hackthissite basic

This post will show you how to complete all the basic missions on HackThisSite.org.

Basic 1 solution

This test is the proclaimed “idiot test”. It really requires little effort at all.

right click and inspect code

Inspect the page’s HTML code

Right-click anywhere on the page, and go to Inspect.

high element in inspect code

Hover over the page with the element highlighter

Go to the highlight element option.

Hover over the form until it’s highlighted.

Locate the password in a HTML comment

And then find the HTML comment under the class “sit buffer”. If you’re struggling to find it, use the search function and type “password“.

Copy and paste the password into the input field, and then submit.

Basic 2 solution

In this test we’re told that Sam has set up a script that loads the password from an encrypted text file.

This is really easy..

Note this part, it’s really significant. So, just click Submit.

It’s really that easy, no need to dig through the HTML source!

Basic 3 solution

This time, Sam uploads a password file, so it’s not as simple as in the last task. So let’s open up the Inspect element again.

Inspect the form

Now, we know we’ll start by inspecting the form again. By hovering over it with the element highlighter.

Find the hidden file

Then you’ll notice that the form has a hidden input, with a value of password.php. Let’s navigate there are see if there is any information that can help.

hackthissite basic 3 password link
Click image to go there directly.

Locate the password

And there we have it, an ill-stored password ready to be copied and pasted into the input box.

Basic 4 solution

In this mission you find that Sam has put his password in a script once again, but this time it will email him automatically in case he forgets. So, lets inspect the send password button.

Find the hidden email value with inspect element

Then, in the inspection window, you’ll find there are two inputs in the form.

Change the email to your own

The top input contains a “to” value, which is obviously an email address. Double click on the value, and replace this with your own email address.

Once that’s set, click on the Send Password to Sam button.

The password will be emailled to the provided email address, only if it’s the registered email address used to sign up to the website.

Basic 5 solution

This is exactly the same as Basic 4…

Basic 6 solution

This test requires you did some decryption. But fortunately you’ve got a form that allows you to encrypt different inputs.

Encrypt a simple string of characters

Lets start by entering in a load of 0’s, so we can see how each one reacts.

Note that eight 0’s have been input. This is the same amount of characters in the encrypted password.

Analyse the encrypted output

The encrypted string that gets returned has an obvious pattern. Add the characters index position in string, to the character.

Use this to crack the encrypted password

So we need to minus each value from the encrypted password, starting with “1-:”. But, to give “:” and other alphabet characters a value, we need to convert it to ASCII format.

This table from AsciiTable gives each character a value, it really doesn’t matter which value (Dev, Hx…) that you take away from.

Subtract the values from the ASCII values

After subtracting the values from the encrypted string using the “0 string”, we are given the following result (work this out in notepad).

Basic 7 solution

In this test, Sam has put his password in an obscurely named file. He has also installed a calendar script that uses Unix commands.

Test the input form first

If you input 2000, it returns a whole bunch of calendars.

Inject your own code after it

Let’s exploit this by injecting our own commands into this! For this, we’ll need the ls command.

Why this works

The script is probably running something like “cal USERINPUT“.

Now, by injecting this command, we’re making the script run “cal USERINPUT && ls“. This is essentially two commands combined into one, with ls listing all the files in the current directory.

Locate the obscure file

We’ll go for the most obscure file here, and navigate there directly to find the password.

Basic 8 solution

First of all, we know that the password is stored encrypted in the following location:

/var/www/hackthissite.org/html/missions/basic/8/

The input box takes some input, a string, and then creates a file.

Test the input form

Create a file, then view it.

Research SHTML

Notice that the URL links to a .shtml file.

Exploit SSI

That means that we can inject some server-side code! I’m no expert in SSI, so we’ll pull some info from another site.

This is what the commands look like. We can use this to execute commands too!

Try SSI with LS command

So let’s try the following command:

<!--#exec cmd="ls"-->

Escape the current directory

Now we also noticed in the first instance that we created a file, that the files were being stored in a /tmp location.

We need to escape this folder. This can be done using “../“, after the “ls” command.

<!--#exec cmd="ls ../"-->

This “../” will execute the “ls” command in the /basic/8/ folder. The folder above.

Locate obscure file

This gives us the obscure password file that we can then navigate to. Remembering not to use the /tmp folder.

Get the password

Basic 9 solution

This test builds on the exact same principles as Basic 8. So, go back to basic 8 so you have the input form again!

Edit the SSI used in Basic 8

Now you need to edit the previous command slightly. Before we used:

<!--#exec cmd="ls ../"-->

This executed the “ls” command in the “/basic/8/” folder. Now we need to get up into the “/basic/” folder, then down into the “/basic/9/” folder before we execute “ls”!

<!--#exec cmd="ls ../../9/"-->

Locate the hidden file

Get the password

Then we navigate to the file. Remember to change the folder to “/basic/9/“.

Basic 10 solution

After picking through the HTML source for a while, it’ll become obvious that there’s little to go by. So, where are some other places that scripts can determine your authorisation?

Analyze your Cookies with Inspect

To find your cookies, try first submitting a random password, then go back. Inspect element, and go to Application tab.

Change the authorization value

You’ll see a row with name “level10_authorized” and value “no“. Set this value to “maybe” — just kidding, set it to “yes”, then click Submit.

Basic 11 solution

Now this mission is touted as being harder than the others, and rightly so. When you start, you’ll notice that the song’s change whenever you refresh the page.

Figure out the artist

A simple google search will show that these are Elton John songs:

Find the hidden /e directory

So lets search for the directory /e, for Elton John.

Follow the directories, then open the .htaccess file

We’re then lead through the letters until we get to /n. At which point there are no more files. Perhaps because the files are hidden! So lets check the .htaccess file.

Find DaAnswer

Next we browse to /DaAnswer.

Use the password hidden in plain sight

We finally head over to /index.php, and submit our answer “around”.

Until next time,

Josh.

Leave a Reply