Dashboard Articles Playground Discussions More
Follow

Any idea how to complete this level.

[deleted user]
11 years ago

1

So as far as I can understand I have to bypass the filter and execute this code <script>alert('HackThis!!');</script> so that when I put this code in the textarea provided and click on submit it should show me an JS alert. I hope I am correct so far. But the question is which filter needs to be bypassed. Will have to do some googling I guess.

Everyone who are currently on this level please share you thoughts.

59replies
24voices
435views
1image
[IAmDevil]
11 years ago | edited 11 years ago

1

@tlotr jump over IRC please !!

 

- @IAmDevil
Its good to be back! :D

0xDC
11 years ago

6

It’s actually quite simple…. since the script tags are filtered out, try to come up with a payload that is not detdetectedected :D

 

/dev/null

Keeper
11 years ago

2

I did manage to execute a lot of them vectors and all pop-up an alert box but level requires something different I suppose.

Cyan Wind [freewind1012]
11 years ago

0

Me too. I tried to inject some simple XSS at first. It WAS successful but I couldn’t “bypass the filter” as expected. Gotta figure out how the code was filtered. ;)

 
![Image](https://www.hackthis.co.uk/user/userbar.png?user=freewind1012%20//%20Navigator)
Luke [flabbyrabbit]
11 years ago

0

You need to make the output be exactly the same as the given code.

 

Image

[deleted user]
11 years ago

1

Hi All,

0xDC post which is mentioned above is very helpful. Thanks 0xDC.

Mikey * [StonedNinjaLUFC]
11 years ago

0

So i can get the alert to output but not complete the level. I use something like this [quote=author]<[/quote] i get the alert but not pass the level. any ideas what i should do?

 
???Roun512 [roun512]
11 years ago

0

@Stoned , u have to make the >output< the same as <script>alert('HackThis!!');</script>

 

If you make people think they’re thinking, they’ll love you. but if you really make them think, they’ll hate you.
~ Harlan Ellison

[deleted user]
11 years ago

0

Its not about getting the alert popup I think cause I completed the level without even getting the pop up.

Mikey * [StonedNinjaLUFC]
11 years ago

0

at the output box i’m getting what looks like the exactly same code

Image

 
J [ColdIV]
11 years ago

1

It should look exactly like it but also work. What you tried looks like it, yes but it won’t work :)

 

Image

Mikey * [StonedNinjaLUFC]
11 years ago

0

any helpful suggestions, hint, tips?? i’m sure it’s something simple but probably over thinking it (-_-)

 
[deleted user]
11 years ago

0

Well StonedNinjaLUFC,

I would suggest that you see the post by 0xDC on this thread especially the last word how its written. Hope this helps.

J [ColdIV]
11 years ago

1

It’s indeed really simple, take a look what exactly is filtered and try to bypass it. @0xDC’s post is very helpful :)

 

Image

Leinhart
11 years ago

0

You talk about otherthing, but my question is what is “token” ? I have found a code for that but I cant' bypass…
“Token” is a part of solution or I m completely out ??

Thks you guys…

 

“Potius mori quam foedari”

[deleted user]
11 years ago

0

I don’t think it has anything to do with completing the level. I know that there is a hidden input but I don’t think it has anything to do with completing the level. I might be wrong though.

Luke [flabbyrabbit]
11 years ago

0

The hidden input is nothing to do with completing the level … for more information on what it is see https://www.hackthis.co.uk/articles/cross-site-request-forgery

 

Image

Leinhart
11 years ago

0

@tlotr
@flabbyrabbit

Thks guys, You avoid me losing a lot of time…

 

“Potius mori quam foedari”

Leinhart
11 years ago

0

And thks for the link flabby. Its interesting…

 

“Potius mori quam foedari”

AHSR
11 years ago

0

:( i can’t finish this one :| . I tried to alert the message but this level didn’t finsh yet

Cyan Wind [freewind1012]
11 years ago | edited 11 years ago

0

@AHSR: As we mentioned above, you have to print the exact output as requirement:
<script>alert('HackThis!!');</script>
It isn’t not about making the alert box appear.

 
![Image](https://www.hackthis.co.uk/user/userbar.png?user=freewind1012%20//%20Navigator)
xxxmrparthxxx
11 years ago

-1

This Is a filtration which can not execute our code

this same filtration is also on Facebook,Gmail,Yahoo etc.

If You Bypass this here
then you will also bypass facebook,Gmail and all such websites.
and you will be rewarded by facebook.
Good Luck buddy.

Reply has been removed
xxxmrparthxxx
11 years ago

0

i am not saying facebook and gmail is vulnerable, i told you there is a same filtration

if anyone bypass this filtration they will defiantly bypass facebook.

and you are thinking that i am joking and all this
So bypass Hackthis filtration if you can lol..
then try on facebook

steamvnx
11 years ago

0

Help me!, why can’t I finish this level
I tried my best
<Script>alert('HackThis!!');</Script>
script was execute and view a popup.
Thanks

J [ColdIV]
11 years ago

0

It has to be exactly this:
<script>alert('HackThis!!');</script>
Your way works but isn’t the way how it was intended.
I actually already wrote flabby a pm because I don’t think this should work..

 

Image

steamvnx
11 years ago

0

@ColdIV: can u send code this level to my inbox. I have tried many times bu failed
Thanks a lot :D

J [ColdIV]
11 years ago

0

I won’t send you the solution.
Take a look at the hints posted in here they are quite useful and the level is not as hard as it might seem to be.

 

Image

Keeper
11 years ago

0

Yeah I don’t deem it that hard once I’ve completed it. But it’s indeed a bit haywire. Either ways, previous posts are enough of hints for anyone attempting it.

steamvnx
11 years ago

0

@ColdIV, @Keeper :D. thank you. i will try ^^

xxxmrparthxxx
11 years ago

0

we everybody should have to R n D on the filtration bypass

https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

Check out hope it ll some help you

? [stefanking56]
11 years ago

0

For anyone who is still struggling with this level.read @0xDC post about this.especially the last word,it’s really important

0xDC
11 years ago

0

To all the people out there struggling with this level:

The idea is NOT to create an XSS but to BYPASS the XSS filter. As you might have noticed, the script tags are filtered out, there is a (rather simple) way to bypass this. Create a payload where the end result is the script tags are displayed.

Another clue can be found in my earlier posts and I normally don’t make typos (another hint).

Good luck to you all!

 

/dev/null

Zhen [ZeroFreak]
11 years ago

0

No need to search for bypassing techniques. As you can clearly tell in addition to what everyone is saying, anything that comes between tags gets filtered out.

No fancy encoding and stuff needed though. Trick is to confuse the application that you’re not using anything between tags but in reality you are.

[IAmDevil]
11 years ago | edited 11 years ago

-1

Guys this level is fuckin twisted !!
And also theee is no need of any special bypassing techniqe , its just playing with the script tags !!

Good luck .

 

- @IAmDevil
Its good to be back! :D

[deleted user]
11 years ago

-1

Yes 0xDC is correct, all you need to do is to fiddle with the tag and also the previous post by 0xDC provides a very big clue to solve this level. Look at the last word posted by 0xDC very carefully in the previous post.

Vu Nhat Anh [vunhatanh]
11 years ago

-1

The key to complete this level is tags will be strippedand the “Content” will remain :)

dauphindiamant
11 years ago

0

please can you help me to do this level

[deleted user]
11 years ago

0

dauphindiamant,

The answer is already provided on this thread. Check 0xDC’s post especially the last word.

[deleted user]
11 years ago

0

Well I shouldn’t say its the answer but it is a very big clue to complete this level.

daMage
11 years ago

0

[quote=IAmDevil]no need of any bypassing techniqe[/quote]

That is a simple bypassing technique for a specific (read: bad) protection. I’ve actually seen this one out there…

 
  • daMage
0xDC
11 years ago

0

@daMage: Oh yeah, I have seen them out there as well. It’s actually pretty commonly used IMHO.

 

/dev/null

Eric [iluvz2sp00ge]
11 years ago

0

interesting read helped me complete this level http://www.trailofbits.com/resources/blackbox_reversing_of_xss_filters_slides.pdf

 

Image

Image

Cyan Wind [freewind1012]
11 years ago | edited 11 years ago

0

Thanks for your document, @iluvz2sp00ge . It’s great when eveyone spreads their knowledge. :D

 
![Image](https://www.hackthis.co.uk/user/userbar.png?user=freewind1012%20//%20Navigator)
0xDC
11 years ago

0

iluvez2sp00ge: Nice PDF! :)

 

/dev/null

Eric [iluvz2sp00ge]
11 years ago

0

no problem i luv to spooge my info hahaha

 

Image

Image

dauphindiamant
11 years ago

0

thlor help me i started i m not happen please

Cyan Wind [freewind1012]
11 years ago

0

@dauphindiamant: What’s your problem, dude? There’s a lot of hints in this thread which can help you.

 
![Image](https://www.hackthis.co.uk/user/userbar.png?user=freewind1012%20//%20Navigator)
dauphindiamant
11 years ago

0

i cant manage to this level help me please ?

Cyan Wind [freewind1012]
11 years ago | edited 11 years ago

0

@dauphindiamant: There’re a lot of posts in Intermediate Level 4 thread can help you, dude. Just read all.

 
![Image](https://www.hackthis.co.uk/user/userbar.png?user=freewind1012%20//%20Navigator)
Eric [iluvz2sp00ge]
11 years ago

0

read the PDF i posted it’s sort of hard to miss how its done ;)

 

Image

Image

dauphindiamant
11 years ago

0

i have got read all but i m not i cant not to do

can you do a movies please ?

Cyan Wind [freewind1012]
11 years ago | edited 10 years ago

0

We don’t even type passwords in the forum and now you ask for a video? ;)

Let me see… Ah! The holy word from @0xDC which can help you to pass this level:

detdetectedected

 
![Image](https://www.hackthis.co.uk/user/userbar.png?user=freewind1012%20//%20Navigator)
silverrp123
10 years ago

0

[b]really am Surrender this level
[/b] :( please please please please please please please please please help me guys

[IAmDevil]
10 years ago | edited 10 years ago

0

dont surrender @silverrp123 !!!
Keep trying it just has to do with the tags nothing much !!

 

- @IAmDevil
Its good to be back! :D

kamzhik
10 years ago

0

The only thing left to say is the right answer itself. Read the whole thread and if you still can’t find it then just try another level.

 
![Image](http://i.imgur.com/jsUziMz.png)
silverrp123
10 years ago

0

thanx you guys for help me :(

*********** [ADIGA]
10 years ago

1

silverrp123, a hard way and an easy way to solve this.
1- the easy way : simple google search on stupid ways to filter from xss and understanding str_replace() function in php + some really simple logic
2- the hard way, keep saying your hints does not help or i did not understand your hint in the forum and waiting for someone to hand you the answer and not doing some reading or googling in the first place.

you are going the hard way.

 

I Hate Signatures.

locdog84
10 years ago

0

74 tries and 7 hours….i tried to hard, really helped me your last word 0xDC :)

Cyan Wind [freewind1012]
10 years ago

0

@tlotr: This thread should be closed too. :/

 
![Image](https://www.hackthis.co.uk/user/userbar.png?user=freewind1012%20//%20Navigator)
Discussion thread has been locked. You can no longer add new posts. Unlock
1 of 60

This site only uses cookies that are essential for the functionality of this website. Cookies are not used for tracking or marketing purposes.

By using our site, you acknowledge that you have read and understand our Privacy Policy, and Terms of Service.

Dismiss