HellBound Hackers | Challenges | Pen Testing Challenges

Author

RE: Pen 1


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 13-10-07 14:32
I've found one easy exploit which gave me something and I found the directory and now I see the script for the something.

So I went and tried to use the something that I found and now it was like "YOU'RE NOT WELCOME HERE, [my ip]!"

I'm guessing that:
* I need to do something to the something bolded.
* I need to get a proxy for something I dunno
* I need to change my session

Am I on the right track?

Edited by on 13-10-07 14:51
Author

RE: Pen 1


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 13-10-07 20:17
In all my programming life, I haven't seen a "site" coded in such a bad way. There is no defined structure for modules. Sometimes it's with the parameter page, sometimes it's with a different GET. And the exploits involve the site being as crappy as it looks. I had to read what they said for an exploit, because I couldn't believe that this "site" could be coded in such a bad way that what I put would make it crash.

Sorry, but the exploits are either a copy of the basic challenge or an absolutely uncommon exploit, such that this is the only "site" in the world where it would work.


Author

RE: Pen 1

Flaming_figures
Member

Your avatar

Posts: 209
Location: ΦΠΥΔΓΙΦ
Joined: 28.06.06
Rank:
Apprentice
Posted on 13-10-07 21:14
@arto most of the challenges are like that... They won't work in normal circumstances and things, but I think what this challenge is meant for is to get you LOOKING for them. To teach you how to look for flaws in websites and recognize what is a flaw in things like the URL and errors. That being said, I still can't get past 40 points :P


Author

RE: Pen 1


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 13-10-07 22:57
Exactly right, it's a simulation, i.e. it's not really, but it gives people ideas on how to do things and possible ideas on what to look for.
Author

RE: Pen 1


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 16-10-07 02:51
Well, there is a middle between reality and truly fake.

Having an XSS exploit because of an insufficient filter on some data would be realistic (having a filter that only removes "<" and ">"). XSS is still possible, but in a more tricky way.

Saying that the exploit with the "include" (the one that lets you execute any code on the server) still works is truly fake; the default settings of Apache/PHP won't let you do that.




Edited by on 16-10-07 02:51
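The filter described in the post above (one that only removes "<" and ">") can be compared with context-aware escaping. This is an added example, not part of the thread or the challenge site; the template, function names and sample input are constructed for illustration, and a harmless `data-injected` attribute stands in for anything a browser would act on.

```python
import html
from html.parser import HTMLParser

# Hypothetical template: user input lands inside a double-quoted attribute.
TEMPLATE = '<input type="text" name="q" value="%s">'
EXPECTED = {"type", "name", "value"}

def strip_angle_brackets(value):
    """The weak filter from the post: delete '<' and '>' and nothing else."""
    return value.replace("<", "").replace(">", "")

def render_weak(value):
    # Quotes pass through, so the input can close the value="..." attribute.
    return TEMPLATE % strip_angle_brackets(value)

def render_escaped(value):
    # quote=True also encodes " and ', which is what an attribute context needs.
    return TEMPLATE % html.escape(value, quote=True)

class AttrCollector(HTMLParser):
    """Collects attribute names the way an HTML parser sees the markup."""
    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        self.names.extend(name for name, _ in attrs)

def injected_attributes(markup):
    """Return attribute names that the template itself never emits."""
    parser = AttrCollector()
    parser.feed(markup)
    parser.close()
    return [n for n in parser.names if n not in EXPECTED]

# Constructed sample input: contains no angle brackets at all.
SAMPLE = 'x" data-injected="1'

if __name__ == "__main__":
    for render in (render_weak, render_escaped):
        out = render(SAMPLE)
        print(render.__name__, "->", out)
        print("  unexpected attributes:", injected_attributes(out))
```

The weak filter still blocks input that relies on tags, which is why a quick test with a tag can make it look sufficient; the quote characters are what it misses.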
Author

RE: Pen 1


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 17-10-07 00:38
I did the most basic exploit on the site... And I found a sekrit directory but don't know what to do with it :( Just like moshbat :P Could I please PM someone for help?
Author

RE: Pen 1

flame_1221
Member



Posts: 179
Location: malaysia
Joined: 13.05.07
Rank:
God
Posted on 17-10-07 03:30
You can PM me if you want.
127.0.0.1
Author

RE: Pen 1


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 17-10-07 06:50
can't wait for another one of these to come out :D


Author

RE: Pen 1

Uber0n
Member



Posts: 1963
Location: Sweden‭‮
Joined: 13.06.06
Rank:
Hacker Level 3
Posted on 17-10-07 06:57
Skunkfoot wrote:
can't wait for another one of these to come out


Same here B)


Nope http://uber0n.webs.com/
Author

RE: You would be surprised


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 19-10-07 16:19
Some of the most basic bullshit noobish bullshit can work on sites, it's rather surprising. Hell, I got into a works admin site with just \' or 1=1--/* Lazy programming isn't as rare as you think.
Author

RE: Pen 1

synstealth
PHP WARRIOR

Your avatar

Posts: 807
Location: /etc/shadow
Joined: 30.11.04
Rank:
God
Posted on 19-10-07 20:38
same as everyone else on here.. can't get past 40 pts. lol




know where to Look
Author

RE: Pen 1


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 19-10-07 20:46
hm, I got a fair bit into this, and have a few ideas about how to continue, but perhaps if I could consult someone who's got it? I'm not sure if the point where I'm at is just a guessing game or a place where techniques can be applied. don't spoil it for me, at any rate.
Author

RE: Pen 1


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 19-10-07 20:52
Can't get past 40 points? You're not looking at everything, then. :)



Author

RE: Pen 1


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 19-10-07 20:59
noober wrote:
Some of the most basic bullshit noobish bullshit can work on sites, it's rather surprising. Hell, I got into a works admin site with just \' or 1=1--/* Lazy programming isn't as rare as you think.


Lazy programming == beginner, and it's not beginners that code major sites. People who study programming learn enough about security not to make these mistakes. The most common exploits (that can be found) are things that are really known or learnt; that was the case with XSS. XSS is also very common because most people underestimate what you can do with this exploit.


Author

RE: still...


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 20-10-07 04:09
If ya look around at various hacking crap and take a look on YouTube, you'll see someone hacking into a college website using ' or 1=1 after altering the source code... that gave up someone's social security number and led to basically getting everyone's social security number.. I'd call that pretty major... lazy programming... like I said, not that uncommon even when it's somewhere that needs to be protected.
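Why the `' or 1=1--` string mentioned in the posts above gets past a login check built by string concatenation, and why a parameterized query is unaffected. This is an added example, not part of the thread or of any site discussed in it; the table, credentials and function names are constructed, and the password is stored in plain text only to keep the sample short.

```python
import sqlite3

def make_db():
    """Build an in-memory database with one constructed account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'constructed-secret')")
    return db

def login_concatenated(db, name, password):
    """Vulnerable form: user input becomes part of the SQL text itself."""
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def login_parameterized(db, name, password):
    """Hardened form: input is bound as data and never parsed as SQL."""
    row = db.execute(
        "SELECT name FROM users WHERE name = ? AND password = ?",
        (name, password),
    ).fetchone()
    return row[0] if row else None

# The string from the posts, used as the user name (constructed test case).
# Concatenated, the statement becomes
#   ... WHERE name = '' or 1=1--' AND password = 'x'
# so the password check ends up inside a comment and the WHERE clause
# is true for every row.
SUSPECT_NAME = "' or 1=1--"

if __name__ == "__main__":
    db = make_db()
    print("concatenated :", login_concatenated(db, SUSPECT_NAME, "x"))
    print("parameterized:", login_parameterized(db, SUSPECT_NAME, "x"))
    print("valid login  :", login_parameterized(db, "admin", "constructed-secret"))
```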
Author

RE: Pen 1


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 20-10-07 04:44
lesserlightsofheaven wrote:
hm, I got a fair bit into this, and have a few ideas about how to continue, but perhaps if I could consult someone who's got it? I'm not sure if the point where I'm at is just a guessing game or a place where techniques can be applied. don't spoil it for me, at any rate.


You can PM me ;)
Author

RE: Pen 1

flame_1221
Member



Posts: 179
Location: malaysia
Joined: 13.05.07
Rank:
God
Posted on 20-10-07 07:15
or me :)
127.0.0.1
Author

RE: Pen 1


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 20-10-07 07:31
Hey my rank is reversed lol I didn't know that it worked...
Author

RE: Pen 1


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 20-10-07 22:45
Hmm, I've only accumulated 40pts so far in this challenge, so I guess that means I'm in the average.

However, I would like to continue this one. So please, could somebody violently push me into the right direction?

My status:

-Found a simple exploit
-Found a secret directory
-Logged in as admin - another exploit
-Found some php code
-Was able to run that code, but didn't get anything from it except that I know there is an admin panel that is still being coded somewhere.

[VIOLENT PUSH NEEDED HERE]

By the way, what is the point of giving us that user:pass at the beginning of the challenge? I haven't found a use for it at all.




Edited by on 20-10-07 22:47
Author

RE: Pen 1


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 20-10-07 22:51
Placebo wrote:
By the way, what is the point of giving us that user:pass at the beginning of the challenge? I haven't found a use for it at all.


Yeah, I know... I just repeat the admin "exploit" every time I come back to it. lol

I've only found one more exploit than you, so I am still working on it, too. As for the one you haven't found that I have, though, I can honestly say that you're not looking everywhere for basic exploits. That's all I can say, really, since anything more would be a spoiler.


