Author: [the emptiness of the prodigal son heart]() 【IT168 designed artwork] throughout the game levels, all with the technology, are the basis for comparison, as long as there own ideas, and understand basic hacking techniques, take the time, it is easy to cross the border. The entire design idea is: the requirements to cross the border who use their real techniques, not by means of automatic tools, familiar with basic web hacking techniques, Ken think of. Levels try to be practical, the use of technology to try not to repeat. In the beginning of the level at the beginning, is expected to get a host file this thing, blocking part of the people, which impatient, unwilling to think of the people, the first to awake, over the period of time and then to play. **The contest entry is:** The contest purpose is to put the rookie stopper in the door, let the more technical people, take to the rewards, let the veterans share your own offensive and defensive experience. And the rookie learning these lessons in the future, it can be used in the later“levels”. Hack Games, the most shining place, is the end to be compromised. In fact, sometimes a topic is difficult, the requirements of true art, and not from the actual, this is level design difficulties. For example, if I'm out with a meaningless Title, A administrator password let you use the rainbow table to run on a two-day, very realistic? In“everyday life”, we may often encounter, unfortunately this topic is a waste of your time, but also a waste of national power resources, but does not embody real technology. So, topic selection is the most important step, is also the most difficult step. And I finally set down the levels, are picked and chose over. **First off: the host file+simple hack** Observe, every security officer must have a basis, even more than a lot of technology, more worth pondering, which is, through the game of each section. The author of the game instructions in every sentence, are not white write, a lot of even the“final Clearance”key, 7J(competition first place)just to eat here over the big loss. Wherein a sentence, the original words are so to say“after testing, each address can be a normal visit.”, the Looks absolutely belongs to nonsense, but in a disguised reminder“levels no problem, you can not access, is the thing for you, their think of a way to access it!”。 So there are a lot of clever tricks, think of the host file..... Modified the host file, see the page allow you to download a EXE down crack. Why to add this? In fact, is in disguise to remind everyone:“see? It is all simple technology, even when used to the level of winning the prize out of the color project, so basis”. Does not look pediy of the tutorial, open the OD, select the find all the strings, just see the password. It's called the real“slight basis”can be cracked. To get the key code, The display shows the 2 off the address. Still can not access, but with the first turn of that big pit, this point problems, it can not beat everyone up. The application of“everyday life”, don't know we have never thought of, many servers will have hidden levels, when we find out clearly there was a station, but their own can not access the time, have not thought about modifying the host file? Perhaps the Administrator's negligence, the domain name expires, server website. Modify the host file, you can even crack some network authentication. **Second off: break through the guestbook** In many sites, more or less, has a guestbook feature, if we engage to engage to, no place to punch, perhaps in here there will be a lot not a small harvest. Many of my friends a look to the guestbook, already know this off of the spirit - [XSS](a). In General, by the guestbook to get the station than not, are very few, specific reasons of course is because this thing features too little. Does not exclude some databases to ASP at the end, and just can write the word horse, but this game, we don't want to from the shell to start with, because the level of the environment is more complex, on the server there are other stations, I must ensure that everyone can get to the shell. Of course the next game I will not disclose. [XSS]()have is to attack the essential techniques, many times, is can take a direct shell. So hack the game, it is also indispensable. But the real use of them, there is a high and low of the points, in order to take care of everyone, I also specifically looked for one without any[XSS]()filter the message(the next time can not so simple). At the same time, I also on their own machine, set up a virtual machine, every morning and evening, with the administrator identity, look over everyone's posts. Interactive Ah, this is a standard interaction. There are a lot of people[XSS]()successfully, then see the administrator login, the cookie changes. Write directly to a third off the address. You know, in order to a normal level run, I a day sooner or later will come up and everyone is acting, see posts, delete posts. In order to ensure the functionality of the run, written specifically for an asp page, used to restore the posts and the administrator password, of course this is a very, very long path. After this one off, the real game has only just begun. **Third off: hand[SQL injection]()** Q: now SQL tool a lot, what can guarantee that someone can manually inject? This is the people, and a machine difference. This is a very special demand on the network there is absolutely no tutorial, and they are like, how to prevent[SQL injection]()attacks, and I was wondering how to allow manually[SQL injection]()attack at the same time, the bypass tool is the automatic scan. Ultimately, I determined a method, called conversion. In the received character input by the user after the analysis of the field, the conversion inside the[SQL injection]()keyword. Then given a conversion list for everyone to manual injection when doing a control. The original is not what you see that JS to write the conversion function, then I saw the official give prizes not previously so brilliant, worry about the difficulty too high, it will affect the clearance of passion, only to take care of a large home, specifically to a conversion function. In fact, the difficulty really is not high, a statement, get mdb address, another statement across the library. The table name and Field name, are also the most common. [SQL injection]()is a web attack of the absolute King, his appearance, or even change a attack era. I think, if not which tools appear, I am afraid now[SQL injection]()can be various sites provide on an emergency schedule, and are difficult to foresee things. If there is no relevant basis, usually only with the tools of the rookie, will be stuck in this off. And prior to injection of the TNT, I didn't intend to get this stuck everyone, this is just to let everyone not forget in a hopeless situation, there is such a technology. **Fourth off: engage is an administrator** Q: to attack the penetration of a business, regardless of size, the most important of the penetration point is where? Without a doubt, the administrator is the point. Then the security of the system, and then security procedures are unable to withstand those idiot administrators were blind crunching it. They are the real“hacker”. Early a important level designers, experienced in the penetration of home so and so once said, engage in a station, the most important, is the administrator, whether we want to what way, ultimately, the spearhead will point to him. In other words, if you engage in a half-day Station, and finally even the administrators who don't know, that only shows you are not getting the rookie level rookie. First into the eye is a dynamic network Forum, latest edition, to ensure not let everyone get into the shell, where relates to the FSO function page, the basic have been I click. See 7J on the forum said“there is 0day.”I think this guy in the show, and I have a 0day, it is not used to playing this level, I know this levels, is subject to the absolute monitoring. Server open wareshark, you dare to throw to come over, I absolutely recorded flawlessly. That holding a 0day to hit j8hacker guy, it was I caught a current, the perfect capture of the entire process. Nope 0day, it is clear there is only one way, get the administrator to start, I believe we have to guess the password of the painful experience. This password is what, generally is the social worker not to, because I'm not going to let your social worker, the last one off the Ah, how could so simple? Carefully contrast, a brand new forum, and levels of, exactly what's not to like? Also not that the administrator mailbox? But this requires an extreme associative logic(inertia of thinking), and from 1, 2, 3 off view, the level designers obviously don't have any money, the poor can only use the host file to complete the level design. And the mailbox of that user name, and the address, so much alike, don't no mystery in it? In fact, as long as again binding the username of the domain names, access levels, you can see the 4 off of the second little off, the back of the corporate website, the natural is a note on the out password. All in all, it took place in the Administrator's information, as long as careful observation of the administrator, will get a lot of useful things. With 2 small off the password, detour to 4 off 1 off, landing back, that is 2 hours off the role. Other features are deleted, and also what can be done? It is worth mentioning that this is not like the previous levels, like, there are obvious hints about page description of the landing of the background isn't finished. Said this, I am very disappointed, have been in the clearance instructions on the prompts so clearly, let you contact admin QQ. How is there so many people, to the door, is that there is no contact? Oh, actually this is a word game, on purpose. -_ -! All thought that the administrator QQ is a dynamic network that comes with, Is it? See everyone but off, I have just act as a good person, go to the Forum and posting constant reminders. The previous JS off hacking the game, we all know there will be a“word game”, How about this, everyone forget? Divergent thinking, jump thinking no matter where, are definitely a useful tool. In conclusion, this game is mentioned in the technology, we have mastered? That's good! Wait for the next one!

Query Builder