Is this website hackable?

Post by steelcase2 on Thu Aug 11, 2016 7:57 am

Hi.

Sorry for the messy question. I will edit it later. Just curious if anyone here has any thoughts on this!

*INTRO:
I'm pretty new to this, and I'm really starting to like (almost obsess over) everything about pen testing. Right now I have done the basic hacking challenges and I'm still learning every day.

Right now I'm at the stage of "what is possible"? And I'm studying an unimportant summer class right now for which I wonder how vulnerable it is. I know my material pretty well but I'm intrigued if I can somehow pass my online exam the dirty way. I'm aware that if I just study I will pass it, and I'm sure I would right now actually, but this seems by far more challenging (and fun).

*ACTUAL QUESTION:

Is it possible to hack Moodle?


I have a couple of ways I wonder about at the moment, which are:

* I have monitored all aspects of the site with Firebug (with my non-existent knowledge). And found that I'm able to hack the library quiz with some basic logic only. But the exam quiz was different. From what I saw from the sandbox Moodle, the questions come randomly from a question bank. The IDs for the questions are just from 0-6 and are checked within the server, I think. So I think I can't find the answers in the source code or inspect elements. What I was thinking was maybe intercepting the question answer form and tampering with the data so it passes all answer alternatives and maybe bug the score so it becomes correct (because one is). Or maybe tamper with the request I send to the server so I get all the questions from the exam on my first try. Is that realistic?

* I saw this in the HTML source: some random <!-- --> comments under a "class=c". Nothing more there.

Other ways would be to hack into the server itself and get the information.
* I have a tcsh(rc?) prompt, used for uploading files, with the file:
set prompt="%M [%/] %#"
alias ls ls -F
alias dir ls -lF
umask 077
...which is in a map of my account. I have write access to a subdir of it.

* I have an SFTP connection to the server. Dunno if I can use that?

**Plus more noob theories I have come up with, and I can speculate all day but I know that people here have a very deep knowledge of this, so maybe it's better to ask first.

Server info:
Moodle server:
teehee

Apache, Ubuntu, etc. I scanned it before but I'm not using that computer atm.

Student portal:
teehoo

Media server:
This server has some interesting non-security, but it doesn't seem to hold anything relevant because it's on a different domain?
teehaa

Thanks //
steelcase2


Re: Is this website hackable?

Post by mShred on Thu Aug 11, 2016 2:04 pm

Yeah try to be less obvious about your blatant illegal activities, yeah?
For those about to hack, I salute you.


Re: Is this website hackable?

Post by -Ninjex- on Thu Aug 11, 2016 7:55 pm

Where's the fun in that?
haha joking...
For those that know
K: 0x2CD8D4F9


Re: Is this website hackable?

Post by steelcase2 on Sat Aug 13, 2016 6:41 am

mShred wrote: Yeah try to be less obvious about your blatant illegal activities, yeah?

You are right. In hindsight I'm /facepalming myself. My bad.


