Please ask questions ONLY in this topic.

Re: Please ask questions ONLY in this topic.

Post by dm79 on Wed Jul 25, 2012 4:01 pm

Enjoyed myself completing this mission. Found it to be more of a challenge and took me some time to do so (4 hours or so).
In reading some posts on what techniques or applications to use I can say that I only used IE and its developer tools (F12). From there I created a script that completes 2 of the steps in the mission automatically when run from the console in that tool. I know that geek fundamentalists don't like my choice for these tools but just want to give a pointer for those who make it too complicated in thinking it requires specific tools.
PS. Find it amusing that money can buy anything as it even holds true at HTS as the rich do not need to comply with the standard 10 char limit that is required for the commoner.

Confusion of goals and perfection of means seems, in my opinion, to characterize our age.
Albert Einstein
dm79
New User
Posts: 6
Joined: Fri Apr 18, 2008 3:34 pm


Re: Please ask questions ONLY in this topic.

Post by Sl1ck_x on Fri Aug 10, 2012 1:17 pm

From what I can tell, there are two different ways to solve this mission. You can do what dm79 did and use javascript injections to solve this. Or you can take an easier way so you don't have to worry about syntax errors. I did this mission using firebug in FF for both the transfer of money and clearing of files. The only time I used an SQL injection was for getting the usernames, after that it was all firebug.

Just a hint for anyone else who comes along trying to finish this mission...
Sl1ck_x
New User
Posts: 11
Joined: Sat Aug 04, 2012 12:55 pm


Nudge in the Right Direction

Post by justforfunn on Sat Aug 25, 2012 9:03 pm

I never mean to spoil, so if this is cutting it close, by all means, edit/remove it.

Based on the objective, it should be apparent to you at this stage that there is going to be a back-end database that is allowing you to retrieve information, as well as hold account information, balance, etc. So, as all we've seen so far is SQL, it's not a bad guess to start there, as in injection.

Think logically. Identify attack vectors/vulnerable functions. Privilege escalation is never going to hurt you. Don't say no to a handout. Think about what commands would need to be issued in order to achieve each objective, and where you can take advantage of the queries in forms/urls to inject something useful.

You're going to need information for starters. For those of you who are just getting your feet wet with SQL, try to visualize the table in your mind. The table name, the column names, rows, different entries, etc. In order to retrieve an item, you must ask for it with specific parameters. In other words, you must input arguments that collectively will be TRUE for the information you're looking for. Riddle me this, how can you make sure the query will be TRUE for ALL the entries? Great way to harvest valuable info, and I've used it successfully for the third time now on these missions. It's nice and compact too, making it more versatile (think character limitations). Worked for me as a password, once upon a time. Just trying to make you think. Good luck.

---------------------------------------------------------------------------------------------

Oh, and as far as namedropping tools (poster before me lol), Firefox addons are plentiful. Most won't help you in this regard, but I will say that I do have Firebug as well and have YET TO USE IT on ANY of the missions I've completed, thanks to a handful of little tools from Mozilla's add-on department that have been very handy in this enterprise ;)
justforfunn
New User
Posts: 4
Joined: Fri Aug 24, 2012 4:49 pm
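The "TRUE for ALL the entries" condition justforfunn hints at, shown from the defender's side as an added example (not code from the post or from the mission): a user-search function that splices the search string into its SQL next to the parameterized version that cannot be bent that way. The users table, its rows and the search input are constructed here for the demonstration.

```python
import sqlite3

# Constructed sample data standing in for the mission's back-end table;
# the column names and rows are invented for this example.
SAMPLE_USERS = [
    ("alice", "pw-alice", 1500),
    ("bob", "pw-bob", 20),
    ("carol", "pw-carol", 99000),
]

# A classic always-true fragment: the search becomes
#   WHERE username = '' OR '1'='1'   which matches every row.
TAUTOLOGY = "' OR '1'='1"


def make_db():
    """Build an in-memory SQLite database holding the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT, password TEXT, balance INTEGER)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def search_users_vulnerable(conn, name):
    """String concatenation: the input can rewrite the WHERE clause itself."""
    sql = f"SELECT username FROM users WHERE username = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def search_users_safe(conn, name):
    """Parameter binding: the value travels separately from the SQL text,
    so quotes and OR inside it are just characters of a username."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


if __name__ == "__main__":
    conn = make_db()
    print(search_users_vulnerable(conn, "alice"))    # ['alice']
    print(search_users_vulnerable(conn, TAUTOLOGY))  # every username
    print(search_users_safe(conn, TAUTOLOGY))        # []
```

Detection follows from the same difference: a search endpoint that returns the whole table for a single lookup, or that logs a quote in the username field, is the signal to alert on while the fix is the bound parameter.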


Re: Please ask questions ONLY in this topic.

Post by justwilliambrown on Fri Oct 05, 2012 12:41 am

Can someone please help. No idea what I am doing wrong. How do I locate the list of users? I used firebug to view the source code quickly, but couldn't find it in the search users place. Please help.
justwilliambrown
New User
Posts: 5
Joined: Fri Oct 05, 2012 12:26 am


Re: Please ask questions ONLY in this topic.

Post by krisby174 on Tue Oct 09, 2012 11:49 am

Code:
    You have the right idea, but you need to transfer the money to dropCash

Any idea?
krisby174
New User
Posts: 13
Joined: Wed May 16, 2012 8:11 pm


Re: Please ask questions ONLY in this topic.

Post by EcceGratum on Mon Dec 03, 2012 9:10 am

Please help me in clearing the traces.
I have tried modifying the value of the **r parameter for the clear button in every possible way. *oo***s not involved in this, as far as I can see. What else could I look at?
Thanks
EcceGratum
New User
Posts: 20
Joined: Wed Nov 07, 2012 4:29 am


Re: Please ask questions ONLY in this topic.

Post by cjbrowne on Tue Dec 11, 2012 12:54 am

Just attempting this one now, and I've got a good idea of what I'll need to do but I'm encountering an Error 500 whenever I try to do something with the database (i.e. search a username) through the web forms - is this normal or is something broken that will prevent me from completing the challenge?
cjbrowne
New User
Posts: 2
Joined: Tue Dec 11, 2012 12:52 am


Re: Please ask questions ONLY in this topic.

Post by limdis on Wed Dec 12, 2012 12:49 pm

*fixed* try again, sorry about the inconvenience
"The quieter you become, the more you are able to hear..."
"Drink all the booze, hack all the things."
limdis
Moderator
Posts: 1358
Joined: Mon Jun 28, 2010 5:45 pm


Re: Please ask questions ONLY in this topic.

Post by turtlekoala on Thu Feb 21, 2013 11:40 pm

Senegra wrote:
    Hi,

    I'm new to HTS and I think it's great.

    Just wanted to give a little hint to all inexperienced sql users. If you query a table and you don't use an order by clause, it will return your tuples by insert order. So if Mr Hunter was registered before we all started to mess around with the database, he will be amongst the first users that appear... hope I don't spoil it for anyone.

    cheers

This isn't necessarily true. If there is no ORDER BY clause, then the order that the records are returned in is officially undefined. In practice, if there are no JOINs, then they will often be returned in the order that they are read from memory, but this behavior is not guaranteed.
turtlekoala
New User
Posts: 4
Joined: Wed Feb 20, 2013 12:32 am


Re: Please ask questions ONLY in this topic.

Post by linkgoron on Sun Mar 10, 2013 2:18 pm

Is the mission working correctly?

I'm not sure what the spoiler policy is, so I'm sorry if I'm saying something that's not allowed.

Anyway, I've tried every SQL statement that I could think of, the best I got were 5 usernames that start with zeros.
Am I missing something?
linkgoron
New User
Posts: 1
Joined: Sun Mar 10, 2013 2:14 pm



Return to (Real 8) United Banks Of America
