HellBound Hackers | Challenges | Pen Testing Challenges

Page 1 of 3 1 2 3 >
Pen 1, new

Guest
Posted on 26-10-07 07:04
I figured that since the last pen 1 forum had 60+ replies, it's time for a new one

I'm stuck, so far I've found

the secret directory
logged in as admin
found some php code talking about an admin panel
found exploit on another page (don't want to give it away)

now I'm trying to find an exploit on the "m3mb3r t0015" page, I think it's xss, not sure, any help? even when I enter normal values nothing seems to happen.




Edited by on 27-10-07 00:13
RE: Pen 1, new

Guest
Posted on 26-10-07 10:30
... hmm ... m3mb3r t0015 ... ahh yes

You read the notice?

NOTICE: These values are not posted yet, we have not completed the profiles pages.
They are only viewed by admins at the moment.

What should the admin read? And what may not be checked?

Look at the page and think about it, you'll get it.

RE: Pen 1, new

Guest
Posted on 27-10-07 00:13
ok, I found an exploit, but I guess it wasn't good enough to get any points, I included index.php so it would go on for infinity, and it was stopped by the challenge, guess that one is too easy haha.

I also found another page that says that the admin panel is still being made, I don't know what to do from here, I'm stuck in the same spot as before.




Edited by on 27-10-07 00:15
RE: Pen 1, new

Guest
Posted on 27-10-07 00:23
I'm thinking you can in***** a s**** perhaps? Find out what's actually on the site.


RE: Pen 1, new

Guest
Posted on 27-10-07 00:27
already tried that, I keep getting the "you already found this exploit" alert


RE: Pen 1, new

Guest
Posted on 27-10-07 00:41
yeah, I'm trying to find a way to get it in... because I'm sure there's a way!

If only Richo would get on or Sleaz would get off the pot haha. I need to learn a bit about PEAR I think... unless... RELATIVITY!!!


RE: Pen 1, new

Guest
Posted on 27-10-07 00:49
whatever the problem is I can't figure it out haha, PEAR.....ohhhhh PEAR, I have no idea what that is. google /pear, that's what I did, there's a wiki article.




Edited by on 27-10-07 00:52
RE: wtf

Guest
Posted on 29-10-07 22:23
although I have it so I'm an admin I can see view any more than I could before...what the poop?
RE: Pen 1, new

Guest
Posted on 29-10-07 22:43
noober wrote:
although I have it so I'm an admin I can see view any more than I could before...what the poop?


It's a simulated environment. And don't use the word "poop" in a serious question; it makes your post suck.



RE: bah

Guest
Posted on 29-10-07 22:48
seeing as the site doesn't let you use the word fuck I sub with poop, seems fair to me
RE: Pen 1, new

Guest
Posted on 29-10-07 23:31
noober wrote:
seeing as the site doesn't let you use the word fuck I sub with poop, seems fair to me


Well, though that is an accurate statement, it is irrelevant. I think the creators of the challenge meant for the admin login to not have any more privileges to prove:

"Admin credentials are not the answer to everything, and not always easily obtainable."

Sometimes, you have to use exploits that would utilize alternate credentials without the credentials being available. Also, if the admin login did give you any more privilege, then it would've made the challenge easier. Ultimately, that would've made the challenge less effective in teaching viable technique.



RE: indeed

Guest
Posted on 30-10-07 00:11
I suppose you're right. Just working on using those nooblet credentials somehow
RE: Pen 1, new

Guest
Posted on 30-10-07 00:20
noober wrote:
I suppose you're right. Just working on using those nooblet credentials somehow


*cough, cough* Diversion! :ninja:



RE: Pen 1, new

Guest
Posted on 30-10-07 01:58
noober wrote:
I suppose you're right. Just working on using those nooblet credentials somehow


*cough, cough* Diversion!



yeah...they're not meant to be used at all (unless there's a 6th exploit I haven't found or something) Smile

Now, to your problem on the member tools page, you're on the right track.
How many fields do you have in the form?

http://www.hellboundhackers.org/challenges/basic13/index.php

ever done that challenge? How did you do it? Pfft

Note: Web Developer Toolbar makes this very easy Smile


RE: Pen 1, new

Flaming_figures
Member
Posts: 209
Location: ΦΠΥΔΓΙΦ
Joined: 28.06.06
Rank:
Apprentice
Posted on 30-10-07 02:55
I knew I had to do something with that, I just can't find out what... Tried some different injections with no luck...


RE: Pen 1, new

Guest
Posted on 30-10-07 03:01
with the forms? do you know anything about XSS? Wink


RE: Pen 1, new

Flaming_figures
Member
Posts: 209
Location: ΦΠΥΔΓΙΦ
Joined: 28.06.06
Rank:
Apprentice
Posted on 30-10-07 03:04
Lots... do we have to use actual scripts (way too lazy to script something up right now) or is just making it look like you know what you are doing?

edit:
Wait... if they were being nice when they were doing it it may be a R*****I (incorrect *s)




Edited by Flaming_figures on 30-10-07 03:06
RE: Pen 1, new

Guest
Posted on 30-10-07 03:10
I don't know what starts with R and ends with I...

but no, you don't need a full script, read up on some simple XSS exploits...


RE: Pen 1, new

Guest
Posted on 30-10-07 06:46
I'm still having a hard time with the xss on the member tools page haha, I'm still reading up on xss though.


RE: Pen 1, new

Flaming_figures
Member
Posts: 209
Location: ΦΠΥΔΓΙΦ
Joined: 28.06.06
Rank:
Apprentice
Posted on 30-10-07 11:25
Re**** F*** In******* and L**** F*** In*******. Thanks skunk you saved me lots of wasted time with that comment Smile

