Page 14 of 16

Re: Please ask questions ONLY in this topic.

PostPosted: Mon Apr 02, 2012 11:51 pm
by sharpiee
I know this isn't really a question but it is helpful! Chrome has a built in feature to change useragents. If you hit F12 and go to the console tab there is an options button in the very bottom right corner of the window. When you click on it it opens a menu and one of the options is override useragent. It provides a simple change of useragent without any browser extions! :P Hope this helps! Best regards and good luck!

Re: Please ask questions ONLY in this topic.

PostPosted: Wed May 09, 2012 8:47 am
by imthebest69
I have to say, this is probably the worst challenge so far.
Some steps are just senseless, you will know what I mean after you've completed the mission.
I don't know if it ever even was intended for these challenges to progress in any order of skill or method, but this one is just weird. I might be wrong but I don't see how this challenge is any bit realistic (not that the others are super realistic either, but at least the methods are somewhat), I can't see anyone writing their website like this; what I mean is that they have good security somewhere but then the most essential access point is not very secure.
My post seemed to become a little review, hehe.
But still, I didn't want to bother downloading any addons for anything just for this mission so I'm going to leave this one out.

Re: Please ask questions ONLY in this topic.

PostPosted: Mon Jun 25, 2012 5:00 am
by thaeraser
For a weird reason, my browser changes me user-agent everytime.
I changed it to holy_teacher, and every time he changed it back to something like User-Agent=holy_teacher/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0

Anyone knows why?
Using TamperData everytime you click a link is not eazy to work with.

Re: Please ask questions ONLY in this topic.

PostPosted: Sun Aug 12, 2012 1:01 am
by Sl1ck_x
From about Basic mission 8, I've been coming to these forums just to browse through the questions and see if any of problems here relate to the part that I'm stuck. And every single time, I have been able to complete them all by just reading the forums. If anyone else comes by this post just please re-read/skim this thread before you post a question. Because this side of the forum is relatively inactive most of the time, and no one will be here to answer your question.

But to save you the time and trouble of having to go back to page 1, I'm going to help summarize the steps involved.

1. Browse the entire website and don't be afraid to check out their sources as well. (If you're really ambitious, test for vulnerabilities along the way. I.e. URL's, code/sql injections, apache exploits, ect.)

2. Find the faculties login page and use a teacher's username and password. *Hint* Go to your bathroom ... Now what do you see?

3. Once you're in, it's self explanatory but User-agent knowledge is needed. FF has a great add-on for this. Make sure you don't just change the description though!

4. Once you're IN in, grab a cookie but don't eat it! "Not 1" bite! *Hint* Those quotes aren't misplaced.

6. I skipped a step because the previous one is self explanatory. Now revert back to step 1 for the changing of grades.

I tried to tipetoe on the line of what's spoilerish and what's not. Please feel free to edit, if this post displeases you.

Re: Please ask questions ONLY in this topic.

PostPosted: Thu Oct 11, 2012 5:21 pm
by andervish
OK, nice challenge) Though there is a bit of bug there. Page where grades are changed does not accept variables via POST method, though it should do so as method="post" is written in the source code (checked that by sending HTTP requests manually using Live_HTTP_Headers add-on for firefox). Well, may be it's just a joke as that page is not useful anyway due to "grades can be changed only form original page" restriction))

Re: Please ask questions ONLY in this topic.

PostPosted: Wed Mar 13, 2013 2:20 pm
by f1r3fly_s3r3n1ty
RiNSpy wrote:Ok, managed to log in as s****. But how were we supposed to figure out to try her? Or should we have just tried every teacher out there? Makes no sense.

Theist17 wrote:Hey guys, I'm having real trouble with the staff login. I have a username, but I haven't a single idea about the password.

KouluAccount wrote:Managed finally get through. Some hints for above posters (hopefully not too spoilish)
Many have said s****** already. Why?

I just wanted to point out that there are multiple logins that work, not just s******. Some people might find this helpful, if not down-right bad ass:
Code: Select all
hydra -L staffList.txt -P /usr/share/dict/cracklib-small -e nsr http-post-form "/missions/realistic/10/staff.php:username=^USER^&password=^PASS^" -V

Some notes about above command:
-e nsr; trys null (n), same (s), and reverse (r) of the username for the password (try the easy stuff first ;) )
S=Welcome; Successful (S) login message, searches reply for "Welcome" string to determine a successful password. Alternatively, you can omit the S= flag to check for a fail message.
H=Cookie:PHPSESSID=YOURPHPSESSID; hydra can set any header (H) values to whatever you want. In this case we need the PHPSESSID cookie set in order to authorize a login attempt (security mechanism utilized by HTS, not the mission site).; (security mechanism utilized by the mission site)
I was able to find out which headers were needed by reviewing server responses via an ethereal (wireshark) dump.

and one last thing:
INTERCEPTING PROXY > browser add-ons in every single way. I'm shocked at how many people rely on firebug as their main attack tool...

Re: Please ask questions ONLY in this topic.

PostPosted: Sun May 26, 2013 5:14 am
by justwilliambrown
I'm stuck. I've gotten all the way to getting to where you can change the grades. And then found out that I can't finish. I've taken a look at the source and added the relevant bit to the URL and... nothing. I'm really stuck, could anyone give me a hand?

P.S. Sorry if this is vague, but I'm trying not to give away spoilers.

Re: Please ask questions ONLY in this topic.

PostPosted: Wed Nov 20, 2013 9:51 am
by cor3dump
Not sure if anyone is watching this thread anymore..but I will still describe my problem :|. I am unable to login as the desired teacher. I did read this whole thread and know the teacher and the expected password. But I always get Invalid username/password. I tried lowercase, uppercase, full name, pasting it, typing it by hand..none worked. I'm very positive I'm not mistaken about what the password should be, since it can supposedly be inferred from the other part of the credential..

Re: Please ask questions ONLY in this topic.

PostPosted: Sat Jul 26, 2014 5:49 pm
by arcm111
@cor3dump if you've already logged in using zack's credentials you'd have to delete the username,password and admin cookies and then try again to login using the teacher's credentials, it should work.

Re: Please ask questions ONLY in this topic.

PostPosted: Sun Jul 27, 2014 7:29 am
by cyberdrain
That is, if you have the right password. Otherwise, you'll be deleting cookies forever without progress.