Please ask questions ONLY in this topic.

[smittyy]

When I go to pay salary, -after changing email, pass- It still says you are not an administrator

[PinkFloyd22]

Ok i read through the whole forum 3 times I know what im suposed to do.
I need to use XSS and js to steal cookies I know that you shouldn't make a website that steals cookies(kinda obvious).What I figured out is that you should fool the site that you are stealing cookies and than you will get the info you need.I read quite a few articles on XSS and js.I also know you should use window command so I read on this too,but I still can't get it.
I'm doing something wrong and I cant figure out what any hint would be helpful.Im stuck on this for 4 days

edit: Done it I was typing the right XSS code but I had a typo xD.Clearing the logfiles was interesting .

[kakgaming]

Okay so i know what to do but i can't seem to keep my cookies changed so what is the problem? I change the cookies then click on the pay salaries it does not stay changed and i can't pay the salaries. If i have said anything that might be incriminating too much please edit but also pm so that i still know what i did wrong.

[PinkFloyd22]

Okay so i know what to do but i can't seem to keep my cookies changed so what is the problem? I change the cookies then click on the pay salaries it does not stay changed and i can't pay the salaries. If i have said anything that might be incriminating too much please edit but also pm so that i still know what i did wrong.

If you want to pay salaries you first have to use XSS and than js once you find out the information you need.Read up on XSS and a note use window command.

[hellow533]

sorry for spoilers :EDIT

[atzame]

I'm pretty sure I know what's needed on this level but I think I'm having trouble with the correct syntax to steal a treat from the boss. I've found something that I could use to save the treat to when the code gets it on the same server but either the big guy isn't looking at his messages or I can't figure out what the accepted syntax is; or I'm just being a noob and doing this challenge wrong. I'm brand new to js and have limited experience with html. I know I need to use XSS (it's funny that I've seen it referred to as a language in these forums but it looks more like a method) and have been trying a bunch of stuff that I've read about using js but none has worked on here so far. I know I don't need to get a separate account on another server so I was wondering if I could use a similar file on this server that I have access to read? Actually there are 2 files but when I try to submit something to the other file it doesn't work with the submit button anyway. I'm pretty sure if I could get something onto either of those files I could get rid of the evidence on either of them. Reading the posts from earlier it seems that most of the stuff doesn't work but if you go through the correct steps you get the information you need. Anyway if this is too vague let me know and I can either contact you via PM or see you in the IRC. Just wanting to know if I'm thinking along the right lines or not. Anyway I need to get to bed, eyes are starting to cross.

Reply to Defience: Sorry about the brightness, It didn't show up too bad on my screen but maybe my color is set lower than others. Anyway the question that I have is do I try to send the info to myself, the account I'm using for the hack or to somewhere where I can read it? Using one method I can send an email but with the other it will ask him to confirm even if I can send an email with it. I've tried many different ways using both server side script and client side script but neither have worked. I think I'm going about this the correct way and I just need to guess the right syntax. I'm still pretty new to all this even though I've used computers most of my life, I hadn't really gotten into the nuts and bolts of how much of it worked and I'm learning a ton both from this site and while going to school. Reading previous posts I know I need to open something to let a breeze in using client side script, but from what it looks like I will use that when I get the info, although I'm not completely sure about that. I'll keep plugging away at it but I might move on to some other missions and probably come back to it later; maybe I'll find out something in one of those, who knows.

P.S. Will it show a new post in the forum when one is edited or should I post a new reply? Some sites would rather you edit a reply to keep the number of new posts down and some don't care. Just wondering about this one.

[Defience]

I'm pretty sure I know what's needed on this level but I think I'm having trouble with the correct syntax to steal a treat from the boss. I've found something that I could use to save the treat to when the code gets it on the same server but either the big guy isn't looking at his messages or I can't figure out what the accepted syntax is; or I'm just being a noob and doing this challenge wrong. I'm brand new to js and have limited experience with html. I know I need to use XSS (it's funny that I've seen it referred to as a language in these forums but it looks more like a method) and have been trying a bunch of stuff that I've read about using js but none has worked on here so far. I know I don't need to get a separate account on another server so I was wondering if I could use a similar file on this server that I have access to read? Actually there are 2 files but when I try to submit something to the other file it doesn't work with the submit button anyway. I'm pretty sure if I could get something onto either of those files I could get rid of the evidence on either of them. Reading the posts from earlier it seems that most of the stuff doesn't work but if you go through the correct steps you get the information you need. Anyway if this is too vague let me know and I can either contact you via PM or see you in the IRC. Just wanting to know if I'm thinking along the right lines or not. Anyway I need to get to bed, eyes are starting to cross.

Your eyes are probably crossing because of the brightness of your post! Anyway, for this one you only need to simulate that thing, the info won't actually get sent to you. If it's formatted properly, it will tell you to assume that it worked correctly and will give you the information you need to continue.

[atzame]

Just putting a new post to draw attention to the reply in my previous post.

[Defience]

You might be over-thinking this one....you're given a username and password and the goal is to then gain higher privileges so you can make sure the guy gets paid. There's an area that is exploitable.....once that is 'simulated', it's on to the next part. I'm trying not to give too much away but if you need to you can pm me with your exploit and I'll look it over.

[tremor77]

I totally did this mission in a completely different way... I Google Hacked the Site: - Found an interesting file within the directory structure... used info from this file to place in firefox cookie editor to spoof being logged in as admin, paid the salary... then tamper data to clear the logs.. BANG - mission completed in about 3 minutes.

I know the objective was to teach some XSS, hope this isn't too spoilerish and total workaround of the objective for the mission... just wanted to let HTS staff know there is a google viewable file in the directory that pretty much gives the mission away to someone who is observant.