HackQuest: JavaScript: I am a JavaScript. Abuse me.

I recently stumbled upon HackQuest, a legal simulation of hacking/cracking, similar to the previously half-covered Hack This Site and Hellbound Hackers. The challenges look nice, although their unnecessary use of Flash to start missions is a bit irritating. On a side note, this is the first semi-hacking site I’ve seen that tells some kind of story. Anyway, I decided to help others who might get stuck.

Name: I am a JavaScript. Abuse me.
Location: Sydney, Australia
Target: Bane Corp
Those guys invented parts of the trusted computing hardware, and are still an integral part of the MicroWorld family. We need to get some data of their servers.

You are met by a form containing nothing but one input field and a submit button. Entering a bogus password gives a pop-up: “Dooh, try again!”. The pop-up is a JavaScript alert, which indicates that the form is validated by JavaScript running in the browser. View the source code to investigate this further. Note that this challenge is contained within an iframe, so make sure that you view the source of that specific frame.

            <form name="LayoutBereich1FORM" action="" method=
            "post">
              <input id="Eingabefeld1" type="TEXT" name=
              "Eingabefeld1" value="" size="30" maxlength="30">
              <input type="BUTTON" name="Schaltfl&auml;chen1"
              value="Enter Password" id="Schaltflaechen1"
              onclick="return PassConfirm()">
            </form>

You should be able to find the form, despite its being written in German. As you can see, submitting the form calls the PassConfirm() JavaScript function, which can also be found in the source. It is written here, with redundant spaces removed for the sake of sanity.

23  function PassConfirm() {
24    var x=document.LayoutBereich1FORM.Eingabefeld1.value
25    if (x=="thisisthepassword") {
26      window.open("ok.php","_self")
27    } else {
28      alert("Dooh, try again!")
29    }
30  }

Line 24 sets x to the value of the password field, and the next line checks whether it is equal to “thisisthepassword”. If it is, “ok.php” is opened in the same window. Thus, the password is “thisisthepassword”. Click the “Rank up!” link in the upper right corner of the layout, and you are done.
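
A review check for the flaw shown above, as an added example that is not part of the original post or of the challenge's code: it scans script source for a form field value compared against a string literal in the browser. The names findClientSideSecretChecks and SAMPLE are hypothetical, SAMPLE is the PassConfirm() function quoted in this post, and only the `variable == "literal"` operand order is handled.

```javascript
// Added example: flag client-side secret checks like the one in PassConfirm().
// SAMPLE is constructed from the function quoted in this post.
const SAMPLE = [
  'function PassConfirm() {',
  '  var x=document.LayoutBereich1FORM.Eingabefeld1.value',
  '  if (x=="thisisthepassword") {',
  '    window.open("ok.php","_self")',
  '  } else {',
  '    alert("Dooh, try again!")',
  '  }',
  '}',
].join('\n');

// Hypothetical helper: returns one finding per comparison of user input
// against a hard-coded string literal.
function findClientSideSecretChecks(source) {
  const lines = source.split('\n');

  // Pass 1: collect variables assigned directly from a form field's .value.
  const assign = /(?:var|let|const)?\s*([A-Za-z_$][\w$]*)\s*=\s*[\w$.\[\]'"()]+\.value\b/;
  const fromInput = new Set();
  for (const line of lines) {
    const m = assign.exec(line);
    if (m) fromInput.add(m[1]);
  }

  // Pass 2: find ==, ===, != or !== between such a variable (or a direct
  // .value read) on the left and a quoted string literal on the right.
  const cmp = /([\w$.\[\]]+?)\s*(===?|!==?)\s*(["'])((?:\\.|(?!\3).)*)\3/g;
  const findings = [];
  lines.forEach((line, i) => {
    for (const m of line.matchAll(cmp)) {
      const operand = m[1];
      if (fromInput.has(operand) || /\.value$/.test(operand)) {
        findings.push({ line: i + 1, variable: operand, literal: m[4] });
      }
    }
  });
  return findings;
}

console.log(findClientSideSecretChecks(SAMPLE));
```

Any finding means the comparison, and the value it compares against, is delivered to every visitor. The check has to move to the server, with the browser only submitting the field.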

2 Comments »

  1. You can bypass the flash animation by clicking the number of the challenge instead of the title.

    Comment by tobbez — July 16, 2007 @ 3:06 pm

  2. Oh, I didn’t know about that. Thanks, tobbez.

    Comment by Tim — July 16, 2007 @ 5:17 pm
