basic challenges - new ideas + csrf challenge ;)

clone4
Posted on 07-09-08 17:03
I've had this on my mind for a couple of days. Some time ago I realized that there isn't a single basic web challenge involving CSRF, so I was just thinking that it would be a good idea to add a challenge like that. I guess some guest book with bbcodes, and you would have to, let's say, lock the thread or delete it. So I was just wondering if you people like the idea, or have any better ones? And because CSRF is quite a common vulnerability, I think we shouldn't ignore it like this.
Any comments would be great...


spyware - "They see me trollin'..."
<yaragn> ever seen that movie? The Matrix?
<yaragn> with those green lines of flying text?
<yaragn> *THAT'S* Perl



Edited by clone4 on 14-09-08 11:32

RE: basic challenge -- csrf


Guest
Posted on 07-09-08 17:31
A CSRF challenge would be interesting. Why don't you code one up and submit it? :)

I think I'd rather see more Pen-Test challenges, though; they could include numerous concepts, while making it more realistic.



RE: basic challenge -- csrf

clone4
Posted on 07-09-08 17:36
Zephyr_Pure wrote:
A CSRF challenge would be interesting. Why don't you code one up and submit it? :)


I've been working on it for a little while in the morning :) It's just quite hard, since my PHP coding skill is pretty poor, but that means that I can only improve, and this is actually brilliant practice :) so yeah, I will give it a shot.


I think I'd rather see more Pen-Test challenges, though; they could include numerous concepts, while making it more realistic.


That's true, and the current pen testing challenge is slightly outdated, but it's hard to do something like that, since you would actually have to code whole pages or a CMS, for instance.



RE: basic challenge -- csrf

Futility
Posted on 07-09-08 17:37
Actually, I think moshbat has made a new pen-test challenge. It's still in the already-submitted-but-still-not-accepted phase. I think. Don't quote me on it.

As for the CSRF challenge idea. It definitely sounds good. Maybe somehow incorporate it into a realistic (or pentest) challenge. It'd be nice to see some more of those.



RE: basic challenge -- csrf

clone4
Posted on 08-09-08 22:08
moshbat wrote:

system has said it will be released. Not too sure when, though.



All we can do is hope :) I think along with those, timed 7 should be released as well.

Anyway, I'm about halfway there: got the guestbook and vulnerable bbcodes. Now the issue is what to actually do; so far it's only possible to delete single posts there. I was thinking of putting some hateful 'constant' post there which the challenger would have to delete, but this'd be quite easy, so I'm open to any suggestions... (I'm also gonna be looking into filters/evading filters in CSRF to make it a little harder :) )



RE: basic challenge -- csrf

fashizzlepop
Posted on 09-09-08 03:40
There could also be a simple chall for this like you have now. And then always make more. Hell, it could even become a "group" of challs. I am very curious about this stuff as I don't know much aboot it.


"The definition of insanity is doing the same thing over and over again and expecting different results.
~Albert Einstein~



RE: basic challenge -- csrf


Guest
Posted on 09-09-08 03:52
fashizzlepop wrote:
There could also be a simple chall for this like you have now. And then always make more. Hell, it could even become a "group" of challs. I am very curious about this stuff as I don't know much aboot it.


Then... come up with an idea for one and code it. Even if it doesn't get accepted or used, you'd gain an understanding for how to make something vulnerable and how to focus on particular vulnerabilities. Give it a shot. :)



RE: basic challenge -- csrf

fashizzlepop
Posted on 09-09-08 06:02
I'm really busy right now so I was aiming that towards the op.



RE: basic challenge -- csrf

clone4
Posted on 09-09-08 22:24
fashizzlepop wrote:
There could also be a simple chall for this like you have now. And then always make more. Hell, it could even become a "group" of challs. I am very curious about this stuff as I don't know much aboot it.


Actually, Infam0us helped me to make it a little bit harder :) I'll see how people like this one, then you can talk about expanding it ;)

Anyway, now I'm a little (read: a lot) stuck on the very last issue, which means that I can't release it even for testing :(. So if there is anybody fairly skilled in PHP willing to help, I'd really appreciate it if you could PM me/contact me on MSN/ICQ.



RE: basic challenge -- csrf


Guest
Posted on 10-09-08 01:38
clone4 wrote:
So if there is anybody fairly skilled in php willing to help, I'd really appreciate if you could pm me/contact me on msn/icq.


You can PM me and I will help if I can.



RE: basic challenge -- csrf


Guest
Posted on 10-09-08 08:35
This sounds like an awesome challenge.
I hope it gets released =]]
Nice One.




RE: basic challenge -- csrf

clone4
Posted on 11-09-08 17:28
OK boys and girls :) Finally I'm done: http://hellchall.. . ./index.php The task should be pretty obvious: there is a guestbook with an admin who really dislikes HBH, you wanna get rid of the insulting post, once the admin views the guestbook, and even though it's pretty secure, there is one hole... (For the most obvious hint, just read the title of this thread :D)

I have to thank Infam0us, who helped with a little bit of coding, and mainly I used the concept of an exploit he found (it's very realistic and quite common). And also thanks to Zephyr_Pure, without whom I'd probably still be trying to finish the challenge.

Also, this guestbook wasn't coded by me. I wanted to do that, but didn't want to use MySQL, so I came across this guestbook, which uses a file to store the posts (and I wouldn't be able to pull something like this off with my current PHP skill). However, the actual exploit required quite a lot of coding as well as optimising the guestbook, so I put some time and effort into it. If I find the readme file, I will credit the author, but so far no luck with that :)

Lastly, I hope you'll enjoy it and I'd appreciate any feedback...
Btw, when you solve this, you will be redirected to the winning page.

OK, now it's all done, and all the filters I wanted to implement are there, so now it really begins ;) And luck to you all (especially to you who try to XSS it, by that I don't want to imply it's impossible though :) )

One more edit :) The admin post is hard coded, so if you think that you've bypassed the filters and actually solved this challenge in some different way than I intended, just test it on some of the added posts, and post it over here.

Also, if anyone solves this challenge and wants some info, or even a source snip, just gimme a PM or post here ;) I assume that people here wanna improve their skills, so I won't be suspicious as to whether you really have finished, 'cause if not, the real and only idiot is you.





Edited by clone4 on 11-09-08 23:20

RE: basic challenge -- csrf

clone4
Posted on 14-09-08 10:40
Sorry for the double post, but I wanted to make sure this would stay on the main page at least for a while, so there you go :) I don't know how many of you actually finished this challenge; there were quite a lot of attempts, but mainly on XSS, not the CSRF... Anyway, this inspired me to code another challenge (well, the same environment, different exploit), one of the few that is missing here as well, which is cookie stealing. This should be much easier than the CSRF one (to code and solve :) ), so it should be out sometime by next week.

Btw, have any of you who tried actually finished the current one, i.e. got the "You win !" page? When it comes to solving this challenge it's very strict, so I realized it might actually be very hard to get it right. But it's still on, so Give It a Try !!


Again, any suggestions appreciated. I started to learn PHP, and I find it really exciting doing it this way, so I don't mind expanding the guestbook, since you learn how to code securely, as well as how the filters are bypassed, and you always find new ways of doing something, new functions etc...



RE: basic challenges - new ideas + csrf challenge ;)


Guest
Posted on 14-09-08 11:47
Dunno, I'm sure I got the main parts of it but it just wouldn't accept it, so I'm guessin' it only takes 1 correct answer. Might wanna code a few possible ways of doing it into your next one; nothing worse than having the answer but it not accepting it coz of a semicolon or something like that.