Challenge Help

This tutorial is to help anyone who is struggling with any of the site challenges. Rather than provide a walkthrough though this aims to give you a few more hints in the right direction.

Basic Challenge 1

This simply requires seeing the site's source. Look for clear English rather than html code.

Basic Challenge 2

View the source again. This time you are looking for a script. Once you find it, try to find the username and password. Even if you are not familiar with JavaScript it should still be easy to find.

Basic Challenge 3

This will require some research. See if the contents of the text file may give you a clue to what you need to research. wikipedia has a helpful article, and so does the articles section of this site :)

Basic Challenge 4

This one requires knowledge of how browser cookies work. The best way to display cookies is in a JavaScript alert box or console log. How this is done is left up to you. Then once this is done you will see a cookie that clearly needs changing. Go for the obvious answer and use JavaScript again to change this.

Researching some basic JavaScript syntax would definitely benefit you.

Basic Challenge 5

This one is actually fairly easy, don't overthink it. the source may reveal something about this email form. the problem is changing this information. Saving a copy of the webpage wont work alone.

Basic Challenge 6

Search engine crawlers (spiders) have to read the contents of a certain file first because site owners don't want some of their pages included in search results. the file displays disallowed pages in cleartext in a file and if you view the text file, you may be able to visit them.

For a little more help click here

Basic Challenge 7

Another you either know or don't. search for the hint listed on the page, maybe you'll find a few useful things. try them on this site and see what happens.

Then you find an encrypted password. this password is the same encryption unix will use as well as htpasswd logins so it would definitely help if you learn how to crack it. there are some great crackers out there. look for John :)

Basic Challenge 8

Some applications can just be cracked by opening them in a text editor but not this. instead you should try to patch it using ollydbg. This is a common method of cracking applications and there are some tutorials here on how to use it.

Opening it up in ollydbg just shows a lot of hard to understand text, but to start off click search for --> all referenced text strings. this will make things easier. double clicking them shows you where they are in the program. you are also interested in the "fill with NOP" command.

Basic Challenge 9

The simple substitution cipher. This encryption just swaps letters for other letters in the alphabet with nothing else involved. This basically comes down to guess work with also some general knowledge such as the letter 'e' being the most common letter in the English language. try swapping the most common letter in the text with 'e' and go from there.

Also look for small words that might be common words such as 'the' or 'is' for example.

Basic Challenge 10

First find the direct location, then download it. This may not be as easy as expected. Decompilers are your friend.

Realistic Challenge 1

The pages again contain something hidden. Once you find what you're looking for, knowledge of JavaScript injections will be needed to beat this. As a little security, the site makes sure that you pay at least something. Although this seems simple certain payment gateways are known to work in a similar way.

Realistic Challenge 2

This is fairly hard. The first step involves exploiting a certain form using SQL. Then after that, the challenge gets a little easier. There's an obvious method that should be tried then you will need to decrypt something then the last part of the challenge will be easy.

Realistic Challenge 3

This is slightly easier than the previous realistic challenge. A lot of the pages are just decoys and need to be ignored. But one contains an extra (hidden) element that can be exploited. Once you've figured out how to do this, half of the challenge is already done. Next, just think what could be added to change the functionality in some way.

Realistic Challenge 4

Again, fairly hard. Look for an input that can be changed and see what happens. Then next you will need to look for the (Highlight for spoiler: Include Path) Once that has been found it should be easy to manipulate the script and use it to explore parts of the site you perhaps shouldn't be allowed to.

Programming Challenge 1

Limited help available here. Look for a promogramming language that has utilities to crawl and fetch / scrape page content.

Bonus Challenge 1

This again requires viewing the sites source. How you do that is up to you. There are a few different ways to do this without the page even loading.

Bonus Challenge 2

The form gives this away. Even though something may appear encrypted in a strange unrecognisable text, using a search enging may help you find out more.

Then the next step once this is decrypted is changing it. If you have already done the email challenge, you should have no problem.

Bonus Challenge 3

This can be done by tweaking settings in modern browsers ("about:config") or even possibly through a browser extension.

Bonus Challenge 4

The page contains something hidden. Compare the page to another challenge page. even if it looks like part of the site, check it out it may be useful.

Bonus Challenge 5

The image - rather than having something hidden in the image has a whole file hidden inside of it once you find out that file, the challenge is done :)

Bonus Challenge 6

This is a tricky encryption. It would help you to start off by downloading the script, then learn about the JavaScript commands involved. Adding a few alerts or console logs here and there might also help you to understand how the code works.

Bonus Challenge 7

Nothing complicated about this, just plain old brute forcing, all you have to do is find decent programs to do the job. The passwords are short, so shouldn't take too long to crack.

Bonus Challenge 8

This is common sense. However, it doesn't involve guessing the password, you will find the password if you think about this challenge. Look for any differences between this challenge page and others.

Bonus Challenge 9

Don't overthink this. Follow each of the bullet points top to bottom and it should be fairly straight forward.

Application Challenge 1

Get a basic hex editor and look at the app's code. It should be fairly easy to find what (or where) the app is looking for.

Application Challenge 2

Again a hex editor is useful. There are a few ways to do this, the simplest being keyboard shortcuts. Edit one of the buttons to include a shortcut and it is already complete.

Application Challenge 3

This can be done with a text editor. Just view the app and try and find what is being checked. Try copying and re-running and this challenge is solved.

User Challenge 1

A little knowledge of JavaScript functions is again useful. The password is not a usual password. you may need to know a hex colors.

User Challenge 1

This is basic stegano, read the stegano tutorial and the challenge should become easier to understand. It will probably be a lot simpler than first thought.

For further help please use the forum.



good luck!


Hey, can you help me with Bonus 4? I can\'t figure out how to do it...


sure, i was planning on updating this tomorrow but im not sure with IE but with firefox, type about:config and look through until you see something that could be changed. ill explain more tomorrow hopefully


Thanks, I got it.


Isn\'t there any help for new school challenge?


sorry, i havent added it yet, there will be a new irc channel tonight that will help you though


wow! thanks for updates..


whr is info about realistic 5?????


Please.. can u help me for my next challenge?


Is there any help for sql2?


i finished challenge 3 but i cant seem to do it on a site that is most likely vulnerable. do i need to be running my very own site in order to exploit the target site? pm me plz


is challange 3 down or is the test this "under construction" sth?!


is challange 3 down or is the test this "under construction" sth?!


I can't find the right bit of source code in basic challenge 1


I can't find the right bit of source code in basic challenge 1


You will known , it can working or not when you complete lv 3


You will known , it can working or not when you complete lv 3


c99.txt is php code translated to ascii code (heximal)

my anti virus has alert when i run that script (translated)

I known it can working or not when u complete lv 3


What about bonus challenge 11?




Hey something wrong with challange 3 i think somebody has debbug it


a very useful description .!


can u help me to complete my first challenge