| XSS in Basic 26 | |
| User | fallingmidget |
| Reward | 25 points |
| Description | fallingmidget was able to bypass the filter and insert her own JavaScript into the page. |
| CSRF Via Variable Injection | |
| User | system_meltdown |
| Reward | 35 points |
| Description | system_meltdown was able to use a variable injection string (http://www.hellboundhackers.org/?_POST=lol=rofl.png) inside an image tag which would log someone out. |
| Real 17 Compression Stream Exploit | |
| User | MrBlueSky |
| Reward | 180 points |
| Description | MrBlueSky was able to find an exploit in real17. This exploit allowed him to run a zip stream to back up the config files and then proceed to download them. |
| XSS | |
| User | Uber0n |
| Reward | 40 points |
| Description | Uber0n found multiple XSS vulnerabilities in the site. |
| Server Security | |
| User | richohealey |
| Reward | 100 points |
| Description | richohealey found and removed several malicious files that were uploaded onto the server and could have been used to cause damage. |
| DNS Injection | |
| User | richohealey |
| Reward | 200 points |
| Description | richohealey found and fixed a DNS exploit on the server which would have enabled him to redirect the website to any location he wanted. |
| Access to Database | |
| User | only_samurai |
| Reward | 200 points |
| Description | only_samurai was able to remotely brute force the database and thus gained full access! |
| Profile Page XSS | |
| User | Th3Gamester |
| Reward | 50 points |
| Description | Th3Gamester exploited HBH's dynamic titles on the profile page and injected XSS by requesting a page such as /profile/xss.html and has been awarded 50 points. |
| SQL Injection | |
| User | K_ros |
| Reward | 100 points |
| Description | K_ros found a SQL Injection in the PM system and could execute his own SQL queries. |
| XSS | |
| User | sasi2103 |
| Reward | 25 points |
| Description | sasi2103 was able to inject javascript onto the page in real 2 by manipulating the PHP_SELF variable. |
| CSRF | |
| User | only_samurai |
| Reward | 15 points |
| Description | only_samurai was able to ban, unban, and delete any member he made by a CSRF in his profile when viewed by an admin. |
| Messages XSS | |
| User | Uber0n |
| Reward | 30 points |
| Description | Uber0n found an XSS hole in the messages pages that allowed him to inject code and send it to members. |
| Held off a DDoS attack | |
| User | only_samurai |
| Reward | 80 points |
| Description | only_samurai held off an extremely large DDoS attack on the hbh server and ensured the website suffered 0 downtime! |
| Phishing via [IMG] tags | |
| User | The_Cell |
| Reward | 80 points |
| Description | The_Cell was able to trick members by asking them to enter their login details. The_Cell then logged their username and password via a .htaccessed image. |
| XSS in [mail] tag | |
| User | mr noob |
| Reward | 30 points |
| Description | mr_noob was able to take over any page with his sig by bypassing the [mail] tag and adding styles. |
| XSS in [mail] tag | |
| User | thk-geo |
| Reward | 15 points |
| Description | thk-geo was able to make an alert box pop up if a user clicked on a link in his sig. |
| CSRF | |
| User | mozzer |
| Reward | 100 points |
| Description | mozzer was able to edit users titles, user notes and profiles just by sending them a link to his site. |
| XSS | |
| User | spyware |
| Reward | 50 points |
| Description | Spyware was able to inject XSS into the forums, which was executed for people using the following browsers: IE6, Opera, and Netscape. He has been awarded 50 points for this. |
| XSS | |
| User | only_samurai |
| Reward | 30 points |
| Description | only_samurai was able to inject html into the shoutbox that would only be visible to admins via the shoutbox administration tool. This could enable him to redirect an admin to any page he wished. |
| Denial of Service | |
| User | insidious |
| Reward | 70 points |
| Description | Could have caused a Denial of Service attack on HBH by bypassing the filter on real 12 and including a certain page. |
| CSRF in Avatars | |
| User | mozzer |
| Reward | 35 points |
| Description | mozzer was able to use PHP to utilize CSRF in avatars. |
| Denial of Service | |
| User | mozzer |
| Reward | 70 points |
| Description | mozzer could have caused a Denial of Service attack on HBH by bypassing the filter on real 12 and including a certain page. |
| CSRF in avatar | |
| User | Xenoix |
| Reward | 30 points |
| Description | Xenoix was able to put the HBH logout URL into the avatar field and make people log out when they viewed a page with his avatar on. |
| Various Challenge XSS | |
| User | K_ros |
| Reward | 50 points |
| Description | K_ros managed to find various XSS holes in many of the challenges and has been awarded: 50 points. |
| Blind MySQL Injection | |
| User | system_meltdown |
| Reward | 100 points |
| Description | system_meltdown found a blind MySQL injection vulnerability in the PM system. |
| Real 12 Filter | |
| User | K_ros |
| Reward | 80 points |
| Description | K_Ros managed to bypass the filter on real 12 again. This allowed him to view any file or directory he wanted on hbh, or even include his own shell. |
| XSS | |
| User | K_ros |
| Reward | 30 points |
| Description | K_ros found a Cross Site Scripting exploit in the newsletter panel. |
| SQL Injection | |
| User | wolfmankurd |
| Reward | 200 points |
| Description | Found a blind SQL injection vulnerability in the PM system. |
| WhiteAcid | |
| User | WhiteAcid |
| Reward | 250 points |
| Description | WhiteAcid was able to find XSS holes in several areas of the site. From this he developed an exploit to allow him to steal plaintext passwords from any user he wished. |
| cURL Script | |
| User | system_meltdown |
| Reward | 40 points |
| Description | system_meltdown used a cURL script in PHP to view the admin shoutbox entries. |
| Realistic 12 - File Inclusion | |
| User | K_ros |
| Reward | 250 points |
| Description | K_ros was able to escape the files by using escaped HTML to browse any directory or view any file he wanted. |
| Realistic 12 - Remote File Inclusion | |
| User | IPYouFy |
| Reward | 200 points |
| Description | IPYouFy was able to exploit the filter of realistic 12's index page and he successfully included a shell which provided him full file access. |
| UBB - [URL] tag | |
| User | Jake |
| Reward | 50 points |
| Description | Jake was able to escape the filters in the [url] UBB tag and inject XSS. |
| XSS in Realistic 8 | |
| User | system_meltdown |
| Reward | 30 points |
| Description | system_meltdown was able to include html tags in his refer. This refer was then logged in real 8 and anyone attempting the challenge would execute his code. |
| [IMG] Tag XSS vulnerability | |
| User | system_meltdown |
| Reward | 75 points |
| Description | system_meltdown was able to escape our filters and insert a line segment that would allow him to make an alert box on any page that allowed BB code. |
| XSS | |
| User | system_meltdown |
| Reward | 100 points |
| Description | system_meltdown was able to inject XSS into a function on the PM system. This could lead to stealing admin cookies. |
| XSS in members.php | |
| User | system_meltdown |
| Reward | 50 points |
| Description | system_meltdown was able to find XSS exploits in the members.php page by using the unfiltered variables. |
| XSS in Avatars | |
| User | skarecrow |
| Reward | 100 points |
| Description | SkareCrow was able to inject XSS into the avatars. He used this to create a huge avatar that deformed the site's layout and could have stolen cookies. |
| Database Backup Scanner | |
| User | skarecrow |
| Reward | 150 points |
| Description | Skarecrow was able to make a C++ program that generated every possible combination of backups and then checked them. He would then download the backups and crack the admin hashes. |
| XSS | |
| User | thegreatone2176 |
| Reward | 100 points |
| Description | TheGreatOne2176 was able to execute JavaScript in submit article, submit link, and submit news. |
| View Admin Threads | |
| User | thegreatone2176 |
| Reward | 150 points |
| Description | TheGreatOne2176 was able to enter a special id in the URL bar and he could see admin threads. |
| XSS | |
| User | FireSt0rm |
| Reward | 100 points |
| Description | Firestorm was able to inject XSS into the news comments and PMs. This could lead to the stealing of admin cookies. |
| Database Backup | |
| User | Jake |
| Reward | 200 points |
| Description | Jake was able to make a database backup without admin access and then download that backup and crack the admin hashes. |
