ThisisLegal.com

ThisisLegal Forums


#26 2008-07-16 07:32:14

t0mmy9
Administrator
Registered: 2005-01-07
Posts: 21

Re: R3

Ok, as I said, this is based on a real life hack. Notice the message:

Your Link has been submitted. It will be added if appropriate.

This means that the links are being viewed by the site admin. You need to find a way to bypass this using the form so the links are just added straight to the site. Then half of the challenge is done already.


Site admin

Offline

#27 2008-07-16 09:02:53

therock_wall
Member
Registered: 2008-03-16
Posts: 45

Re: R3

I saved the web page by editing the source and it echoed my link "XXX", and I saved it on the desktop by XXX.html. Now what to do?

Offline

#28 2008-07-16 10:49:51

therock_wall
Member
Registered: 2008-03-16
Posts: 45

Re: R3

I have echoed a link in the saved page, is that right?

By the way, how do I give a link online? By javascript injections? Any hint for online injections?

Offline

#29 2008-07-17 05:19:51

t0mmy9
Administrator
Registered: 2005-01-07
Posts: 21

Re: R3

This won't work if you save everything. And yes, javascript injections are used to bypass the admin checking the link. You still need to find out how though. The form gives it away completely.


Site admin

Offline

#30 2009-01-26 02:56:27

Degenerate
Member
Registered: 2009-01-26
Posts: 9

Re: R3

I have inserted anything I like on the page and I have a "Your close to completing this though." message, there are lots of things I could be doing with this exploit, how can I narrow down the possibilities?

Offline

#31 2009-01-26 07:07:17

t0mmy9
Administrator
Registered: 2005-01-07
Posts: 21

Re: R3

If you're getting the links on the page, you've basically done it. Just think what you could type if the links are just being echoed straight onto the page.


Site admin

Offline

#32 2009-01-28 01:16:47

Degenerate
Member
Registered: 2009-01-26
Posts: 9

Re: R3

Well, I passed it... but it was quite strange.  I just did what I had already done, got the same message saying that to prevent a real hack etc.

Was thinking about what to put, and then about 30 seconds after my entry got forwarded to the mission complete page...

Very strange...

Offline

#33 2009-01-28 05:23:59

t0mmy9
Administrator
Registered: 2005-01-07
Posts: 21

Re: R3

Hmm, it should redirect straight away... the completion page would explain it though. NiklosKoda, if you still haven't done this, PM me.


Site admin

Offline

#34 2009-02-27 14:18:48

Obsidian Age
Member
Registered: 2009-01-26
Posts: 4

Re: R3

I'm totally stumped. I can manage to insert any link I want rather easily, but what exactly do I need to do now? Linking to the students page seems to do nothing, no matter what prefixes and suffixes I use.


I'm not useless... I can be used as a bad example.

Offline

#35 2009-02-27 15:38:18

t0mmy9
Administrator
Registered: 2005-01-07
Posts: 21

Re: R3

As mentioned above, it's basically complete. Think what you do as a test to any kind of form that displays what you type into it onto a page, e.g. a guestbook or shoutbox. What simple thing would you try to do to hack it?

Think simple...


Site admin

Offline

#36 2009-02-27 19:38:37

Obsidian Age
Member
Registered: 2009-01-26
Posts: 4

Re: R3

Thanks for the tip. Passed. :)


I'm not useless... I can be used as a bad example.

Offline

#37 2009-04-23 17:47:05

BuRNeD
Member
Registered: 2009-03-21
Posts: 117

Re: R3

I can't figure out what to do. I tried to go to apply a link and I tested some things with Firebug, but no way out. Does Directory Traversal have something to do with it?

Offline

#38 2009-04-24 05:30:57

t0mmy9
Administrator
Registered: 2005-01-07
Posts: 21

Re: R3

A lot of this challenge is just for show. Just look closely at the source of the page you're on and ignore everything else for now.


Site admin

Offline

#39 2009-04-24 05:57:45

BuRNeD
Member
Registered: 2009-03-21
Posts: 117

Re: R3

Does (T1 & T2 etc.) have anything to do with it?

Offline

#40 2009-04-25 04:53:58

t0mmy9
Administrator
Registered: 2005-01-07
Posts: 21

Re: R3

No. Maybe something is hidden.


Site admin

Offline

#41 2009-04-27 09:50:16

BuRNeD
Member
Registered: 2009-03-21
Posts: 117

Re: R3

I found this hidden thing from the beginning, but thanks to you I focused on it and it's done. Now what's next...

I was wondering: if the admin of this website clicks my link, I would make a decoy to get his cookies and I wouldn't need to go to the fake login because I already have the cookies. But that's just a challenge, right? The admin does not exist...

Any further help please?

Offline

#42 2009-04-27 18:11:40

t0mmy9
Administrator
Registered: 2005-01-07
Posts: 21

Re: R3

If you've done the first part, the next bit is easy. Read the rest of this forum topic and think simple.


Site admin

Offline

#43 2009-04-29 09:39:39

BuRNeD
Member
Registered: 2009-03-21
Posts: 117

Re: R3

The thing is that I don't know good English because I'm a 13-year-old Greek kid... so please, if you could explain the remaining part in other words so I can understand it better. hrmm

Offline

#44 2009-04-29 15:45:11

t0mmy9
Administrator
Registered: 2005-01-07
Posts: 21

Re: R3

[spoiler]It's not doing any validation checks, it's just adding the link onto the page.[/spoiler]

So think what else you could try adding.


Site admin

Offline

#45 2009-07-05 12:15:03

fason
Member
Registered: 2009-07-05
Posts: 1

Re: R3

Is the link that you create supposed to contain something in particular? Linking to students.php, grades.php, lessons.php does not seem to have any effect.

Offline

#46 2009-07-06 04:53:47

t0mmy9
Administrator
Registered: 2005-01-07
Posts: 21

Re: R3

Yes, it should have something in particular. But maybe it shouldn't be an actual link...


Site admin

Offline

#47 2009-07-06 09:18:38

BuRNeD
Member
Registered: 2009-03-21
Posts: 117

Re: R3

Maybe it is a "tricky" link.

Offline

#48 2009-07-14 09:12:10

Illusion03
Member
Registered: 2009-02-20
Posts: 4

Re: R3

Hey Tommy, I can add links at the right using the form, but I am confused as to what I should use as a link so that this mission gets completed. By the way, I have read all the above talk, but still can't get it.



Offline

#49 2009-07-14 11:13:41

t0mmy9
Administrator
Registered: 2005-01-07
Posts: 21

Re: R3

Everyone, don't overthink this. The solution is really simple. You don't add an actual link, whatever you type in the form just gets echoed straight onto the page. Think about this.


Site admin

Offline
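
The behaviour described in post #49 (form input echoed straight onto the page with no validation), seen from the fixing side. This is an added example, not part of the thread or the site's code: a hypothetical link-list renderer, with the naive version beside one that allow-lists the URL scheme and HTML-escapes on output. All function names and sample submissions are constructed.

```python
import html
from typing import Optional
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # assumption: only web links belong in the list


def render_link_naive(submitted: str) -> str:
    """The pattern the thread describes: input goes onto the page as-is."""
    return "<li>" + submitted + "</li>"


def render_link_safe(submitted: str) -> Optional[str]:
    """Return an <li> for an acceptable link, or None if it is rejected."""
    value = submitted.strip()
    # A URL has no raw whitespace or control characters; reject early.
    if not value or any(ch.isspace() or ord(ch) < 0x20 for ch in value):
        return None
    try:
        parts = urlsplit(value)
    except ValueError:
        return None
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        return None
    # Validation alone is not enough: escape for the attribute and text
    # contexts, so markup characters in the path cannot become page markup.
    escaped = html.escape(value, quote=True)
    return f'<li><a href="{escaped}" rel="nofollow noopener">{escaped}</a></li>'


# Constructed sample submissions (not taken from the challenge).
SAMPLES = [
    "https://example.org/notes?a=1&b=2",   # ordinary link
    "<b>not a link</b>",                   # markup instead of a URL
    "javascript:void(0)",                  # scheme outside the allow-list
    'https://example.org/"><i>x</i>',      # valid scheme, markup in the path
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s))
        print("  naive:", render_link_naive(s))
        print("  safe: ", render_link_safe(s))
```

The last sample passes the scheme check, which is why the escaping step is applied to everything that reaches the page rather than relied on as a second opinion.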

#50 2010-10-21 14:14:56

tripleedged
Member
Registered: 2010-10-21
Posts: 3

Re: R3

Now, that was nasty...
I tried many things to solve it. Today I tried again but failed on every try. I was about to give up and just wanted to leave a mark... :D

Actually that was the plan... Hope I didn't spoil!

Offline
