Please ask questions ONLY in this topic.

[Phantom Wolf]

You really shouldn't quote any spoilers, it makes it harder for a mod to remove them

[insomaniacal]

You really shouldn't quote any spoilers, it makes it harder for a mod to remove them

Sudo +1 && <3.

[trandoanhung1991]

Woo. I'm done.

Here are some pointers:

Make your script VERY simple. Pretend you have a cookie stealer and just put in the XSS code. It shouldn't be more than 4-5 lines.

Clearing the logs is super easy. Think back to basic 1. And explore the site a bit. Then think about how the email subscription works.

[Sawny1337]

Learn some JS and variables
Mainly the document.'something' ones.

Or the window.'something' ones

Thanks, that is what the script is looking for..
Now i have done this mission


Devloper note: preg_match("/...window.../"); should be preg_match("/...(window|document).../"); I think...

[gernot]

I found this one frustrating, as well.

For a start, the hints about XSS are misleading. Yes, it's XSS, but not in the strict sense. 'Javascript injection' would be more accurate. No PHP required.

Also, I agree with others on this thread that some kind of feedback when experimenting with the javascript injection would be nice.

Also, also, I agree that having to use window instead of document at one place, blows.

Finally, not sure if this has been mentioned before, or if it's a spoiler, but think about when/where the site writes anything to disk that you can then check. How could you exploit that? And I think it's fair to assume that register_globals is 'on' on this site

Oh, and it's fair to assume that the boss clicks on all the links you send him...

[Bitware]

I've done everything I should do in changing username, password and intID, however it continues to say that I'm not an administrator.
What do?

[Rorroh]

OMFG.

I got to the end of page 8. I know my JavaScript, I know my XSS. I figured out the answer at page 6 thanks to haha01haha01,

you need to use window instead of document.

but I still couldn't get it to work. Then I went to a tab I still left open (Do some Google searches for Freakwolfe; he was mentioned in another thread.) and tried something that seemed to jump out to say "THIS WILL WORK." Copy, paste, nothing. Edit a single thing,

It's beyond the scope of this mission to check the XSS. So, assume you got this cookie:[cookie data]

That brings me to the next bit: The code seems to need to be EXACT, but the URL is arbitrary; you're given the cookie on the "Private Message" page.

The biggest thing that hinders, though, is the code itself. Do a little research on JavaScript "windows." That's all I can say.

If you've gone through all of this thread's pages so far and still can't get it, good luck! It's an easy concept but extremely frustrating to figure out. I'd say more about it but I'm not entirely sure what constitutes a "spoiler" and I don't want to push it too far. If you need more, message me!

[conscience]

I'm not sure you haven't done so yet by giving pieces of info on where to look at, dude.

[Eimeidee]

Hugely helpful link, if it was posted in the forums i didn't see it.

http://www.hackthissite.org/articles/read/1006

[sdition]

I found there are sth in common in both realistic 8 and realistic 9. I just change the username using javascript injection in cookie to make money transfer to another account. But in realistic 9, I am using XSS to change username, pwd and intID to finish this mission.

So, what's the different form the two methods on both missions? Why I can just change name and ignore pwd in realistic 8 but have to change more fields in realistic 9?