hackxor hints&tips
Reverse. Understand. Exploit
Lame hints are in the source of this page. I'm sure you won't need them.
Contents:
-
The attack log you're provided with has several useful pieces of information in it.
-
Try looking up information on HTTP request headers, particularly the Referer header.
-
All you need to do is find out who the hacker was, and get their IP.
-
Finding their username is easy and it might be useful.
-
This level will be bloody difficult without some kind of intercepting proxy
-
User-made addons often have terrible security issues
-
All the inputs are filtered equally.
-
There are only 4 inputs into SQL statements.
-
Some characters naturally can't be used, some characters are filtered, and some keywords are blacklisted.
-
The table and column names are extremely predictable
-
The demo version of this level is much harder
-
You'll probably need to send a few messages with wraithmail.
-
One email address is public, and the other can be guessed from a username. You can use an info leak to check whether email addresses exist
-
Victims won't click links but you can put javascript in messages...
-
If your attack is timing/order-based, remember TOR is slow and unreliable.
-
Sometimes cookie stealing just doesn't cut it.
-
Where could the admin panel be?
-
The developer understood a little security and only trusts .txt, but was otherwise a terrible coder.
-
Try to understand the CSRF defence this site uses.
-
Sometimes you have to do something extremely illogical to succeed.
-
This level is not impossible, I promise.
No hints for this level, it's pretty easy anyway.