Any idea how to complete this level.

[deleted user]
11 years ago

1

So as far as I can understand I have to bypass the filter and execute this code <script>alert('HackThis!!');</script> so that when I put this code in the textarea provided and click on submit it should show me an JS alert. I hope I am correct so far. But the question is which filter needs to be bypassed. Will have to do some googling I guess.

Everyone who are currently on this level please share you thoughts.

59replies
24voices
436views
1image
[IAmDevil]
11 years ago | edited 11 years ago

1

@tlotr jump over IRC please !!

0xDC
11 years ago

6

It’s actually quite simple…. since the script tags are filtered out, try to come up with a payload that is not detdetectedected :D

Keeper
11 years ago

2

I did manage to execute a lot of them vectors and all pop-up an alert box but level requires something different I suppose.


0

Me too. I tried to inject some simple XSS at first. It WAS successful but I couldn’t “bypass the filter” as expected. Gotta figure out how the code was filtered. ;)

Luke [flabbyrabbit]
11 years ago

0

You need to make the output be exactly the same as the given code.

[deleted user]
11 years ago

1

Hi All,

0xDC post which is mentioned above is very helpful. Thanks 0xDC.


0

So i can get the alert to output but not complete the level. I use something like this [quote=author]<[/quote] i get the alert but not pass the level. any ideas what i should do?

???Roun512 [roun512]
11 years ago

0

@Stoned , u have to make the >output< the same as <script>alert('HackThis!!');</script>

[deleted user]
11 years ago

0

Its not about getting the alert popup I think cause I completed the level without even getting the pop up.


0

at the output box i’m getting what looks like the exactly same code

Image

J [ColdIV]
11 years ago

1

It should look exactly like it but also work. What you tried looks like it, yes but it won’t work :)


0

any helpful suggestions, hint, tips?? i’m sure it’s something simple but probably over thinking it (-_-)

[deleted user]
11 years ago

0

Well StonedNinjaLUFC,

I would suggest that you see the post by 0xDC on this thread especially the last word how its written. Hope this helps.

J [ColdIV]
11 years ago

1

It’s indeed really simple, take a look what exactly is filtered and try to bypass it. @0xDC’s post is very helpful :)

Leinhart
11 years ago

0

You talk about otherthing, but my question is what is “token” ? I have found a code for that but I cant' bypass…
“Token” is a part of solution or I m completely out ??

Thks you guys…

[deleted user]
11 years ago

0

I don’t think it has anything to do with completing the level. I know that there is a hidden input but I don’t think it has anything to do with completing the level. I might be wrong though.

Luke [flabbyrabbit]
11 years ago

0

The hidden input is nothing to do with completing the level … for more information on what it is see https://www.hackthis.co.uk/articles/cross-site-request-forgery

Leinhart
11 years ago

0

@tlotr
@flabbyrabbit

Thks guys, You avoid me losing a lot of time…

Leinhart
11 years ago

0

And thks for the link flabby. Its interesting…

AHSR
11 years ago

0

:( i can’t finish this one :| . I tried to alert the message but this level didn’t finsh yet

Cyan Wind [freewind1012]
11 years ago | edited 11 years ago

0

@AHSR: As we mentioned above, you have to print the exact output as requirement:
<script>alert('HackThis!!');</script>
It isn’t not about making the alert box appear.

xxxmrparthxxx
11 years ago

-1

This Is a filtration which can not execute our code

this same filtration is also on Facebook,Gmail,Yahoo etc.

If You Bypass this here
then you will also bypass facebook,Gmail and all such websites.
and you will be rewarded by facebook.
Good Luck buddy.

Reply has been removed
xxxmrparthxxx
11 years ago

0

i am not saying facebook and gmail is vulnerable, i told you there is a same filtration

if anyone bypass this filtration they will defiantly bypass facebook.

and you are thinking that i am joking and all this
So bypass Hackthis filtration if you can lol..
then try on facebook

steamvnx
11 years ago

0

Help me!, why can’t I finish this level
I tried my best
<Script>alert('HackThis!!');</Script>
script was execute and view a popup.
Thanks

J [ColdIV]
11 years ago

0

It has to be exactly this:
<script>alert('HackThis!!');</script>
Your way works but isn’t the way how it was intended.
I actually already wrote flabby a pm because I don’t think this should work..

steamvnx
11 years ago

0

@ColdIV: can u send code this level to my inbox. I have tried many times bu failed
Thanks a lot :D

J [ColdIV]
11 years ago

0

I won’t send you the solution.
Take a look at the hints posted in here they are quite useful and the level is not as hard as it might seem to be.

Keeper
11 years ago

0

Yeah I don’t deem it that hard once I’ve completed it. But it’s indeed a bit haywire. Either ways, previous posts are enough of hints for anyone attempting it.

steamvnx
11 years ago

0

@ColdIV, @Keeper :D. thank you. i will try ^^

xxxmrparthxxx
11 years ago

0

we everybody should have to R n D on the filtration bypass

https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

Check out hope it ll some help you

? [stefanking56]
11 years ago

0

For anyone who is still struggling with this level.read @0xDC post about this.especially the last word,it’s really important

0xDC
11 years ago

0

To all the people out there struggling with this level:

The idea is NOT to create an XSS but to BYPASS the XSS filter. As you might have noticed, the script tags are filtered out, there is a (rather simple) way to bypass this. Create a payload where the end result is the script tags are displayed.

Another clue can be found in my earlier posts and I normally don’t make typos (another hint).

Good luck to you all!

Zhen [ZeroFreak]
11 years ago

0

No need to search for bypassing techniques. As you can clearly tell in addition to what everyone is saying, anything that comes between tags gets filtered out.

No fancy encoding and stuff needed though. Trick is to confuse the application that you’re not using anything between tags but in reality you are.

[IAmDevil]
11 years ago | edited 11 years ago

-1

Guys this level is fuckin twisted !!
And also theee is no need of any special bypassing techniqe , its just playing with the script tags !!

Good luck .

[deleted user]
11 years ago

-1

Yes 0xDC is correct, all you need to do is to fiddle with the tag and also the previous post by 0xDC provides a very big clue to solve this level. Look at the last word posted by 0xDC very carefully in the previous post.


-1

The key to complete this level is tags will be strippedand the “Content” will remain :)

dauphindiamant
11 years ago

0

please can you help me to do this level

[deleted user]
11 years ago

0

dauphindiamant,

The answer is already provided on this thread. Check 0xDC’s post especially the last word.

[deleted user]
11 years ago

0

Well I shouldn’t say its the answer but it is a very big clue to complete this level.

daMage
11 years ago

0

[quote=IAmDevil]no need of any bypassing techniqe[/quote]

That is a simple bypassing technique for a specific (read: bad) protection. I’ve actually seen this one out there…

0xDC
11 years ago

0

@daMage: Oh yeah, I have seen them out there as well. It’s actually pretty commonly used IMHO.

Eric [iluvz2sp00ge]
11 years ago
Cyan Wind [freewind1012]
11 years ago | edited 11 years ago

0

Thanks for your document, @iluvz2sp00ge . It’s great when eveyone spreads their knowledge. :D

0xDC
11 years ago

0

iluvez2sp00ge: Nice PDF! :)

Eric [iluvz2sp00ge]
11 years ago

0

no problem i luv to spooge my info hahaha

dauphindiamant
11 years ago

0

thlor help me i started i m not happen please


0

@dauphindiamant: What’s your problem, dude? There’s a lot of hints in this thread which can help you.

dauphindiamant
11 years ago

0

i cant manage to this level help me please ?

Cyan Wind [freewind1012]
11 years ago | edited 11 years ago

0

@dauphindiamant: There’re a lot of posts in Intermediate Level 4 thread can help you, dude. Just read all.

Eric [iluvz2sp00ge]
11 years ago

0

read the PDF i posted it’s sort of hard to miss how its done ;)

dauphindiamant
11 years ago

0

i have got read all but i m not i cant not to do

can you do a movies please ?

Cyan Wind [freewind1012]
11 years ago | edited 11 years ago

0

We don’t even type passwords in the forum and now you ask for a video? ;)

Let me see… Ah! The holy word from @0xDC which can help you to pass this level:

detdetectedected

silverrp123
11 years ago

0

[b]really am Surrender this level
[/b] :( please please please please please please please please please help me guys

[IAmDevil]
11 years ago | edited 11 years ago

0

dont surrender @silverrp123 !!!
Keep trying it just has to do with the tags nothing much !!

kamzhik
11 years ago

0

The only thing left to say is the right answer itself. Read the whole thread and if you still can’t find it then just try another level.

silverrp123
11 years ago

0

thanx you guys for help me :(

*********** [ADIGA]
11 years ago

1

silverrp123, a hard way and an easy way to solve this.
1- the easy way : simple google search on stupid ways to filter from xss and understanding str_replace() function in php + some really simple logic
2- the hard way, keep saying your hints does not help or i did not understand your hint in the forum and waiting for someone to hand you the answer and not doing some reading or googling in the first place.

you are going the hard way.

locdog84
10 years ago

0

74 tries and 7 hours….i tried to hard, really helped me your last word 0xDC :)


0

@tlotr: This thread should be closed too. :/

Discussion thread has been locked. You can no longer add new posts. Unlock
1 of 60

This site only uses cookies that are essential for the functionality of this website. Cookies are not used for tracking or marketing purposes.

By using our site, you acknowledge that you have read and understand our Privacy Policy, and Terms of Service.

Dismiss