Challenge

[Brandon]

As most of you know I am starting a website where you can try your html skills and hacking. Here is a small challenge I made.

An Age of Mythology clan is promoting trainers and cheats. Visit their website and attempt to gain access. Good Luck!

http://www.hackthis.h4xx0r.be/challenge1/

 

[Bryon]

Do you really love your dog?

Aww that's cute. </end gay sounding remark>

 

[Brandon]

Good Work NedreN and yes!

 

[Cynical]

:drama: Solved, I PM'd you the users and their passwords .

 

[ƒorte]

How do ya'll hack stuff like this? (sorry, I don't know anything about javascript ;P)

 

[Brandon]

A major hint is unescape

 

[Bryon]

It's not "hacking", pfft. Nothing even close? It's all using your brain. If you ever don't know something, ask Google.

 

[Brandon]

Hacking is when your doing something else Cougfh Coufgh (Dont even know how to spell) which im not telling this is more like browsing in the source code.

 

[ƒorte]

I found a reallllllllly long weird javascript in the source code...
what does that tell me?

 

[dharmil]

that long java script equals

<HEAD>

<SCRIPT LANGUAGE="JavaScript">

function Login(){
var done=0;
var username=document.login.username.value;
username=username.toLowerCase();
var password=document.login.password.value;
password=password.toLowerCase();
if (username=="admin" && password=="iamt3hh4x0r") { window.location="completed.html"; done=1; }
if (username=="john" && password=="johnny12") { window.location="completed.html"; done=1; }
if (username=="james" && password=="ilovemydog") { window.location="completed.html"; done=1; }
if (done==0) { alert("Invalid login!"); }
}

</SCRIPT>

<BODY>

<center>
<form name=login>
<table width=225 border=1 cellpadding=3>
<tr>Members Only Area!
<tr> Username:
<tr> Password:
<tr>
</table>
</form>
</center>

</font></font>

 

[ƒorte]

ah but how do you get that? From JS to html?

 

[Chris S]

he unescaped the javascript

%3C%48%45%41%44%3E%0D%0A%0D%0A%3C%53%43%52%49%50%54%20%4C%41%4E%47%55%41%47%45%3D%22%4A%61%76%61%53%63%72%69%70%74%22%3E%0D%0A%0D%0A%66%75%6E%63%74%69%6F%6E%20%4C%6F%67%69%6E%28%29%7B%0D%0A%76%61%72%20%64%6F%6E%65%3D%30%3B%0D%0A%76%61%72%20%75%73%65%72%6E%61%6D%65%3D%64%6F%63%75%6D%65%6E%74%2E%6C%6F%67%69%6E%2E%75%73%65%72%6E%61%6D%65%2E%76%61%6C%75%65%3B%0D%0A%75%73%65%72%6E%61%6D%65%3D%75%73%65%72%6E%61%6D%65%2E%74%6F%4C%6F%77%65%72%43%61%73%65%28%29%3B%0D%0A%76%61%72%20%70%61%73%73%77%6F%72%64%3D%64%6F%63%75%6D%65%6E%74%2E%6C%6F%67%69%6E%2E%70%61%73%73%77%6F%72%64%2E%76%61%6C%75%65%3B%0D%0A%70%61%73%73%77%6F%72%64%3D%70%61%73%73%77%6F%72%64%2E%74%6F%4C%6F%77%65%72%43%61%73%65%28%29%3B%0D%0A%69%66%20%28%75%73%65%72%6E%61%6D%65%3D%3D%22%61%64%6D%69%6E%22%20%26%26%20%70%61%73%73%77%6F%72%64%3D%3D%22%69%61%6D%74%33%68%68%34%78%30%72%22%29%20%7B%20%77%69%6E%64%6F%77%2E%6C%6F%63%61%74%69%6F%6E%3D%22%63%6F%6D%70%6C%65%74%65%64%2E%68%74%6D%6C%22%3B%20%64%6F%6E%65%3D%31%3B%20%7D%0D%0A%69%66%20%28%75%73%65%72%6E%61%6D%65%3D%3D%22%6A%6F%68%6E%22%20%26%26%20%70%61%73%73%77%6F%72%64%3D%3D%22%6A%6F%68%6E%6E%79%31%32%22%29%20%7B%20%77%69%6E%64%6F%77%2E%6C%6F%63%61%74%69%6F%6E%3D%22%63%6F%6D%70%6C%65%74%65%64%2E%68%74%6D%6C%22%3B%20%64%6F%6E%65%3D%31%3B%20%7D%0D%0A%69%66%20%28%75%73%65%72%6E%61%6D%65%3D%3D%22%6A%61%6D%65%73%22%20%26%26%20%70%61%73%73%77%6F%72%64%3D%3D%22%69%6C%6F%76%65%6D%79%64%6F%67%22%29%20%7B%20%77%69%6E%64%6F%77%2E%6C%6F%63%61%74%69%6F%6E%3D%22%63%6F%6D%70%6C%65%74%65%64%2E%68%74%6D%6C%22%3B%20%64%6F%6E%65%3D%31%3B%20%7D%0D%0A%69%66%20%28%64%6F%6E%65%3D%3D%30%29%20%7B%20%61%6C%65%72%74%28%22%49%6E%76%61%6C%69%64%20%6C%6F%67%69%6E%21%22%29%3B%20%7D%0D%0A%7D%0D%0A%0D%0A%3C%2F%53%43%52%49%50%54%3E%0D%0A%0D%0A%3C%42%4F%44%59%3E%0D%0A%0D%0A%3C%63%65%6E%74%65%72%3E%0D%0A%3C%66%6F%72%6D%20%6E%61%6D%65%3D%6C%6F%67%69%6E%3E%0D%0A%3C%74%61%62%6C%65%20%77%69%64%74%68%3D%32%32%35%20%62%6F%72%64%65%72%3D%31%20%63%65%6C%6C%70%61%64%64%69%6E%67%3D%33%3E%0D%0A%3C%74%72%3E%3C%74%64%20%63%6F%6C%73%70%61%6E%3D%32%3E%3C%63%65%6E%74%65%72%3E%3C%66%6F%6E%74%20%66%61%63%65%3D%22%56%65%72%64%61%6E%61%22%20%73%69%7A%65%3D%22%31%22%3C%62%3E%4D%65%6D%62%65%72%73%20%4F%6E%6C%79%20%41%72%65%61%21%3C%2F%62%3E%3C%2F%66%6F%6E%74%3E%3C%2F%63%65%6E%74%65%72%3E%3C%2F%74%64%3E%3C%2F%74%72%3E%0D%0A%3C%74%72%3E%3C%74%64%3E%3C%66%6F%6E%74%20%66%61%63%65%3D%22%56%65%72%64%61%6E%61%22%20%73%69%7A%65%3D%22%31%22%3E%20%55%73%65%72%6E%61%6D%65%3A%3C%2F%74%64%3E%3C%74%64%3E%3C%69%6E%70%75%74%20%74%79%70%65%3D%74%65%78%74%20%6E%61%6D%65%3D%75%73%65%72%6E%61%6D%65%3E%3C%2F%74%64%3E%3C%2F%74%72%3E%0D%0A%3C%74%72%3E%3C%74%64%3E%3C%66%6F%6E%74%20%66%61%63%65%3D%22%56%65%72%64%61%6E%61%22%20%73%69%7A%65%3D%22%31%22%3E%20%50%61%73%73%77%6F%72%64%3A%3C%2F%74%64%3E%3C%74%64%3E%3C%69%6E%70%75%74%20%74%79%70%65%3D%74%65%78%74%20%6E%61%6D%65%3D%70%61%73%73%77%6F%72%64%3E%3C%2F%74%64%3E%3C%2F%74%72%3E%0D%0A%3C%74%72%3E%3C%74%64%20%63%6F%6C%73%70%61%6E%3D%32%20%61%6C%69%67%6E%3D%63%65%6E%74%65%72%3E%3C%69%6E%70%75%74%20%74%79%70%65%3D%62%75%74%74%6F%6E%20%76%61%6C%75%65%3D%22%4C%6F%67%69%6E%21%22%20%6F%6E%43%6C%69%63%6B%3D%22%4C%6F%67%69%6E%28%29%22%3E%3C%2F%74%64%3E%3C%2F%74%72%3E%0D%0A%3C%2F%74%61%62%6C%65%3E%0D%0A%3C%2F%66%6F%72%6D%3E%0D%0A%3C%2F%63%65%6E%74%65%72%3E%0D%0A%0D%0A%0D%0A

and then viewed that

 

[Cynical]

The large wierd thing in the Javascript was a Hex code, which translates to the code dharmil posted about when "decoded".

 

[ƒorte]

ok I think I get it

Thanks!

 

[Brandon]

Try my new one check for another post in off topic.

 

[Jake]

well you guys realize that thats not "hacking" as you are saying, thats mearly looking at wronly placed code by "user" error if there is one.... thats all.... i dont think you want to "promote" people to hack your site though, because someone might just "actually" hack it.

 

[Brandon]

Lol, It's just a fun activity.

 

[Jake]

hehe i know, but it would be prtty fun if someone hacked you because theythought they were supposed to

 

[Brandon]

Lol, thats funny.