impulse_x wrote: Hi,
I have a problem with this mission, based on a theoretical issue of sending a PM to the boss.
In order to perfect a c.s., I'd need to trial-and-error it via sending multiple PMs to the boss. I would think that after the 2nd attempt at perfecting a c.s., the boss would've clued in that I was doing something not-so-kosher and alerted security. Isn't this a little less 'realistic', to allow the attemptee to do trial-and-error on the boss' PM?
In an earlier message, someone mentioned downloading the user database and then doing what I assume to be a brute-force attack on the admin's pw. Is this an alternative?
First off, realistically speaking, you would probably first take what source code you can, and try to make a controlled environment of the site. Next, you would want to set up two test accounts, and ensure proper syntax, plus the ability to cover your ass afterwards/in the process. You would then try the syntax from one to the other, until perfected. If you can't manage to re-create the way the site works due to some missing files such as PHP, etc., then you would test it on the site itself with your two test accounts, while being anonymous.
As for the mission, I'm sure hackthissite, (even though they can) didn't want to block a user from trying to complete the challenge, after they fuxed up their code more than one time. You can't really compare hackthissite to other sites around the world. Hackthissite helps delve users into critical thinking, as well as demonstrates and teaches users how exploits work, through the process of real-time exploitation.
Now, I'm not sure what the other person is talking about, but the scenario went like so for me:
Send the "c.s.", and then for simplicity, hackthissite will provide you with the username/password, and the password will be encrypted. You have to find the value of that hash, and continue about the challenge.
Don't take your focus off of the c.s.; you will need this to win. (At least from what I know.)