Realistic 11
Detailed tutorial to beat the most difficult Realistic challenge (worth 150 points)!

*Objectives*:

Clear the database
Delete all the pages

*Skills and prerequisites*:

Basic programming skill (cURL, PHP, JavaScript, HTML)
Application cracking and debugging

*Tutorial*:

Let's view the homepage: there's not much there, so have a look at the Staff page. There you will see a picture and a list of names.
Now click on "Client Login". That page has a (very basic) protection: when you enter a bad username/password combination, the form fields are disabled and you're locked out. If that happens, simply delete your "PHPSESSID" cookie and refresh the page. Click on "Help": the last point is very important. Now try every username you've found on the "Forgot password" page: there's only one valid user. Write down that username. Now you need its password. Go back to the login page... but wait. What's the form action? Go to that URL and you'll be redirected: that's not what we're looking for. You need to view the source of that page: you'll find something very interesting! OK, now you have the password too, so log in.

In the admin panel you'll have two options: "Remove Database" and "Delete Pages". Complete them in that order.
You'll clear the database by doubling a random number and submitting it in less than one second. You'll soon realize that this is impossible to do manually: you'll need to code something up. The simplest solution is JavaScript: use document.body.innerHTML to retrieve the page content and location.replace("***?number=***") to submit the form.
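The JavaScript approach described above, as an added example (not the author's code): the page wording, the target path and the parameter name are constructed placeholders, since the article masks the real ones with "***". It also shows why a one-second, client-side deadline is not a real control: a script extracts, doubles and resubmits the number instantly.

```javascript
// Added example, not part of the original article.
// Constructed sample of what the admin page text might look like; the real
// challenge page's wording is not given in the article.
const SAMPLE_HTML = "<p>Double this number: <b>4711</b></p>";

// Pull the integer that follows the word "number" out of the page text.
function extractNumber(html) {
  const m = /number[^0-9]*(\d+)/i.exec(html);
  if (!m) throw new Error("no number found in page text");
  return parseInt(m[1], 10);
}

// Build the submission URL. basePath stands in for the path the article
// masks as "***"; "number" is the parameter name the article shows.
function buildAnswerUrl(basePath, n) {
  return basePath + "?number=" + (2 * n);
}

// Whole step: read the page, double the number, produce the URL to load.
function solve(html, basePath) {
  return buildAnswerUrl(basePath, extractNumber(html));
}

// Browser glue: only runs where a DOM exists, so the functions above stay
// usable from Node as well. ANSWER_PAGE_PLACEHOLDER.php is a placeholder.
if (typeof document !== "undefined" && typeof location !== "undefined") {
  location.replace(solve(document.body.innerHTML, "ANSWER_PAGE_PLACEHOLDER.php"));
}
```

Paste it into the browser console while the admin page is open; the whole round trip takes milliseconds, far inside the one-second window.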

In order to delete pages, you'll have to download a certain piece of software called "KeyCheck". It is a Windows executable, and obviously it is a FILE. In which directory would you place a FILE? OK, now it's time to crack it: open it with OllyDbg. Right click on the main window and choose "Search for -> All Referenced Text Strings". You'll notice a nice UNICODE value there. Convert it to another format and CAPITALIZE (hint!) the result in order to pass the password check. The "Check" button is now named "Decrypt". Enter the random string provided by the admin panel and click on "Decrypt". Paste the result.

Congratulations! You've completed the challenge, and earned 150 points!

Please feel free to rate this article if it has been useful for you :)

Comments

JohnDoe on March 11 2007 - 19:22:21
Nice article miki, I wanted to do it with JS before but I was missing that little part Grin
Larika on March 11 2007 - 21:27:04
Nice, the JavaScript part.
JohnDoe on March 11 2007 - 21:47:24
This should help all of you guys out -> http://www.w3scho. . .string.asp
What_A_Legend on March 11 2007 - 23:58:06
Nice article, helped me get so far.
mikispag on March 12 2007 - 12:28:47
Thank you for your great ratings and comments! I'm glad to help you!
Itachi Uchiha on March 13 2007 - 07:06:52
Nice one.