Pen-testing challenge help

Guide on how to begin with, and hopefully finish, the pen-testing challenge (no spoilers, minor hints)

In this article, I will try to explain how to complete the pen-testing challenge, hopefully with no or only very minor spoilers.

Before even thinking about this challenge, you should have finished the majority of the basic challenges, or have knowledge and understanding of basic web exploits including:
SQL injection
Javascript injection
Include exploits
Full path disclosure
XSS (besides that, a lot of HBH articles etc. helped a lot)
Session poisoning
DoS (if you've got no idea what the hell this is, you can start here)

Tools required:
You shouldn't need any special tools. The only thing I used was Tamper Data, an add-on for Mozilla Firefox. It's also good to use Live HTTP Headers.

This challenge should work as a confirmation of the skills you acquired either from the basic and realistic challenges or from other resources, and should test not only your ability to apply that knowledge, but also to find and identify where you can apply it (the ability to look for exploits).
The objectives are to find and exploit any possible vulnerabilities, compromise the security of the web site and, among other things, possibly get access to member/admin accounts.

For all the exploits, use as basic a syntax as possible!!

Now to the actual challenge: you go to the pen-testing challenge page, and there is the link to the web site, and also, wow, a username and password to log in. That's easy, but as you will find out later, it doesn't work, so don't really bother trying...

Ok so now we can start with the pen-testing itself:
First off, you should start with observation: go through all the pages, check the source code, look for any clues; maybe notes within the source, any input areas, variables passed in the URL etc.

By now, you should have identified at least the two most obvious possible exploits.
For the first one, since you can't log in as a member, maybe you can do something else (if you don't know what, read the objectives, dumbass...). But what to input?! Maybe it uses some kind of common database, so what is the most common exploit for that?
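To make the point about the login form concrete from the defender's side, here is an added example (my own code, not the challenge site's; the in-memory `users` table and the `login_vulnerable` / `login_safe` names are constructed for illustration). It puts the weak pattern, where the typed values are glued into the SQL text, next to the parameterised form, where the driver sends them as data and a quote character in the input can never change what the statement does.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table for this example; it is not the
    challenge site's real schema and stores plaintext passwords only to keep
    the example short (a real site stores password hashes)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse', 'admin')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The weak pattern: user input pasted straight into the SQL text.
    A quote character in the input ends the string literal and the rest of
    the input becomes part of the WHERE clause, so the query's logic is
    under the client's control."""
    query = (
        "SELECT role FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterised query: the values travel separately from the SQL text,
    so whatever the client types is compared as data and can never alter
    the statement. This is the fix for the login form's weakness."""
    row = conn.execute(
        "SELECT role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_db()
    print(login_safe(conn, "alice", "correct horse"))  # admin
    print(login_safe(conn, "alice", "wrong"))          # None
```

Run it as a script to see the safe path accept the real credentials and reject wrong ones; the vulnerable function is kept only so you can compare how the two handle an input containing a single quote.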

The second exploit should be even more obvious; when you're browsing through the web site, it may be worth looking at how some of the files are accessed. Yeah, second exploit found (after exploiting those, you should have 40 points). But it doesn't really work, since we don't get the page requested. Then I suppose it's a different type of exploit, so what did we actually get from exploiting it?

General advice: ALWAYS read the error messages, because they may include vital information.
The content of the error message will help you finish one of the exploits (just by looking at it, even without knowledge of the code you should get the idea what it is about), which is covered later.
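The flip side of "always read the error messages" is what a site should be doing so there is nothing vital to read. The following is an added example of my own (not code from the challenge site; `report_error`, `leaks_path` and the missing template path are constructed for illustration): the leaky handler hands the exception text, absolute path included, to the client, while the hardened one logs the full traceback server-side and returns only a generic message with a reference id.

```python
import logging
import traceback
import uuid

log = logging.getLogger("pentest-example")


def report_error_naive(exc):
    """The leaky pattern: the exception text goes to the client. For a file
    error that text carries the absolute path of the file, which is exactly
    the full path disclosure the article tells you to look for."""
    return {"status": 500, "message": "Error: " + str(exc)}


def report_error(exc):
    """Keep the revealing detail server-side. The log record carries the full
    traceback (paths, line numbers, function names); the client only gets a
    generic message plus a reference id an operator can grep for."""
    ref = uuid.uuid4().hex[:12]
    detail = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    log.error("ref=%s\n%s", ref, detail)
    return {"status": 500, "message": "Internal error. Reference: " + ref}


def leaks_path(message):
    """Rough check: does a client-facing message reveal a filesystem location
    or a source-code position? The markers are illustrative, not exhaustive."""
    markers = ("/var/", "/home/", "/etc/", "C:\\", ".php", ".py", "line ")
    return any(m in message for m in markers)


def handle_request(path, safe=True):
    """Constructed request handler: tries to read a template file and turns
    the failure into a response under one of the two policies."""
    try:
        with open(path) as f:
            return {"status": 200, "body": f.read()}
    except OSError as exc:
        return report_error(exc) if safe else report_error_naive(exc)
```

Call `handle_request` with a path that does not exist and compare the two messages: the naive one names the file and its directory, the safe one does not, and the reference id is what ties the client's report back to the detailed log line.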

Now that you've logged in as admin, something has changed: you have one more page available. And there you can find a lot of input fields, which can be submitted to the server. That's just perfect for what kind of exploit?!
Let's try all the fields... Hmm, nothing happens, but wait, have you really tried ALL the input fields??
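"ALL the input fields" includes the ones the browser never draws. As an added example (my own, not the challenge site's code; the `SCHEMA`, field names and `render_profile` markup are constructed), here is a form handler that treats hidden fields exactly like visible ones: every field must be on a whitelist and match a pattern, unknown fields are refused, and everything is HTML-escaped at the point it is rendered, so a display name containing markup stays text.

```python
import html
import re

# Constructed whitelist for an "edit profile" form on an admin page. It lists
# every field the server will accept, including the two the browser renders
# as hidden: hidden only means "not drawn", not "not editable by the client".
SCHEMA = {
    "display_name": re.compile(r"[^\x00-\x1f]{1,40}"),    # any printable text, bounded
    "email":        re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+"),
    "user_id":      re.compile(r"\d{1,10}"),              # hidden field
    "csrf_token":   re.compile(r"[A-Za-z0-9_-]{16,64}"),  # hidden field
}


class FormError(ValueError):
    pass


def validate_form(data):
    """Input validation: unknown fields are rejected outright, every known
    field is mandatory and must match its pattern. The result is still raw
    text; it is NOT yet safe to put into HTML."""
    unexpected = set(data) - set(SCHEMA)
    if unexpected:
        raise FormError("unexpected fields: " + ", ".join(sorted(unexpected)))
    clean = {}
    for name, pattern in SCHEMA.items():
        value = data.get(name)
        if not isinstance(value, str) or not pattern.fullmatch(value):
            raise FormError("invalid value for " + name)
        clean[name] = value
    return clean


def is_valid(data):
    """Convenience wrapper: True if validate_form accepts the submission."""
    try:
        validate_form(data)
        return True
    except FormError:
        return False


def render_profile(clean):
    """Output encoding at the point of use: each value is escaped for the
    HTML context it lands in, so text that passed validation (display names
    may legitimately contain '<' or '&') cannot become markup or script."""
    return (
        "<p>Hello, {name}</p>"
        "<input type=\"hidden\" name=\"user_id\" value=\"{uid}\">"
    ).format(
        name=html.escape(clean["display_name"]),
        uid=html.escape(clean["user_id"], quote=True),
    )
```

The separation matters: validation decides the shape of what is stored, escaping decides how it is shown. Doing only the first lets legitimate punctuation through into the page unescaped; doing only the second lets a client add fields (say, a role) that the form never offered.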

At this point you've finished the basic web exploiting; now we can move to the more difficult part:
For the DoS attack, it may seem there is nothing to exploit, but look again; maybe it could be an LFI exploit kind of like Realistic challenge 12 had, or it could be in some unexpected place, where you'd expect e.g. blind SQL injection to be more likely. Got it?! Good, now just look at what you input into it and think of the easiest way you could overflow it (how can you get an error on a calculator?).
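The calculator hint is about numeric input that is not bounded. As an added example (my own code, not the site's; `safe_calc`, `MAX_ABS` and the expression grammar are constructed for illustration), here is a two-operand integer calculator that refuses the inputs that would make a naive one fail: oversized request bodies, operands or results beyond a limit, division by zero, and anything that is not `a op b`.

```python
import re

MAX_ABS = 10 ** 9   # constructed limit for operands and results
# Exactly one integer, one operator, one integer; digit counts are bounded
# in the grammar itself so a huge literal is rejected before int() sees it.
TOKEN = re.compile(r"^\s*(-?\d{1,10})\s*([-+*/])\s*(-?\d{1,10})\s*$")


class CalcError(ValueError):
    pass


def safe_calc(expr):
    """Evaluate 'a op b' for integers without eval() and without letting a
    client drive the server into huge numbers, division by zero or
    unbounded parsing work."""
    if len(expr) > 64:                      # cap request size before parsing
        raise CalcError("expression too long")
    m = TOKEN.match(expr)
    if not m:
        raise CalcError("malformed expression")
    a, op, b = int(m.group(1)), m.group(2), int(m.group(3))
    if abs(a) > MAX_ABS or abs(b) > MAX_ABS:
        raise CalcError("operand out of range")
    if op == "+":
        r = a + b
    elif op == "-":
        r = a - b
    elif op == "*":
        r = a * b
    else:
        if b == 0:
            raise CalcError("division by zero")
        r = a // b                          # integer division, floors for negatives
    if abs(r) > MAX_ABS:                    # multiplication can still overflow the limit
        raise CalcError("result out of range")
    return r


def calc_or_error(expr):
    """What a request handler would return: a tagged result, never a traceback."""
    try:
        return ("ok", safe_calc(expr))
    except CalcError as e:
        return ("error", str(e))
```

Each rejection is a short, fixed message; none of them echoes the input back or exposes which internal check fired in a way that leaks implementation detail.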

For the last exploit, get the error message and just 'follow' it. Here you are presented with the code which is used on the site to gain admin access (what the hell is the last bit of the URL of all the pages?!). If you have a little knowledge of PHP (how could you 'end' the session? *hint* with what you finish every line *hint*), session poisoning, and common sense, this exploit should be a piece of cake. To be more specific, you don't poison the session; you have to end it and set a new one, based on the code from the file from the error message. Again, use as simple a syntax for that as possible; some people overthink this, but as a matter of fact, the code you have to set your session to is given to you...
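What makes the last exploit possible is a session whose meaning can be set by the client. As an added example (my own code, not the challenge site's; `SessionStore`, `weak_is_admin` and `is_admin` are constructed for illustration), here is the contrast: in the weak pattern the cookie states the role, so presenting a chosen value is enough; in the server-side pattern the cookie is only a random lookup key, the role lives in a table the client never touches, and the id is rotated whenever privilege changes.

```python
import secrets
import time


class SessionStore:
    """Server-side sessions. The cookie carries only a random identifier; the
    user and role live in this table, so a client cannot grant itself a
    privileged session by choosing the cookie value."""

    def __init__(self, ttl_seconds=3600):
        self._sessions = {}    # session id -> {"user", "role", "expires"}
        self._ttl = ttl_seconds

    def create(self, user, role):
        sid = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG: not guessable
        self._sessions[sid] = {"user": user, "role": role,
                               "expires": time.time() + self._ttl}
        return sid

    def lookup(self, sid):
        """Return the record for a presented id, or None. A value the client
        made up is simply a key that was never issued; expired ids are dropped."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        if rec["expires"] < time.time():
            del self._sessions[sid]
            return None
        return rec

    def destroy(self, sid):
        self._sessions.pop(sid, None)

    def rotate(self, sid):
        """End the old session and issue a fresh id for the same record. Do this
        whenever privilege changes (login, role change) so an id that was
        visible before authentication is worthless afterwards."""
        rec = self.lookup(sid)
        if rec is None:
            return None
        self.destroy(sid)
        return self.create(rec["user"], rec["role"])


def weak_is_admin(cookie):
    """The weak pattern: the client's own cookie states its role."""
    return cookie.get("role") == "admin"


def is_admin(store, cookie):
    """The server-side pattern: the cookie is only a lookup key."""
    rec = store.lookup(cookie.get("sid", ""))
    return rec is not None and rec["role"] == "admin"
```

Note what "ending the session and setting a new one" means on this side of the fence: `rotate` destroys the old record and mints a fresh random id, which is the server's job to do at login, not something a client should be able to do by presenting a value it chose.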

If you can't find anything after reading this article, just do more research, learn more, and leave pen-testing for some time, until you have the necessary knowledge and abilities.

Sorry for not being clear and specific (some might say confusing :)) most of the time, but if I had included any more spoilers (I still think there are too many, but I'll leave it like that) it would ruin the whole point of this challenge (for the same reason I don't go too much in depth and leave most of the thinking to the reader)... I also assume at least basic knowledge on the part of all readers, because I think this challenge is not for newbies.
As this is my first article, I'd appreciate any comments/suggestions for improvement.

Lastly, sorry for any inconvenience due to repetition, bad grammar and also 'over-punctuation', which I tend to do a lot, although I tried to prevent as many errors as possible...

Thanks for reading


SaMTHG on June 22 2008 - 10:58:43
Bravo. Not too bad, not too bad at all, rated very good :D
COM on June 22 2008 - 13:28:28
Feels a bit vague at some points, but since it's not supposed to reveal too much, there isn't much to do about it. That's why articles about challenges can only be so good. Generally, well done.
crashbird on June 22 2008 - 14:41:27
Good job! Only wish I had got this earlier before doing the missions. The problem with giving hints is that until you get it right it seems too little, and when you've got it, it seems to reveal a lot.
clone4 on June 22 2008 - 17:13:46
@COM: true, but I always prefer vague to spoiling... :) @crashbird: yeah, it was the biggest struggle to find the right amount of hints etc... Anyway I'm still thinking about editing the session part, I didn't put enough info there, but the problem is that once I give one more clue, it's obvious to everyone. I gotta think it through and maybe I'll edit it later today/tomorrow (otherwise I will just leave it like this ;))
skathgh420 on June 22 2008 - 18:49:50
Good job, helpful hints but no big spoilers, well done :D
system_meltdown on June 23 2008 - 00:46:37
There is no file inclusion exploit, it's a full path disclosure exploit... And the "session poisoning" exploit isn't session poisoning at all, it's an exploit which manages to SET a session, not POISON an existing one.
clone4 on June 23 2008 - 07:59:25
@system: Wow, about the include exploit it's true, I always thought that the points are for 'including' something else, and the error message was a separate part of another exploit. You're right with the second point, I'll correct that as well. Question: if I edit the article and submit it again, does it have to be reviewed by the admins again?
clone4 on June 23 2008 - 08:17:34
Article updated!! The 'include' mistake and session poisoning are corrected. Thanks system for that comment, I hope you won't find more misleading info...
Uber0n on June 23 2008 - 17:53:56
Well done clone4, it makes me happy to see a user who actually improves an article after it has been submitted :)
TrueHacker on June 24 2008 - 17:55:29
Very informative article.
system_meltdown on June 26 2008 - 17:26:01
Nice work updating :) As Uber0n said, glad to see people who amend their work :) Very good article, nicely written, good job.
Blackmercury on July 12 2010 - 06:07:35
Could you write one for pen2? Plz