This post will show you how to complete all the basic missions on HackThisSite.org.
I’ve gone through all of the steps, from Basic 1 all the way through to Basic 11. They’re pretty simple tasks, and for many of them there’s a video tutorial included.
Oh, and use the table of content below to quick skip to the one that you’re looking for. It’ll save you scrolling and scrolling!
Please, do try to figure it out before you use the solution. After all, it’s far more reward to figure it out by yourself without seeing the answer. There is no learning in that, just copying!
There are many free resources on the internet that you can use to advanced your learning if you’re unsure about any of the approaches, what produces certain outcomes, and how to implement/spot certain things.
- Hack This Site: Basic 1 Solution
- Hack This Site: Basic 2 solution
- Hack This Site: Basic 3 solution
- Hack This Site: Basic 4 solution
- Hack This Site: Basic 5 solution
- Hack This Site: Basic 6 solution
- Hack This Site: Basic 7 solution
- Hack This Site: Basic 8 solution
- Hack This Site: Basic 9 solution
- Hack This Site: Basic 10 solution
- Hack This Site: Basic 11 solution
Hack This Site: Basic 1 Solution
This test is the proclaimed “idiot test”. It really requires little effort at all. Honestly, you should need to follow a solution to figure this one out. But here it is anyway.
Inspect the page’s HTML code
Right-click anywhere on the page, and go to Inspect. This will bring up the source code of the page. You’ll see all the of the HTML code.
Goto the Element selector (top-left), and click it.
Hover over the page with the element highlighter
Go to the highlight element option. Mentioned in the previous section.
Hover over the form until it’s highlighted. See above.
When you click it, it’ll skip to where the code for this section if specified in the console panel. There, you’ll be able to find the password used to complete the level.
Locate the password in a HTML comment
And then find the HTML comment under the class “sit buffer”. If you’re struggling to find it, use the search function and type “password“.
Copy and paste the password into the input field, and then submit.
Hack This Site: Basic 2 solution
In this test we’re told that Sam has set up a script that loads the password from an encrypted text file.
This is really easy..
Note this part, it’s really significant. So, just click Submit.
It’s really that easy, no need to dig through the HTML source!
Hack This Site: Basic 3 solution
This time, Sam uploads a password file, so it’s not as simple as in the last task. So let’s open up the Inspect element again.
Inspect the form
Now, we know we’ll start by inspecting the form again. By hovering over it with the element highlighter.
Then you’ll notice that the form has a hidden input, with a value of password.php. Let’s navigate there are see if there is any information that can help.
Locate the password
And there we have it, an ill-stored password ready to be copied and pasted into the input box.
Hack This Site: Basic 4 solution
In this mission you find that Sam has put his password in a script once again, but this time it will email him automatically in case he forgets. So, lets inspect the send password button.
Then, in the inspection window, you’ll find there are two inputs in the form.
Change the email to your own
The top input contains a “to” value, which is obviously an email address. Double click on the value, and replace this with your own email address.
Once that’s set, click on the Send Password to Sam button.
The password will be emailled to the provided email address, only if it’s the registered email address used to sign up to the website.
Hack This Site: Basic 5 solution
This is exactly the same as Basic 4…
Hack This Site: Basic 6 solution
This test requires you did some decryption. But fortunately you’ve got a form that allows you to encrypt different inputs.
Encrypt a simple string of characters
Lets start by entering in a load of 0’s, so we can see how each one reacts.
Analyse the encrypted output
The encrypted string that gets returned has an obvious pattern. Add the characters index position in string, to the character.
Use this to crack the encrypted password
So we need to minus each value from the encrypted password, starting with “1-:”. But, to give “:” and other alphabet characters a value, we need to convert it to ASCII format.
Subtract the values from the ASCII values
After subtracting the values from the encrypted string using the “0 string”, we are given the following result (work this out in notepad).
Hack This Site: Basic 7 solution
In this test, Sam has put his password in an obscurely named file. He has also installed a calendar script that uses Unix commands.
Test the input form first
If you input 2000, it returns a whole bunch of calendars.
Inject your own code after it
Let’s exploit this by injecting our own commands into this! For this, we’ll need the ls command.
Why this works
The script is probably running something like “cal USERINPUT“.
Now, by injecting this command, we’re making the script run “cal USERINPUT && ls“. This is essentially two commands combined into one, with ls listing all the files in the current directory.
Locate the obscure file
We’ll go for the most obscure file here, and navigate there directly to find the password.
Hack This Site: Basic 8 solution
First of all, we know that the password is stored encrypted in the following location:
/var/www/hackthissite.org/html/missions/basic/8/
The input box takes some input, a string, and then creates a file.
Test the input form
Create a file, then view it.
Research SHTML
Notice that the URL links to a .shtml file.
Exploit SSI
That means that we can inject some server-side code! I’m no expert in SSI, so we’ll pull some info from another site.
This is what the commands look like. We can use this to execute commands too!
Try SSI with LS command
So let’s try the following command:
<!--#exec cmd="ls"-->
Escape the current directory
Now we also noticed in the first instance that we created a file, that the files were being stored in a /tmp location.
We need to escape this folder. This can be done using “../“, after the “ls” command.
<!--#exec cmd="ls ../"-->
This “../” will execute the “ls” command in the /basic/8/ folder. The folder above.
Locate obscure file
This gives us the obscure password file that we can then navigate to. Remembering not to use the /tmp folder.
Get the password
Hack This Site: Basic 9 solution
This test builds on the exact same principles as Basic 8. So, go back to basic 8 so you have the input form again!
Edit the SSI used in Basic 8
Now you need to edit the previous command slightly. Before we used:
<!--#exec cmd="ls ../"-->
This executed the “ls” command in the “/basic/8/” folder. Now we need to get up into the “/basic/” folder, then down into the “/basic/9/” folder before we execute “ls”!
<!--#exec cmd="ls ../../9/"-->
Get the password
Then we navigate to the file. Remember to change the folder to “/basic/9/“.
Hack This Site: Basic 10 solution
After picking through the HTML source for a while, it’ll become obvious that there’s little to go by. So, where are some other places that scripts can determine your authorisation?
Analyze your Cookies with Inspect
To find your cookies, try first submitting a random password, then go back. Inspect element, and go to Application tab.
You’ll see a row with name “level10_authorized” and value “no“. Set this value to “maybe” — just kidding, set it to “yes”, then click Submit.
Hack This Site: Basic 11 solution
Now this mission is touted as being harder than the others, and rightly so. When you start, you’ll notice that the song’s change whenever you refresh the page.
Figure out the artist
A simple google search will show that these are Elton John songs:
So lets search for the directory /e, for Elton John.
Follow the directories, then open the .htaccess file
We’re then lead through the letters until we get to /n. At which point there are no more files. Perhaps because the files are hidden! So lets check the .htaccess file.
Find DaAnswer
Next we browse to /DaAnswer.
We finally head over to /index.php, and submit our answer “around”.
