14 October 2020, 20:39  #3
Realist - Web TV
jam
jam
  • 99 posts

Hi,

well, i found a way to get in. Take care about your encodings.

The sad side is how to inject... to make the session logged in.

I am seriously working at that. I had to know that the challenges which i did previously, would be great help to get this one too.

Today i am sick and tired,
thx for not loosing your head,
greetings,

Thursday 15 October 2020, 20:56  #4
Realist - Web TV
jam
jam
  • 99 posts

Hi,

Well, i found a way to get SHA1 hash. Simply login for database somewhere else. I could not crack it within a short time and i do not think i should crack it. The direct way would be an injection on the page, i suppose so at least. I am working on that issue. It is a matter of minutes to get this challenge far way out my mind.

So long,

and kissy kissy,
:)

Thursday 15 October 2020, 21:48  #5
Realist - Web TV
jam
jam
  • 99 posts

Hi,

i just managed the challenge. I had to read the code more carefully. I got the flag...

oh my dear,
thankfully i bear,
without your love,
sun will not shine,

thx for this challenge, yeahhhh.....

New reply New reply   New topic New topic