I never mean to spoil, so if this is cutting it close, by all means, edit/remove it.
Based on the objective, it should be apparent to you at this stage that there is going to be a back-end database that is allowing you to retrieve information, as well as hold account information, balance, etc. So, as all we've seen so far is SQL, it's not a bad guess to start there, as in injection.
Think logically. Identify attack vectors/vulnerable functions. Privilege escalation is never going to hurt you. Don't say no to a handout. Think about what commands would need to be issued in order to achieve each objective, and where you can take advantage of the queries in forms/URLs to inject something useful.
You're going to need information for starters. For those of you who are just getting your feet wet with SQL, try to visualize the table in your mind. The table name, the column names, rows, different entries, etc. In order to retrieve an item, you must ask for it with specific parameters. In other words, you must input arguments that collectively will be TRUE for the information you're looking for. Riddle me this, how can you make sure the query will be TRUE for ALL the entries? Great way to harvest valuable info, and I've used it successfully for the third time now on these missions. It's nice and compact too, making it more versatile (think character limitations). Worked for me as a password, once upon a time. Just trying to make you think. Good luck.
---------------------------------------------------------------------------------------------
Oh, and as far as namedropping tools (poster before me lol), Firefox add-ons are plentiful. Most won't help you in this regard, but I will say that I do have Firebug as well and have YET TO USE IT on ANY of the missions I've completed, thanks to a handful of little tools from Mozilla's add-on department that have been very handy in this enterprise.
