Follow us on Twitter!
The measure of a mans life is not how well he dies, but how well he lives.
Wednesday, April 16, 2014
Navigation
Home
HellBoundHackers Main:
HellBoundHackers Find:
HellBoundHackers Information:
Learn
Communicate
Submit
Shop
Challenges
HellBoundHackers Exploit:
HellBoundHackers Programming:
HellBoundHackers Think:
HellBoundHackers Track:
HellBoundHackers Patch:
HellBoundHackers Other:
HellBoundHackers Need Help?
Other
Members Online
Total Online: 19
Guests Online: 17
Members Online: 2

Registered Members: 82807
Newest Member: Black Hawk
Latest Articles

Real 14.

Arrow Image Easy guide to completing real 14.



Ok, this challenge consists of looking at the "structure" itself rather then doing a lot of looking around in the source etc.

Ok, you notice it say's FLog on the page. FLog? What is that? It is hbh native? Don't think so. Look at the side of the page where it says powered by FLog. If you view the source, you'll notice it's a link obviously. So click it! Hmm...it brings you to the authors home page. Interesting. Does it have any relevance to hbh? No, it doesn't. After all he's a hbh hater >: ( lol. Ok, ok, so we know this wasn't actually set up by hbh, it is powered by something other then it. Try going to releases and what not ;) just conduct a research on the product, and accumulate that information towards your advantage. As a big hint, why not google "FLog" flaws? ;)

Ok ok, did you find it? Good, but what on earth is that password thingy :S it's so confusing he can't remember that. That, my friend is a md5 hash. To get it into plain text, you'll need the following:

A hash dictionary attackin' program. I recommend hackin' the box, get it at hackinthebox.no-ip.org/HTB.exe. Or google "john the ripper"

Next you need a good wordlist. Basically, the program will read from the wordlist and try all words from within it to crack the hash. If it indeed matches with the hash, then it will give you a nice output. And we all aleady know what the login name is, so once you crack the hash, login, do what you got to do and congratulations, 40 points have been added ;) and thanks for reading my article, it's my first and I hope it helped!

*it's a fairly easy challenge, but I guess it gives you a good practice on finding 3rd party bugs*

Comments

F4k3on August 25 2006 - 22:20:51
that's cool!
hack4uon August 25 2006 - 22:45:13
yeah very simple real my real and SE are both gonna be hard level challenges Smile
-The_Flash-on August 25 2006 - 22:47:31
Could also mention downloading the flog and setting it up to see where important information can get saved is a possibility. Also MD5 Library on AIM can crack Md5 hashes almost instantly
What_A_Legendon August 25 2006 - 23:26:57
it was simple but i would of looked for a flaw for hours if it wasnt for this article eplaining u have 2 research Pfft
tancurromon August 25 2006 - 23:45:39
the md5 libraries were def the way to go if you know how to use jtr and cain already
Aciid_nuk3ron August 26 2006 - 00:14:37
Yeah md5 library is good, I submitted some 2800 words I believe =) type top 10 I'd be that bahbahbah guy lol
soloon August 26 2006 - 09:59:50
yeah i agree with the_flash,,, by downloading and setting up the flog we come to know where the critical info is going and how the Flog is behaving... Smile
AldarHawkon August 26 2006 - 15:43:57
I am very disapointed that this is already allowed. the challenge was just released and the article that tells the exact way to beat it is allowed within like 24 hours! WTF!
spywareon August 26 2006 - 22:27:21
don't worry too much alderhawk Wink I like the challenge.. but it's just too easy. It needs a part 2 or something. anyway, don't use jtr, use google Pfft
AldarHawkon August 27 2006 - 03:36:24
It has nothing to do with the difficulty of the actual challenge. Just the fact that it was released in 24 hours of the challenge being released is what is pissing me off. If you created a challenge and someone released an article on how to beat it less than 24 hours after it was released you would be upset too. I am working on a harder one now BTW. I do not know if it will be usable but we will see Wink This one will use quite a few tricks of the trade that are not even listed on this site.
omniwrath540on June 19 2007 - 21:31:08
i didn't download Flog i just google flog exploits. now just cracking the hash with C&A
NightSpyderon October 08 2008 - 01:46:54
Hey, I've been trying to do this challenge for some time now but everytime i get the chance to do it, there is something wrong with the information I seem to find on Google. The website for FLog is halted by its host. I found a site that gave me a link to the exploit and the site is no longer available. I'm seriously picking my brain to do this challenge, and it just seems like I am never going to get it done.
yutsion October 28 2011 - 23:37:27
It sucks that the author's website is gone, I have to use wayback machine.
Post Comment

Sorry.

You must have completed the challenge Basic 1 and have 100 points or more, to be able to post.