The first thing you must know is that how the website works, so just play all around the stuff. You may find some information at the News page (hope it won't be a spoiler) about which parts of the page are secured recently. So what if the others aren't so secure? Let's give it a try. It may be a good idea to remember, what are the differences between POST and GET.
From one of those less-secured parts you must get some important information if you give unexpected input. For example it either may be "jfseruhzwsedfjsd" that often used to be unexpected
Now you've got some PHP code right before your eyes that somehow tells you where to go for those hashes. Take a closer look to it. URLs are always string variables so it's good to know, how PHP handles strings. The rest of finding the hashes depends on you. You'll have to figure it out, but it's not that difficult, especially after reading all these comments.
Okay, let's see! Now you've got some hashes so you probably know the loginname and password (YES, YOU HAVE TO CRACK IT).
But where the heck will you use them? From this forum, you know that there is a fake login site that is very easy to find. Probably you've found it too, and got some message like "stuff" is not the correct password string for "lamer". Therefore you must think again... Remember how did you find the hashes? (Forgive me
) Maybe the site admin used the same camouflage again...Think that helped a lot. I can't tell you anything more without exactly telling it all. You have to work on your own. Good luck!
and I get another message which says my ip has been banned and logged. Hmm... Maybe it's just a decoy..
Thank you!