This post will show you how I got all the answers for each of the basic missions on HackThisSite.org, a site with a whole bunch of little hacking tests.
This test is the proclaimed “idiot test”. It really requires little effort at all.
Inspect the page’s HTML code
Right-click anywhere on the page, and go to Inspect.
Hover over the page with the element highlighter
Go to the highlight element option.
Hover over the form until it’s highlighted.
Locate the password in an HTML comment
And then find the HTML comment under the class “sitebuffer”. If you’re struggling to find it, use the search function and type “password”.
Copy and paste the password into the input field, and then submit.
In this test we’re told that Sam has set up a script that loads the password from an encrypted text file.
This is really easy.
Note this part of the mission text, it’s really significant. So, just click Submit.
It’s really that easy, no need to dig through the HTML source!
This time, Sam uploads a password file, so it’s not as simple as in the last task. So let’s open up the Inspect element again.
Inspect the form
Now, we know we’ll start by inspecting the form again. By hovering over it with the element highlighter.
Find the hidden file
Then you’ll notice that the form has a hidden input with a value of password.php. Let’s navigate there and see if there is any information that can help.
Locate the password
And there we have it, an ill-stored password ready to be copied and pasted into the input box.
In this mission you find that Sam has put his password in a script once again, but this time it will email him automatically in case he forgets. So, let’s inspect the Send Password button.
Find the hidden email value with inspect element
Then, in the inspection window, you’ll find there are two inputs in the form.
Change the email to your own
The top input contains a “to” value, which is obviously an email address. Double click on the value, and replace this with your own email address.
Once that’s set, click on the Send Password to Sam button.
The password will be emailed to the provided email address, but only if it’s the registered email address used to sign up to the website.
This is exactly the same as Basic 4…
This test requires you to do some decryption. But fortunately you’ve got a form that allows you to encrypt different inputs.
Encrypt a simple string of characters
Let’s start by entering a string of 0s, so we can see how each position reacts.
Analyse the encrypted output
The encrypted string that gets returned has an obvious pattern: each character has its index position in the string added to it.
Use this to crack the encrypted password
So we need to subtract each value from the encrypted password, starting with “1-:”. But, to give “:” and the other alphabet characters a numeric value, we need to convert them to ASCII.
Subtract the values from the ASCII values
After subtracting the values from the encrypted string using the “0 string”, we are given the following result (work this out in Notepad).
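As an added example (not code from the original post), the following models the Basic 6 cipher exactly as described above, each character shifted by its index in the string, and shows both the direct inverse and the “0 string” subtraction the post uses. The sample password is constructed; the mission’s real password is not reproduced.

```python
# Added example, not code from the original post: a model of the Basic 6
# cipher as the walkthrough describes it (each character shifted by its
# index in the string), plus the "0 string" subtraction the post uses.
# The sample password below is constructed; the mission's real one is not shown.

def encrypt(plaintext: str) -> str:
    """Shift every character's ASCII code by its position in the string."""
    return "".join(chr(ord(ch) + i) for i, ch in enumerate(plaintext))


def decrypt(ciphertext: str) -> str:
    """Direct inverse: subtract the position back off each character."""
    return "".join(chr(ord(ch) - i) for i, ch in enumerate(ciphertext))


def decrypt_with_zero_string(ciphertext: str, zero_string: str) -> str:
    """The post's method: encrypt a run of '0's, then for each position take
    (zero_string[i] - '0'), which is exactly the shift i, and subtract it
    from the ciphertext character. The zero string must be at least as long
    as the ciphertext."""
    if len(zero_string) < len(ciphertext):
        raise ValueError("zero string too short for this ciphertext")
    shifts = [ord(z) - ord("0") for z in zero_string]
    return "".join(chr(ord(ch) - shifts[i]) for i, ch in enumerate(ciphertext))


# Twelve zeros: the output runs past '9' into ':' and ';', the non-digit
# characters the post mentions having to convert to ASCII.
ZERO_STRING = encrypt("0" * 12)           # "0123456789:;"

SAMPLE_PASSWORD = "hackme"                # constructed sample, not the real one
SAMPLE_CIPHER = encrypt(SAMPLE_PASSWORD)  # "hbenqj"

if __name__ == "__main__":
    print("zero string:", ZERO_STRING)
    print("ciphertext: ", SAMPLE_CIPHER)
    print("direct:     ", decrypt(SAMPLE_CIPHER))
    print("via zeros:  ", decrypt_with_zero_string(SAMPLE_CIPHER, ZERO_STRING))
```

The zero-string route works because encrypting “0” at position i yields the character ’0’+i, so the difference from ’0’ recovers i without ever needing to know the scheme in advance; that is why the post could discover it from the form alone.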
In this test, Sam has put his password in an obscurely named file. He has also installed a calendar script that uses Unix commands.
Test the input form first
If you input 2000, it returns a whole bunch of calendars.
Inject your own code after it
Let’s exploit this by injecting our own command after the year. For this, we’ll need the ls command.
Why this works
The script is probably running something like “cal USERINPUT”.
Now, by injecting this command, we’re making the script run “cal USERINPUT && ls”. This is essentially two commands combined into one, with ls listing all the files in the current directory.
Locate the obscure file
We’ll go for the most obscure file here, and navigate there directly to find the password.
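As an added example (not code from the original post or from HackThisSite), here is a reconstruction of the kind of calendar wrapper the “Why this works” section describes, which splices the year into a “cal …” shell string, beside a hardened version that validates the year and never involves a shell. The function names and the wrapper itself are this example’s own assumptions.

```python
# Added example, not code from the original post or from HackThisSite: a
# reconstruction of a calendar wrapper that builds "cal <input>" as a shell
# string, beside a hardened version. The function names are this example's own.
import shlex
import subprocess


def build_shell_command(user_input: str) -> str:
    """Vulnerable pattern: the user's text is spliced into a shell command
    string. Returned rather than executed so the result can be inspected."""
    return "cal " + user_input


def shell_would_see(command: str) -> list:
    """How a shell tokenises that string; a '&&' token means the single
    input has become two commands, which is what the post relies on."""
    return shlex.split(command)


def validate_year(user_input: str) -> int:
    """Allow-list check: a year is digits only and within cal's range.
    Anything else, including '2000 && ls', is rejected before any process
    is started."""
    text = user_input.strip()
    if not text.isdigit():
        raise ValueError("year must contain digits only")
    year = int(text)
    if not 1 <= year <= 9999:
        raise ValueError("year out of range")
    return year


def is_safe_year(user_input: str) -> bool:
    """Boolean form of validate_year for callers that just need a yes/no."""
    try:
        validate_year(user_input)
    except ValueError:
        return False
    return True


def build_argv(user_input: str) -> list:
    """Hardened pattern: the validated value travels as its own argv element
    and no shell is involved, so shell metacharacters carry no meaning."""
    return ["cal", str(validate_year(user_input))]


def run_calendar(user_input: str) -> str:
    """Runs cal directly (shell=False is subprocess's default) and returns
    its text output. Needs the cal binary installed."""
    result = subprocess.run(build_argv(user_input), capture_output=True,
                            text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    injected = "2000 && ls"
    print(build_shell_command(injected))
    print(shell_would_see(build_shell_command(injected)))
    print("accepted:", is_safe_year(injected))
    print(build_argv("2000"))
```

The two defences are independent and both matter: the allow-list rejects anything that is not a year, and passing an argv list means that even a value that slipped through would be one argument to cal rather than text for a shell to parse.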
First of all, we know that the password is stored encrypted in the following location:
The input box takes some input, a string, and then creates a file.
Test the input form
Create a file, then view it.
Notice that the URL links to a .shtml file.
That means that we can inject some server-side code! I’m no expert in SSI, so we’ll pull some info from another site.
This is what the commands look like. We can use this to execute commands too!
Try SSI with LS command
So let’s try the following command:
Escape the current directory
We also noticed, when we first created a file, that the files were being stored in a /tmp location.
We need to escape this folder. This can be done using “../” after the “ls” command.
<!--#exec cmd="ls ../"-->
This “../” will execute the “ls” command in the /basic/8/ folder, the folder above.
Locate obscure file
This gives us the obscure password file that we can then navigate to, remembering not to include the /tmp folder in the path.
Get the password
This test builds on the exact same principles as Basic 8. So, go back to basic 8 so you have the input form again!
Edit the SSI used in Basic 8
Now you need to edit the previous command slightly. Before we used:
<!--#exec cmd="ls ../"-->
This executed the “ls” command in the “/basic/8/” folder. Now we need to go up into the “/basic/” folder, then down into the “/basic/9/” folder before we execute “ls”!
<!--#exec cmd="ls ../../9/"-->
Locate the hidden file
Get the password
Then we navigate to the file. Remember to change the folder to “/basic/9/”.
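As an added example (not code from the original post or from HackThisSite), serving both Basic 8 and Basic 9: a reconstruction of the file writer those missions rely on, which copies the submitted name into a .shtml page that the server then parses for SSI directives, next to a hardened writer that escapes the input and uses a plain .html name. Paths, filenames and function names are this example’s own assumptions; the sample input is the directive the post submits in Basic 8.

```python
# Added example, not code from the original post or from HackThisSite: a
# reconstruction of the Basic 8 file writer, which copies the submitted
# name into a .shtml page that the web server then parses for SSI
# directives, beside a hardened writer. Paths and names are this example's own.
import html
import os
import re
import tempfile

# Matches the opening of any SSI directive, e.g. <!--#exec or <!--#include
SSI_DIRECTIVE = re.compile(r"<!--\s*#\s*[a-zA-Z]+")


def render_vulnerable(name: str) -> str:
    """Raw interpolation: a submitted <!--#exec cmd="..."--> survives intact."""
    return "<p>Hello, " + name + "!</p>\n"


def render_hardened(name: str) -> str:
    """HTML-escape first: '<' becomes '&lt;', so no directive opener reaches
    the file regardless of what the server does with it."""
    return "<p>Hello, " + html.escape(name, quote=True) + "!</p>\n"


def contains_ssi_directive(text: str) -> bool:
    """Detection check usable over request bodies or stored pages."""
    return SSI_DIRECTIVE.search(text) is not None


def write_pages(name: str) -> dict:
    """Writes both variants into a fresh temp directory and reads them back.
    The hardened page also uses a plain .html name, an extension the server
    is not configured to hand to the SSI parser."""
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        for label, filename, body in (
            ("vulnerable", "name.shtml", render_vulnerable(name)),
            ("hardened", "name.html", render_hardened(name)),
        ):
            path = os.path.join(tmp, filename)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
            with open(path, encoding="utf-8") as fh:
                out[label] = {"file": filename, "body": fh.read()}
    return out


# Constructed sample input: the directive the post submits in Basic 8.
SAMPLE_INPUT = '<!--#exec cmd="ls ../"-->'

if __name__ == "__main__":
    for label, page in write_pages(SAMPLE_INPUT).items():
        flag = "directive present" if contains_ssi_directive(page["body"]) else "clean"
        print(f"{label} ({page['file']}): {flag}\n{page['body']}")
```

Escaping is the fix that holds even if someone later enables SSI for every extension; the .html name is a second layer, not a substitute. The contains_ssi_directive check is the kind of thing to run over existing stored pages after a cleanup, since the missions show the injected page persisting on disk.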
After picking through the HTML source for a while, it’ll become obvious that there’s little to go by. So, where are some other places that scripts can determine your authorisation?
Analyze your Cookies with Inspect
To find your cookies, first try submitting a random password, then go back. Open Inspect element and go to the Application tab.
Change the authorization value
You’ll see a row with name “level10_authorized” and value “no”. Set this value to “maybe” — just kidding, set it to “yes”, then click Submit.
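As an added example (not code from the original post or from HackThisSite), this models the Basic 10 check as the post implies it works, an authorisation decision read straight from a browser-supplied cookie, beside one assumed hardening: an HMAC-signed cookie, so that the “no” to “yes” edit made in the Application tab fails verification. The secret, the signing scheme and the function names are this example’s own assumptions.

```python
# Added example, not code from the original post or from HackThisSite: the
# Basic 10 check as the post implies it works (an authorisation decision read
# straight from a browser-supplied cookie), beside one assumed hardening, an
# HMAC-signed cookie so a client edit from "no" to "yes" fails verification.
# The secret and function names are this example's own.
import hashlib
import hmac

# Constructed demo secret. A real deployment generates a random one and never
# ships it to the browser.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"
HEX_DIGITS = set("0123456789abcdef")


def is_authorized_plain(cookies: dict) -> bool:
    """Vulnerable: trusts the value exactly as the browser sent it."""
    return cookies.get("level10_authorized") == "yes"


def sign_value(value: str, secret: bytes = SERVER_SECRET) -> str:
    """Server issues value + '.' + HMAC-SHA256(secret, value), hex-encoded."""
    tag = hmac.new(secret, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return value + "." + tag


def verify_value(cookie: str, secret: bytes = SERVER_SECRET):
    """Returns the signed value, or None if the tag is missing, malformed or
    does not match. compare_digest keeps the comparison constant-time."""
    value, sep, tag = cookie.rpartition(".")
    if not sep or len(tag) != 64 or not set(tag) <= HEX_DIGITS:
        return None
    expected = hmac.new(secret, value.encode("utf-8"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return value


def is_authorized_signed(cookies: dict) -> bool:
    """Hardened: only a server-signed 'yes' counts."""
    return verify_value(cookies.get("level10_authorized", "")) == "yes"


def tamper_to_yes(issued_cookie: str) -> str:
    """What the in-browser edit from the post amounts to against a signed
    cookie: the value changes, the tag does not."""
    _, _, tag = issued_cookie.rpartition(".")
    return "yes." + tag


if __name__ == "__main__":
    issued = sign_value("no")
    edited = tamper_to_yes(issued)
    print("plain check, edited cookie: ", is_authorized_plain({"level10_authorized": "yes"}))
    print("signed check, edited cookie:", is_authorized_signed({"level10_authorized": edited}))
    print("signed check, issued yes:   ", is_authorized_signed({"level10_authorized": sign_value("yes")}))
```

Signing stops silent edits, but the cleaner design is to keep the authorisation state on the server (a session record looked up by an opaque, random session id) so the browser never holds a value worth editing at all; the signed cookie is the minimal change to the pattern the mission demonstrates.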
Now this mission is touted as being harder than the others, and rightly so. When you start, you’ll notice that the songs change whenever you refresh the page.
Figure out the artist
A simple Google search will show that these are Elton John songs:
Find the hidden /e directory
So let’s search for the directory /e, for Elton John.
Follow the directories, then open the .htaccess file
We’re then led through the letters until we get to /n, at which point there are no more files. Perhaps because the files are hidden! So let’s check the .htaccess file.
Next we browse to /DaAnswer.
Use the password hidden in plain sight
We finally head over to /index.php, and submit our answer “around”.
Until next time,