These are the walkthroughs and guides for HackThisSite.org. I've tried to avoid spoilers as much as I could, but by no means read this before you've tried for yourself.
The fifth basic web mission is very different from the prior missions (except, in one way, the second mission) in that it requires extensive use of logic. Actually, this mission doesn’t have anything to do with hacking, but it teaches a very valuable lesson, which we will come to later.
By looking at the source code, we can only see the two forms. Nothing interesting. The next step is to try out the password encryption form. Type anything, and you can see that it does work. It shows you the encrypted string. Logically, the task is simply to construct a string that is encrypted to the code you were given. I got dg7847>l. First, try with something simple:
a -> a
a gives a. Seems simple, doesn’t it?
aaaaaaaa -> abcdefgh
bbbbbbbb -> bcdefghi
This is interesting. The same character is converted to different characters depending on its position in the string. If we think about it, though, it isn’t complex at all: in place 0 (the first), the letter is moved 0 steps in the alphabet. In place 1, it is moved 1 step, and so on. The password, though, contained a character outside a-z: >. How can we get it? Let’s check what happens when the alphabet runs out:
wwwwwwww -> wxyz{|}~
That gives it all away: everyone should know about the ASCII table. After x, y, z comes — that’s right — {, |, } and ~. Now, we only have to find the correct characters. Every character should be counted backwards a number of steps equal to its position in the encrypted string. Start with the first character. dg7847>l:
d -> d
f -> g
5 -> 7
5 -> 8
0 -> 4
2 -> 7
8 -> >
e -> l
The decrypted string is therefore df55028e. Check it first to see whether it has to be adjusted, and then use it to continue to the next mission. As I said before, this mission teaches a very valuable lesson: never, ever use a simple encryption algorithm. The best would be to use an irreversible algorithm, such as MD5 or SHA-1. It is even better if you manage to hide the algorithm, although security through obscurity should never be recommended. Of course, the best is to never let the encrypted password leak out.
This is the fifth basic web mission, and Network Security Sam apparently “secured” his email script. After a quick look at the source code, we see that the code visible to us is exactly the same as in the last mission. However, if we try the same hack as in the fourth mission, writing a form of our own, we can see that Sam’s new script checks the referer, i.e. the page that you came from. If it is not equal to the page that you are supposed to come from, you get an error.
This leaves an interesting option. Remember that hidden field that we changed?
We can still change the value of to, but it will require a more sophisticated method: JavaScript injection. Did you know that you can execute arbitrary JavaScript code on any page? Since JavaScript is always executed client-side, this does not often create vulnerabilities. It can, however, throw arrogant network administrators such as Sam off. To execute JavaScript code on a page, type this in the location bar (the input field where the URL shows):
javascript:code
Replace code with any JavaScript code. In this mission, we want to alter the value of an element’s attribute. This is where the HTML DOM comes in handy. By using the document object in JavaScript, we can access every single element in the document.
A form is accessed by document.forms[n], where n is the number of the form. If you count the forms in the source code, you can see that the form we want is the second. Number one, that is — remember that you always start counting from zero. We want to access the to element’s attribute value, so we’ll simply write document.forms[0].to.value. Let’s check if it works by putting the value in an alert box. Type:
javascript:alert(document.forms[0].to.value)
An alert box with the text “webmaster@hulla-balloo.com” (the value of to) should pop up. If not, check that you haven’t disabled JavaScript. Instead of merely reading the value of to, let’s alter it:
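The same document.forms API, used from the page owner's side as an added example (not code from the walkthrough): a small audit helper that lists every hidden field on a page and flags values a server should never accept back from the client, such as an email address, a file name or a number. It takes the document as a parameter so it runs unchanged in a browser console as auditHiddenFields(document); the stand-in document below is constructed to mirror the two forms of the mission page, and the function and field names are my own.

```javascript
// Added example: audit hidden fields via the document.forms API. The
// fakeDocument below is a constructed stand-in for the mission page.

// Heuristics for values that carry server-side decisions and so must not be
// trusted when they come back from the browser.
const SUSPICIOUS = [
  { name: "email address", test: (v) => /^[^@\s]+@[^@\s]+\.[^@\s]+$/.test(v) },
  { name: "file name",     test: (v) => /\.(txt|php|ini|conf|sql)$/i.test(v) },
  { name: "number",        test: (v) => /^\d+(\.\d+)?$/.test(v) },
];

// Walk document.forms[n].elements exactly as the walkthrough does, but report
// every hidden input instead of changing one.
function auditHiddenFields(doc) {
  const findings = [];
  Array.from(doc.forms).forEach((form, formIndex) => {
    Array.from(form.elements).forEach((el) => {
      if (el.type !== "hidden") return;
      const reasons = SUSPICIOUS.filter((s) => s.test(el.value)).map((s) => s.name);
      findings.push({ form: formIndex, name: el.name, value: el.value, reasons });
    });
  });
  return findings;
}

// Constructed stand-in for the mission page: form 0 carries the hidden "to"
// field, form 1 is the password form. Shapes follow HTMLFormElement.elements.
const fakeDocument = {
  forms: [
    { elements: [
      { type: "hidden", name: "to", value: "webmaster@hulla-balloo.com" },
      { type: "submit", name: "", value: "Send password to Sam" },
    ] },
    { elements: [
      { type: "password", name: "password", value: "" },
      { type: "submit", name: "", value: "submit" },
    ] },
  ],
};

function auditDemo() {
  return auditHiddenFields(fakeDocument);
}

console.log(auditDemo()); // one finding: form 0, field "to", flagged as an email address
```

A finding does not mean the field is exploitable, only that the server receives a value the client was free to rewrite; the question to ask for each one is whether the server actually relies on it.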
In the fourth basic web mission, Network Security Sam apparently hasn’t learnt anything from his prior mistake. In the third basic web mission, we extracted information from hidden form fields and thereby found out the name of a password file. The procedure is essentially the same in this mission. As usual, check the source code first. These snippets have been formatted for easier reading:
As you can see, this level contains two forms. The upper one is the “Send password to Sam” button, and the lower one is the password field. You should already have noticed the highly suspicious hidden field in the upper form. Its purpose is obvious: it supplies the email address that the password will be emailed to. From merely knowing this address, you cannot achieve anything (except if you managed to hack the hulla-balloo.com server). Therefore, you should alter the field to contain your email address instead of Sam’s.
In order to enter your own information in the hidden field to, you can create a local copy of the form. In your modified version, you can either change webmaster@hulla-balloo.com to your own email address, or change type="hidden" to type="text". The former changes the email address automatically, while the latter lets you enter another address.
If you are pedantic and want your local version to validate, use the following code.
Ok, so in the third basic web mission, our old friend Network Security Sam remembered to upload the password file. As usual, though, he forgot something essential. Let’s look at the source:
Ooh, he’s got a hidden field in there. Those are always exciting, mainly because of a common misconception. Many uneducated (or learning) webmasters seem to believe that hidden fields are impossible to find. This is certainly not the case. They are just that — hidden. Anyone could find them (and possibly change them), if they just took some time. A form’s hidden fields are revealed in the source code. Here is a field that Naive Network Security Sam hoped to remain hidden:
Anyone can figure out what this field is for. Yep, that’s right: the password file. Now we’ll just check the content of the password file, and after that, we’ll have the password. Thus, you must only go to www.hackthissite.org/missions/basic/3/password.txt and copy the content. Just enter that password, and you shall be granted access to the fourth mission.
Now you might ask, how could Sam prevent this? There are three simple ways:
Hide the content of password.php. Password.php could assign the password to a variable, and then be require()ed from the main password-checking script.
Hard-code the filename. This way, the user cannot intervene.
Hard-code the password. This is, though less manageable, perhaps even better, since there otherwise could be problems if the password file could not be read for some reason.
This is the second mission in the Basic Web category. It is a significant step up from the first mission, where only the knowledge of a very basic technique was required. Here, you need to think logically. Let’s approach the problem in the same way as in the previous mission — check the source code. In the relevant code area, which you can find by searching for a string present in the mission paragraph (for instance “Sam”) with Ctrl+F, you find only this:
What we see here is a simple HTML form, containing a password field and a submit button. Nothing interesting, that is. The only way we can continue here is by trying out the form and following wherever it leads: Just input some random password, e.g. “test”. You will, probably to your surprise, not be faced by a page saying “incorrect password”, but a page saying:
“Warning: fopen(password.php) [function.fopen]: failed to open stream: No such file or directory in /var/www/hackthissite.org/html/missions/basic/3/index.php on line 35”
First off, this is apparently an unintentional (from Network Security Sam’s point of view) error. Error messages are probably by far the most common security leak, and are often likely to expose vulnerabilities. This error message reveals first that the file is a PHP file (although this could be faked, it is not very likely), and second, more importantly, that there was a file which could not be opened. The mission designers left us a not-so-subtle hint (“However, he neglected to upload the password file”) which tells us what file was not uploaded: the password file.
Now for the logical thinking: assuming that the password file existed, what would happen? Probably, the password that you entered would be matched with the one in the password file, and if they matched, you would be granted access to the next page. Now if there is no password file, what would the user input be matched with? Yep, you guessed it — nothing. Try just clicking the submit button without touching the password field. Mission complete.
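The reasoning above, as an added example that is not the site's code: a password check in the vulnerable shape the second and third missions describe (file name taken from a hidden field, a missing file turning into an empty string, the raw warning shown to the user) beside a hardened one that fails closed. The file system is a constructed in-memory map and readFile() stands in for PHP's fopen(); the function names and sample content are my own.

```javascript
// Added example: the password check of the second and third missions in a
// vulnerable and a hardened form. The file map is constructed; nothing touches disk.
const files = { "password.txt": "sample-password\n" }; // constructed sample content

// Stand-in for fopen()/file_get_contents(): throws like PHP's warning text.
function readFile(name) {
  if (!(name in files)) {
    throw new Error(`fopen(${name}): failed to open stream: No such file or directory`);
  }
  return files[name];
}

// Vulnerable: the file name comes from the hidden field, a missing file
// silently becomes an empty string, and "" === "" is true, so submitting an
// empty password succeeds. The raw warning is also handed to the user.
function checkPasswordVulnerable(fileNameFromForm, input) {
  let stored = "";
  let warning = null;
  try {
    stored = readFile(fileNameFromForm).trim();
  } catch (e) {
    warning = `Warning: ${e.message}`; // leaked verbatim, as in the mission
  }
  return { ok: stored === input, message: warning };
}

// Hardened: the file name is server configuration, not request data; an
// unreadable file fails closed; the detail goes to the server log while the
// user sees only a generic message; an empty password is rejected outright.
function checkPasswordHardened(input, { fileName = "password.txt", log = () => {} } = {}) {
  let stored;
  try {
    stored = readFile(fileName).trim();
  } catch (e) {
    log(`password file unreadable: ${e.message}`);
    return { ok: false, message: "Login is temporarily unavailable." };
  }
  if (typeof input !== "string" || input.length === 0) {
    return { ok: false, message: "Incorrect password." };
  }
  const ok = stored === input;
  return { ok, message: ok ? null : "Incorrect password." };
}

console.log(checkPasswordVulnerable("password.php", "")); // ok: true, with the fopen warning
console.log(checkPasswordHardened("", { fileName: "password.php", log: console.error })); // ok: false, generic message
```

The two defects compound each other: the leaked warning tells the user that the comparison target is missing, and the fail-open comparison then makes that knowledge useful. The hardened version removes both, and still compares against a plain stored value only to keep the example short; a real deployment would store a salted hash and compare by recomputation.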
The first mission in the Basic Web category, also known as the idiot test, is certainly not a very realistic mission. It isn’t supposed to be, either — it is supposed to teach you the basics needed to solve these missions. In these situations, you should always begin by looking at the source code. If you are using Firefox (which I definitely recommend), right-click and choose View source. In this level, the solution is actually written there: