HiddenLinking

Url stuff

If you try urls like this:

http://www.ilovebees.com/a/bla.html

http://www.ilovebees.com/bla/.html

you get an empty page back.

If you leave off the .html part you get the 404 page.

This happens for / \ and ~ (%2f %5c and %7e)

http://www.ilovebees.com/a|b.html

http://www.ilovebees.com/a|.html

You will get a login prompt.

If you leave off the .html part you get the 404 page.

This happens for " %3f and | (%22 ? and %7c)

ilovebees is running ASP.NET

Note that

* .html * .gif * .jpg * .txt * .aspx

all have the same effect. These extensions are mapped on the server to applications (no other extensions I tried worked).

Since it considers .aspx an application extension I think it can be concluded that the server is running ASP.NET.

~ not necessarily. www.ilovebess.com/default.aspx returns a 404 and netcraft lists two Apache/mod_ssl/PERL/PHP servers and one Windows 2003/IIS server, so it's likely a multiserver farm. Apache is probably serving the bulk of the web pages, and it might have some ASP connectivity. --UserGunsmithCat 05:32, 10 Aug 2004 (PDT)

~ well, putting a |, ", \, ~, / or %3f in a url ending with one of these extensions triggers something other than a 404. Most likely all the extensions listed above are handed off to one or more applications running on the IIS server. Since no .php, .jsp, .cgi, .asp, or other extension causes the same reaction I assume they are using ASP.NET for the dynamic content handling (all .html, .gif, .jpg, .txt and .aspx requests get their response from such a dynamic handler. The 404 error page is also handled by an application as it is dynamic.) This knowledge is useless ofcourse, but it does provide some insight in the setup they're running. --UserKender 06:20, 10 Aug 2004 (PDT)

Internal Server Info

I grabbed the NTLM handshake message from the server when trying the login prompt mentioned above and decoded it.

The most important part of info is that I apparently ended up on a server with the internal address of 50472-WEB2.iad.intensive.int

Update: A lot of RackSpace hosted servers that have nothing to do with the game have a ***.iad.intensive.int internal name.--UserKender 06:48, 5 Aug 2004 (PDT)

This is the complete base64 decoded NTLM challenge message with my analysis:

4e544c4d53535000 NTLMSSP signature

02000000 Type 2 indicator

0600060038000000 Target Name Security Buffer:

Length: 0x0600 = 6

Allocated space: 0x0600 = 6

Offset: 0x38000000 = 56

05828902 Flags:

00000005 ?

00000200 Negotiate NTLM

00008000 Negotiate Always Sign

00090000 ?

00800000 Negotiate Target Info

02000000 ?

00752E88F7457192 Challenge

0000000000000000 Context

a600a6003e000000 Target Information Security Buffer

Length: 0xa600 = 166

Allocated space: 0xa600 = 166

Offset: 0x3e000000 = 62

0502ce0e0000000f Unknown

Start of Target Name (offset 56)

490041004400 Target Name = IAD

Start of Target Information (offset 62)

0200 Domain name Subblock

0600 Length = 6

49004100400 Domain Name = IAD

0100 Server Name Subblock

1400 Length = 20

350030003400370032002d005700450042003200

Server Name = 50472-WEB2

0400 DNS Domain Name Subblock

2200 Length = 34

6900610064002e0069006e00740065006e0073006900760065002e0069006e007400

DNS Domain Name = iad.intensive.int

0300 DNS Server Name Subblock

3800 Length = 56

350030003400370032002d0057004500420032002e006900610064002e0069006e00740065006e0073006900760065002e0069006e007400

DNS Server Name = 50472-WEB2.iad.intensive.int

0500 Parent DNS Subblock

1a00 Length = 26

69006e00740065006e0073006900760065002e0069006e007400

Parent DNS = intensive.int

00000000 Terminator

--UserKender 03:43, 5 Aug 2004 (PDT)

Something strange on the 404 page

I checked not all of them but a few and when you get the 404 error page it says "The server has not found anything matching the Request-URI." notice the mistake of UR"I" I dont know if this is relevant at all just thought I would through something in here as a new member. Also I think I remeber there being another mistake with and I instead of 1 somewhere else on this ARG.

- Mack Swift

*URIs

This document defines a way to encapsulate a name in any registered name space, and label it with the the name space, producing a member of the universal set. Such an encoded and labelled member of this set is known as a Universal Resource Identifier, or URI.

The universal syntax allows access of objects available using existing protocols, and may be extended with technology.

The specification of the URI syntax does not imply anything about the properties of names and addresses in the various name spaces which are mapped onto the set of URI strings. The properties follow from the specifications of the protocols and the associated usage conventions for each scheme.

*URLs

For existing Internet access protocols, it is necessary in most cases to define the encoding of the access algorithm into something concise enough to be termed address. URIs which refer to objects accessed with existing protocols are known as "Uniform Resource Locators" (URLs) and are listed here as used in WWW, but to be formally defined in a separate document .

MoinMoin Powered

EditText of this page (last modified 2004-08-25 05:10:11)

Or try one of these actions: LikePages, LocalSiteMap, SpellCheck