Wednesday, April 23, 2014
Real 4

A guide to a hard challenge *minimal spoilers*



OK, when we first come up to this challenge, we’re faced with a fairly blank page.
Have a poke around, and then try the email box. Whoops, redirected. Get around that and have another poke around. (From this point on, every time you see a new page, have a poke around.) Now, admins set their cookie? What could that be? Worry about it later. Aha! Now we have a directory, so go there.

Now we have a login. You might try injecting it with the admin user and a nice SQL injection, or you could try the details we’re given in the challenge description. So we have a look around: nothing of use… except the search option. Try whatever you want, you’ll get the same error, so go back and do what it says.

A list of users? But with no passwords (come on, it’s never that easy). You could try to inject the member search page, or you could do it the easy way. There aren’t many tools around here that look very admin-like, so look around all the pages you’ve been to so far until you find the admin section. **hint: open the page source, Ctrl+F, search for admin**

Now you’ve found it and we have the username, but no password! Not to worry: what pages are in the user section? There are probably the same pages inside the admin section. Now that we’re in there, we need to revisit what we’re actually trying to do. We want to erase Ghost’s records. What page holds all the data? <<**hint**>> Go looking for the records. Now that we have found them, go do some research on actions and PHP; it’s not too hard.

Now that we have that, we need to clear the logs; we don’t want to get caught now, do we? So we use the same principle we used to find the records. Now, what did we get just before? Use that and be done with this well-written challenge.

**For the record, when I said worry about the admin cookie later, I meant MUCH later, i.e. never.**
***If this article helps you, please rate it...***

Comments

minermonk on August 16 2006 - 01:49:53
I like the way this article gives a general overview of the challenge without giving away too many spoilers; it should make some users' lives a bit easier. Too bad I completed this a few days before ;)
richohealey on August 16 2006 - 03:31:41
Thanks heaps miner, it's my first attempt. I wrote it like this because it pissed me off when I read an article hoping for a little hint and it all but gave me the solution. If anyone thinks I should add, remove, amend or fix anything, please say.
BluePain on September 15 2006 - 17:42:56
Hum, this article was quite a mess. I didn't understand it all, so I did work on my own. But I did get some help and hints from it. (Haven't finished the challenges yet, can't find out how to delete the logs.)
R3M0T3 H4CK3R on September 23 2006 - 08:45:53
I agree with BluePain, it is a bit of a mess, but I can't find out how to delete the records.
richohealey on October 06 2006 - 01:45:21
I didn't want to give away the answers, just some hints to people who were struggling, so I was fairly unspecific about how to do things. If I was writing an article about defacing a page, I would have gone into detail about how to delete logs and avoid detection, but since this is a challenge, I thought you might want to work it out a bit for yourself. These articles aren't intended to be like recipes that you can follow precisely and be sure nothing will go wrong or force you to think.
loxaXcracker on October 06 2007 - 14:37:39
You have 100% confused me...
jacobcapra on April 29 2008 - 22:41:12
I'm stuck on just getting past the stupid redirect.... I have an add-on that lets me edit pages, but for some reason I can't edit the refresh tag.... idk? Tips?
jacobcapra on May 20 2008 - 22:42:53
OK, nvm... now I'm at where to find the ghost records from the admin panel??
Hertz on August 19 2008 - 13:07:52
How do I make the page not redirect? I mean, to remain on the login page. I deactivated JavaScript!
RedDragon on August 26 2008 - 16:37:00
If you are fast, you can stop the redirection with ESC! ;)
thetrojan01 on April 22 2009 - 10:56:02
Or just go to your browser's options and select Warn before redirection.
Lemmink on February 07 2013 - 11:18:58
Or Google hack. inurl:"some good stuff" will get you pretttty far. But not all the way. :(