Thread subject: Security Override :: Programming 10

Posted by fox64 on 01/04/2011 11:24:19
#1

I'm a little confused and skeptical that this challenge is actually working.

From what I understand, the moo directory is:
http://securityoverride.com/challenges/programming/10/moo/
This page says that this dir contains dir's 1-100. This page is plaintext.
When navigating to one of the pages:
http://securityoverride.com/challenges/programming/10/moo/1/
It says fail. What I'm getting from this challenge is that 3 of these pages will give the 3 keys instead of saying fail.
When I run my script over all the pages, 1-100, they all contain Fail.
Am I missing something?

Posted by ne011 on 01/04/2011 11:35:37
#2

fox64 wrote:
I'm a little confused and skeptical that this challenge is actually working.

From what I understand, the moo directory is:
http://securityoverride.com/challenges/programming/10/moo/
This page says that this dir contains dir's 1-100. This page is plaintext.
When navigating to one of the pages:
http://securityoverride.com/challenges/programming/10/moo/1/
It says fail. What I'm getting from this challenge is that 3 of these pages will give the 3 keys instead of saying fail.
When I run my script over all the pages, 1-100, they all contain Fail.
Am I missing something?


I think you are missing sessions :)

- - - - - - - - - - - - - - - - - - - - - -

Posted by tiiger1111 on 01/04/2011 11:36:47
#3

Maybe you're missing cookies..

Edit : lol ne011, 1 minute between our replies :)

Edited by tiiger1111 on 01/04/2011 11:39:30

Posted by Null Set on 01/04/2011 11:43:42
#4

Well, these two have answered your question. Remember that the folder where the texts are in varies for each session so it is important that the script you use also contains the session that you currently have. :)

Posted by libertad on 06/01/2011 02:22:01
#5

Hello,

First of all, congrats for this website and the challenges. I'm a French user and appreciate it a lot.

I have a question about this challenge :

Is the first goal to write a script to find the moo directory? (Does the script have to scan all URLs of the website to find the moo directory, or just scan all subfolders of this directory: http://securityoverride.com/challenges/programming/10/moo/)

thank you !

Posted by ne011 on 06/01/2011 05:15:09
#6

libertad wrote:
I have a question about this challenge :

Is the first goal to write a script to find the moo directory? (Does the script have to scan all URLs of the website to find the moo directory, or just scan all subfolders of this directory: http://securityoverride.com/challenges/programming/10/moo/)


Write a script that will scan the sub folders of this moo dir, which contains 1-100 folders.

- - - - - - - - - - - - - - - - -

Posted by libertad on 06/01/2011 05:31:08
#7

ok thanks !

Posted by banyrock on 06/16/2011 12:20:29
#8

it always displays fail.......


check it plz

Posted by Qwexotic on 06/16/2011 12:49:18
#9

banyrock wrote:
it always displays fail.......


check it plz


The challenge works. The problem you're encountering is that your program is not "logged in" as you. Read the posts above (again?).

Posted by banyrock on 06/21/2011 14:29:30
#10

not working, I tried to check them manually, so I logged in to the site, then entering the challenge......


same thing........... :(

Edited by banyrock on 06/21/2011 14:30:16

Posted by madf0x on 06/21/2011 17:07:50
#11

banyrock wrote:
not working, I tried to check them manually, so I logged in to the site, then entering the challenge......


same thing........... :(


Then you are simply doing it wrong :P

Posted by miaouPlop on 10/24/2011 18:29:49
#12

ne011 wrote:
fox64 wrote:
I'm a little confused and skeptical that this challenge is actually working.

From what I understand, the moo directory is:
http://securityoverride.com/challenges/programming/10/moo/
This page says that this dir contains dir's 1-100. This page is plaintext.
When navigating to one of the pages:
http://securityoverride.com/challenges/programming/10/moo/1/
It says fail. What I'm getting from this challenge is that 3 of these pages will give the 3 keys instead of saying fail.
When I run my script over all the pages, 1-100, they all contain Fail.
Am I missing something?


I think you are missing sessions :)

- - - - - - - - - - - - - - - - - - - - - -


I think I'm doing the same thing but I really don't understand why!
I fix my session using cURL in PHP. I run the same script since the beginning of the computer challenges and it always worked but here, it's not doing it!
I ask for session, I get it. I ask for the ashes, I get them. Then try to open all moo/x folders with this very same session using two ways: cookies and PHPSESSID in url parameters. But whatever I try, I still get "fail". Is the session problem coming from the use of a subdirectory?
If the aim of this challenge is the understanding of session management then, I'll try to figure this out alone but, if not, please, help me! xD

Sorry for the inconvenience and for asking what is possibly obvious! But thank you for the future help!

Posted by auditorsec on 10/25/2011 04:05:19
#13

miaouPlop wrote:
ne011 wrote:
fox64 wrote:
I'm a little confused and skeptical that this challenge is actually working.

From what I understand, the moo directory is:
http://securityoverride.com/challenges/programming/10/moo/
This page says that this dir contains dir's 1-100. This page is plaintext.
When navigating to one of the pages:
http://securityoverride.com/challenges/programming/10/moo/1/
It says fail. What I'm getting from this challenge is that 3 of these pages will give the 3 keys instead of saying fail.
When I run my script over all the pages, 1-100, they all contain Fail.
Am I missing something?


I think you are missing sessions :)

- - - - - - - - - - - - - - - - - - - - - -


I think I'm doing the same thing but I really don't understand why!
I fix my session using cURL in PHP. I run the same script since the beginning of the computer challenges and it always worked but here, it's not doing it!
I ask for session, I get it. I ask for the ashes, I get them. Then try to open all moo/x folders with this very same session using two ways: cookies and PHPSESSID in url parameters. But whatever I try, I still get "fail". Is the session problem coming from the use of a subdirectory?
If the aim of this challenge is the understanding of session management then, I'll try to figure this out alone but, if not, please, help me! xD

Sorry for the inconvenience and for asking what is possibly obvious! But thank you for the future help!

Apart from session mgmt, you need to take care of timer, your loop should be fast enough.

Posted by miaouPlop on 10/25/2011 07:48:29
#14

auditorsec wrote:
Apart from session mgmt, you need to take care of timer, your loop should be fast enough.


Thx for the reply!

My script is fast enough. At the end I generally still have 60 seconds to go before the end of the chall.

Can I PM you my script?

Posted by auditorsec on 10/25/2011 09:59:33
#15

miaouPlop wrote:
auditorsec wrote:
Apart from session mgmt, you need to take care of timer, your loop should be fast enough.


Thx for the reply!

My script is fast enough. At the end I generally still have 60 seconds to go before the end of the chall.

Can I PM you my script?

yes, sure u can

Posted by Abhinav2107 on 01/18/2012 02:39:07
#16

I just completed this mission. One thing which I didn't like was that there were only the required three passwords in the sub directories. That way I didn't even have to bother looking at what passwords I had to find. I think there should be some random other passwords too so that one has to actually check for the correct password. I know even this won't pose a hurdle but still it'll at least be a little something extra. I mean just a simple for loop for Programming "10" doesn't feel challenging.

Posted by thu062012 on 01/19/2012 01:43:51
#17

Hi

You can find this info by using search box in the top of website with some keywords related before posting questions.

Posted by Abhinav2107 on 01/19/2012 03:54:33
#18

thu062012 wrote:
Hi

You can find this info by using search box in the top of website with some keywords related before posting questions.


Huh?

Posted by EAN_Lord on 04/13/2013 19:23:05
#19

Any tips on how to do that session thing? I just can't figure out how to send it with the URL.

Posted by Teddy on 04/14/2013 04:55:18
#20

You do not send it within the URL; you need to send your session in the HTTP cookie field of your request. I do not know with what language you are doing that. But if you use a library for sending HTTP requests there is most likely a function which helps you to set the cookie. Just copy your session (e.g. with tamper) and make the request with that as cookie field.

Posted by thefinder on 06/29/2013 20:11:30
#21

Hi, what is the format I have to send?
like that:
1:e92nb0s4; 50:un2r9nw7; 100:48bn20b6
or like that:
1 50 100
Or another one?

Thanks.

Posted by Abhinav2107 on 06/29/2013 23:34:31
#22

Like this:
1:e92nb0s4; 50:un2r9nw7; 100:48bn20b6
as illustrated in the example.
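
What the replies from Teddy and Abhinav2107 describe (the session sent in the HTTP Cookie header, the answer in `n:key; n:key; n:key` form), shown as an added example that is not part of any post in this thread. The local mock server, its session id and its key values are constructed, and its rule that keys are returned only for the matching PHPSESSID is an assumption about the back end based on the replies above.

```python
import threading
import urllib.request
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed values for a local mock; not real session ids or challenge keys.
SESSION_ID = "constructed-session-id"
KEYS = {15: "aaaa1111", 53: "bbbb2222", 96: "cccc3333"}

class MooHandler(BaseHTTPRequestHandler):
    """Assumed back-end rule: keys are visible only to the matching PHPSESSID."""
    def do_GET(self):
        jar = SimpleCookie(self.headers.get("Cookie", ""))
        sid = jar["PHPSESSID"].value if "PHPSESSID" in jar else None
        last = self.path.strip("/").split("/")[-1]
        n = int(last) if last.isdigit() else 0
        body = KEYS.get(n, "fail") if sid == SESSION_ID else "fail"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(body.encode())

    def log_message(self, *args):  # silence per-request logging
        pass

def scan(base_url, session_id=None):
    """Fetch moo/1..100 and return the non-fail pages as 'n:key; n:key'."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    found = []
    for n in range(1, 101):
        req = urllib.request.Request(f"{base_url}/moo/{n}/")
        if session_id is not None:
            # The session travels in the Cookie header, not in the URL.
            req.add_header("Cookie", f"PHPSESSID={session_id}")
        with opener.open(req, timeout=5) as resp:
            text = resp.read().decode().strip()
        if text.lower() != "fail":
            found.append(f"{n}:{text}")
    return "; ".join(found)

def demo():
    server = HTTPServer(("127.0.0.1", 0), MooHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_port}"
    try:
        return scan(base), scan(base, SESSION_ID)
    finally:
        server.shutdown()
        server.server_close()
```

`demo()` returns the result of the same loop run twice: once without the cookie, where every page reads "fail", and once with it.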

Posted by Froxx on 10/30/2013 11:00:22
#23

Maybe I just don't search for the right things, but I can't find any useful guides how to pass the session in Java. Could you guys help me here?

Posted by ArkPhaze on 12/01/2013 19:48:34
#24

edit:
Froxx wrote:
Maybe I just don't search for the right things, but I can't find any useful guides how to pass the session in Java. Could you guys help me here?


You have to recreate the cookies that can be seen when you search for them via your web browser. Look for most importantly the cookie named PHPSESSID. There are others. It is very simple though.

I'm not a Java programmer in specific though so I couldn't tell you what methods and/or wrappers are available for web programming in that regard.

----------------------------------------------------
Hmm, I wrote a program that logs in with a new session, just to see if I could get anything with an active session, and I get some values, but not all? I would've expected it to be an all or nothing deal, but the oddities here just confuse me now as to how it works on the back-end:

Code
1:fail
2:fail
3:fail
4:fail
5:fail
6:fail
7:fail
8:fail
9:fail
10:fail
11:fail
12:fail
13:fail
14:fail
15:56b175f2
16:fail
17:fail
18:fail
19:fail
20:fail
21:fail
22:fail
23:fail
24:fail
25:fail
26:fail
27:fail
28:fail
29:fail
30:fail
31:fail
32:fail
33:fail
34:fail
35:fail
36:fail
37:fail
38:fail
39:fail
40:fail
41:fail
42:fail
43:fail
44:fail
45:fail
46:fail
47:fail
48:fail
49:fail
50:fail
51:fail
52:fail
53:3b1cbcae
54:fail
55:fail
56:fail
57:fail
58:fail
59:fail
60:fail
61:fail
62:fail
63:fail
64:fail
65:fail
66:fail
67:fail
68:fail
69:fail
70:fail
71:fail
72:fail
73:fail
74:fail
75:fail
76:fail
77:fail
78:fail
79:fail
80:fail
81:fail
82:fail
83:fail
84:fail
85:fail
86:fail
87:fail
88:fail
89:fail
90:fail
91:fail
92:fail
93:fail
94:fail
95:fail
96:4374b9dc
97:fail
98:fail
99:fail
100:fail





I figured I could view my session and bind that with my program once I got something working, this way I wouldn't have to wait for the httprequest's to finish, as long as my session didn't change from the time I cloned it and ran the program, as all of the directory passwords should be the same, thus enabling me to query directly from my filesystem.

Keep note that the above output was retrieved all with the same session via my compiled program. :S

Tried spoofing my current browsing session by adding the cookies manually. PHPSESSID, etc... It was all correct because I had bypassed my login method and requested that the challenge description be returned, and I could retrieve that text without error. (I know you have to be logged in to view it.) However, I still get a bunch of "fail" responses.

I know my manual login method works as well because I can see the description and the redirect to "http://securityoverride.org/setuser.php?user=ArkPhaze".

Anybody care to shed some light on this a bit more? Maybe I'm tired... The cookies I have formed; PHPSESSID, fusion_visited, fusion_user, fusion_lastvisit.

I'm starting to think that this "fail" message is not because I'm "not logged in", because I am able to successfully create my own login session, and spoof my existing firefox one through my program. Yet there remains to be seen a time where I can view all 100 directory contents without receiving a "fail" message. :S Even through my web browser I can't see any passcodes where I am visibly logged in.

Edited by ArkPhaze on 12/01/2013 20:44:07