Thread: "hacking" challenge

I hope Xenu isn't checking these pages sequentially, and is instead choosing a random order...and I hope even more that if they aren't, our ISPs aren't watching this. We're not doing anything wrong, but it'll still look suspicious.

Originally posted by blackrat364
I hope Xenu isn't checking these pages sequentially, and is instead choosing a random order...and I hope even more that if they aren't, our ISPs aren't watching this. We're not doing anything wrong, but it'll still look suspicious.

well i have generated the pages in a some what random order.. but still you can say that they are sequential.. Any way it is not illegal.. It is like a contest and the full permision has been given by the site owner...



ISP's if they have an hawk eye may suspect sometrhing... think about checking 1.5 million web pages in a day from a single connection ..


so any whats the progress.. which file are you processing now.. and any luck?????

I've run (to be updated as I progress):
50-62

I'm running
63

No results yet

ok this is how the distribution has taken place

Code:

XSquared                1.rar                          0-24
Sang-drax               2.rar,4.rar                 25-49,75-99 
blackrat364             3.rar                         50-74

got feedback from blackrat364 and Sang-drax

have two more files 5.rar and 6.rar each containing 25 files...

there has to be an easier way for 9

Hey guys...is this function in the java for #9 going to be a problem?

Code:

    public void run()
    {
        do
            try
            {
                do
                {
                    xxoooxo.getthread();
                    xxxooo.getthread();
                    Thread.sleep(50L);
                } while(!warefuc);
                if(warez$$$$er == 5)
                {
                    repaint();
                    warefuc = false;
                } else
                {
                    warez$$$$er = warez$$$$er + 1;
                }
            }
            catch(InterruptedException interruptedexception) { }
        while(true);
    }

Edit: the explitives in the code were replaced with $$$$, decompile the .class if you don't get it.

In an attempt to figure out if there is, as the wookie suggests, an easier way to do this, I'm going through the code doing a search and replace on the variable names with more descriptive names. Anyone interested in the modified code should PM me.

yeah brute force can't be the only way, because that would also strain his server. can someone send me the class file or the url for level 9? i dont feel like going all through the other 8..lol..too tired and dont have time and im too lazy

Here are the two decompiled class files. They're text files, so you can open them in notepad.

I've looked over the source, and the only way to do it is through brute force. As long as 'Ab' is in the password somewhere, it will redirect you.

vasanth, you've made a mistake!

The files you've generated has upper-case B and C, but it should be lower-case (the server is case-sensitive).

Hehe, two hours of scanning in vain...

Vasanth! Gah, you make me sad. Are you going to fix that, or are we aborting?

those variable names are a pain in the ass

Never mind, I found the code for level 9!

If you'd like it, PM me... I don't want to spoil anything if you want to try yourselves.

yeah, they sure are. I didn't finish renaming them...mostly because I don't know Java, but also because I got bored. I think I may have only done two or three names, but it should be helpful, because I got some of the important ones (I think...they could be bad names, but they're still easier to read)

Change the extension on that file to .java

guys brute force is the only way.. since the pasword in no way stored in the applet.. it just redirects you to an HTML file based on the password.. and it will do it if there is an Ab in the pass..
any way Sang-drax has finished it.. i have PMed the other two with the password as they were a part of the crackin group.. and sorry guys for generating the URL with upper case.. i did not know the server was case sensitive..

now at level 10.. In level 10 the checking seems to be made at the client side itself.. But uses some complex algorithm to check and does not give away the pass as it is.. but should be easy since no server attack is needed.. any way workin on it.. will PM you if i get the result..