HTS Realistic 3: Re-Overwrite the Index
Peace Poetry: HACKED: A little girl made a website to put poetry related to peace and understanding. American fascists have hacked this website replacing it with Hitler-esque propaganda. Can you repair the website?
In Hack This Site, Realistic mission 3, you have to recover a hacked poetry-site. Only basic knowledge is required, although it could be difficult to come up with the ideas.
From: PeacePoetry
Message: I run this website where people can read and submit peace-related poetry. I am doing this out of good will towards others, and I don’t see why I would be making enemies out of this, but some real asshole hacked my website posting a bunch of ignorant aggressive propaganda on the front page. And I made that website a while ago, and I no longer have access to it. Do you think you can hack in and change it back? Please? Oh, and bonus points if you message me the name of the bastard who did this!
My website can be found here.
You should have no problems understanding that the landing page is hacked. The first thing you do is of course to check the source code. This part is a bit tricky and unrealistic: look through the source very carefully. You should notice that it ends in a lot of linebreaks, and an HTML-comment on the very last line. It reads:
<!--Note to the webmaster This website has been hacked, but not totally destroyed. The old website is still up. I simply copied the old index.html file to oldindex.html and remade this one. Sorry about the inconvenience.-->
A nice hacker indeed. Now go to oldindex.html in that directory, and you will see the site. Browse it a bit until you are familiar with how it works.
Now, we have to make some assumptions about the system. From the wording “Poems will be stored online immediately”, we can assume that the poems are saved in separate files. Thus, the filename is probably the title of the poem. The file that we want to overwrite is index.html. Try to submit a poem with that title — unfortunately, it won’t work.
The reason is that the file is stored in another directory. (If it were stored in the current directory, it would get quite messy after a while, and the webmaster is a girl.) This means that we want to save the file in the parent directory, one level up from the one that it would originally be stored in.
How to save it in another directory? Well, you should know about directory traversal from Basic Web 9 — “..” means “up one directory”. Therefore, try to submit a poem called ../index.html.
Sorry, you have the right idea how to beat the level, but the text you entered did not match the contents of the old website. You have to put the old website up, meaning putting up the old index.html
Just copy the source-code of oldindex.html and let that be the text of the poem. Mission accomplished.
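Why the title trick works, and the check that stops it, as an added example (this is not the mission's server code, which the page never shows). The directory name poems, the file name peace.txt and all function names are assumptions made for illustration; the layout is built in a temporary directory.

```python
import os
import tempfile

def unsafe_poem_path(poems_dir, title):
    # Pattern the walkthrough infers: the title is used directly as the
    # filename, so a "../" segment climbs out of the poems directory.
    return os.path.normpath(os.path.join(poems_dir, title))

def safe_poem_path(poems_dir, title):
    # Resolve the final path and require it to stay strictly inside poems_dir.
    base = os.path.realpath(poems_dir)
    candidate = os.path.realpath(os.path.join(base, title))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise ValueError("title escapes the poems directory: %r" % title)
    return candidate

def save_poem(poems_dir, title, text, resolver):
    path = resolver(poems_dir, title)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)
    return path

def demo():
    # Constructed layout: <root>/index.html plus <root>/poems/ for submissions.
    root = os.path.realpath(tempfile.mkdtemp())
    poems = os.path.join(root, "poems")
    os.mkdir(poems)
    index = os.path.join(root, "index.html")
    with open(index, "w", encoding="utf-8") as fh:
        fh.write("front page")

    out = {}
    out["unsafe_target_is_index"] = (
        save_poem(poems, "../index.html", "poem text", unsafe_poem_path) == index)
    with open(index, encoding="utf-8") as fh:
        out["index_after_unsafe"] = fh.read()      # front page was replaced
    try:
        save_poem(poems, "../index.html", "second try", safe_poem_path)
        out["safe_rejected"] = False
    except ValueError:
        out["safe_rejected"] = True
    with open(index, encoding="utf-8") as fh:
        out["index_after_safe"] = fh.read()        # unchanged by rejected write
    out["normal_title_ok"] = (
        save_poem(poems, "peace.txt", "poem text", safe_poem_path)
        == os.path.join(poems, "peace.txt"))
    return out

if __name__ == "__main__":
    print(demo())
```

The hardened resolver compares resolved paths rather than searching the title for "..", so absolute titles and symlinked directories are rejected by the same check.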

[...] Original post by Tim and software by Elliott Back [...]
Pingback by Active Directory Tool » HTS Realistic 3: Re-Overwrite the Index — March 4, 2007 @ 10:36 pm
Hello
I was wondering why that worked.
I understand what to do, but not how it works, what I need to know.
Thank you for obliging to my request if you do and Goodbye
Comment by Ben — March 19, 2007 @ 9:14 pm
Ben, the file is normally saved in a directory after the main directory, with the title as the filename. However, with our title beginning in “../”, it makes it go up one directory. “..” always means going up one directory. The whole title, “../index.html”, saves the poem as “index.html” in the directory above. index.html is the page that was “hacked”. Thus, the hacked page is overwritten.
Comment by Tim — March 20, 2007 @ 2:43 pm
um where does it say
in the script.
plz help me out I'm a noob
Comment by lach — May 9, 2007 @ 8:10 pm
it says that your poem was added then what do I do
Comment by lach — May 9, 2007 @ 8:13 pm
lach: What did you call the poem, and what text did you put in it?
Comment by Tim — May 9, 2007 @ 10:58 pm
I put the ../index.html as the title of the poem, and I put http://www.hackthissite.org/missions/realistic/3/oldindex.html as the text of the poem, but the same error keeps coming up…
Comment by Shadow — May 19, 2007 @ 5:40 pm
Shadow, you go to http://www.hackthissite.org/missions/realistic/3/oldindex.html
2) right click, view source
3) select all, copy
4) go to add a poem, ../index.html as the title of the poem
5) paste the source on the text part
6) done :D
Comment by Anonymous — May 27, 2007 @ 2:38 am
shadow, use the source of the oldindex.html as the text of the poem
Comment by h4ph4z4rd — May 27, 2007 @ 2:39 am
Could you put tutorial how to pass realistic 4 ?
Comment by Matija — June 3, 2007 @ 8:56 am
Matija, sure. As soon as I find the time.
Comment by Tim — June 3, 2007 @ 5:01 pm
OK :D. I passed that level, but the wrong way. Somebody told me the emails, but I must know how to pass it.
Comment by Matija — June 5, 2007 @ 11:45 am
Yea, I was just wondering, how do you get the bonus points for this mission? I have no clue even where to start…
Comment by Pyro — June 12, 2007 @ 6:43 am
Need a tutorial on realistic 4, I’m sick of explaining it constantly to everyone. It deals with SQL Injection.
Comment by Danny — June 15, 2007 @ 11:16 pm
can somebody help me with realistic mission 8.
Comment by poki — June 20, 2007 @ 1:00 pm
I can't figure it out. I put in the ../index.html as the title and as the poem I put in oldindex.html and it still says the same thing as if I left the poem blank. Can someone help me?
Comment by Help! yes I need help with everythign — July 1, 2007 @ 6:58 am
Remember to put the source code of oldindex.html, not just the text “oldindex.html”.
Comment by Tim — July 7, 2007 @ 3:47 pm
“>test
Comment by ">test — July 8, 2007 @ 4:45 pm
The guide for Realistic 4 is now up!
Comment by Tim — July 17, 2007 @ 10:12 pm
Hey there,
I did what you said, I put ..index.html as the title of the poem, and the source code of oldindex.html as the poem text, but it just says
“Your poem was successfully added. Thank you for your contributions”
What am I doing wrong?
Thanks,
-Anonymous
Comment by Anon — November 18, 2007 @ 6:23 pm
Anonymous, think about the URL. Slashes separate the different levels in the directory, right? You need a slash between your .. and your index.html, like this:
../index.html
Comment by me — December 17, 2007 @ 9:15 pm
hello,
thanks for your time, it’s very well done, do you have some idea to get the bonus points on this mission??
Comment by steev — January 4, 2008 @ 3:06 pm
Does this mean that if someone has a website and uses this concept, it could be hacked when someone uses
../oldindex.html (or whatever directory it is in) and then scripts their own page in the content box?
Would this be how the hacker changed her page in the first place?
Comment by redfishbluefish1 — January 9, 2008 @ 5:41 am
j
Comment by Anonymous — March 9, 2008 @ 4:42 pm
omg thank you
Comment by hi — August 15, 2008 @ 4:28 am