Welcome to HBH! If you have tried to register and didn't get a verification email, please using the following link to resend the verification email.

Last exploit


ghost's Avatar
0 0

I have completed everything besides the do* part. I tried the obvious of including a certain default page, but a message is displayed that this condition was fixed. Where should we look in order to create a do* condition and complete the challenge?


ghost's Avatar
0 0

Never mind LOL. Which exploits have you done?


ghost's Avatar
0 0

(sorta spoiler warning)

I am done with:

  1. Hidden dir
  2. Sql injection
  3. session stuff (pretty tough, the answer is easily found on google though)
  4. XSS injection

Last part is the dos (at least that is what someone said in another thread.)

Does the admin panel somehow come into play? I know where the "real" code should be and where the placeholder is that says "admin panel not finished". I don't think this should have anything to do with the dos.

Thanks!


ghost's Avatar
0 0

I don't know why I posted here actually, I haven't so much as looked at a challenge in probably months. Sorry m8 I thought I'd waste your time though, but did you get admin? That's the only one that's coming to mind though it looks like you may have already gotten it fuck idk. :|


ghost's Avatar
0 0

Yeah, admin was pretty tough without doing research (google will solve this very easily if you search for the right thing). But the answer is really simple. Most people are probably trying the right thing, they just don't have the proper syntax.

But I am stuck at the dos part :D

I am sure the answer is just as simple as the admin, but I am just overlooking something.


ghost's Avatar
0 0

Nevermind, thanks to stdio I was given a push in the right direction. The answer was again really easy once you realize what to do XD.


ghost's Avatar
0 0

zeus_the_moose wrote: (sorta spoiler warning)

I am done with:

  1. Hidden dir
  2. Sql injection
  3. session stuff (pretty tough, the answer is easily found on google though)
  4. XSS injection

Last part is the dos (at least that is what someone said in another thread.)

Does the admin panel somehow come into play? I know where the "real" code should be and where the placeholder is that says "admin panel not finished". I don't think this should have anything to do with the dos.

Thanks!

I don't know what hidden dir could have to do with. There was a hidden dir involved in the session part and I got that already. The part with the file include, is that what people mean with the "dos" or do we actually have to find another way to do the dos'ing? I think that's what I have left, I've done

file include sql injection xss session poisoning

EDIT


I figured it out. If you are stuck, read Skunkfoot's post on page 4 of the "Pen 1" thread. Afterwards, you should search the subject matter with what he says to do and that should help you with it.


crashbird's Avatar
-=CodeGuru=-
0 0

Hey can anyone guide me on how i should get to poison the sessions.. or what fm* should i put the value of $_S****[in]=t.

Also if someone could guide me to a link on learning more on this.. Tried a lot of places , but couldn't get enough information…

Thanks, presently i have 90 points,

i've done, Secret dir sql and xss


ghost's Avatar
0 0

Sometimes sessions are set by cookies, and you can already see one of them.