I’ll be going through the HackThisSite basic missions in this walk-through/experience. I’ll be completing all missions through the Firefox web browser.
1. The first basic mission is beyond easy. Simply inspect the page (right-click, Inspect Element) and in the HTML near the password form there is a comment containing the password.
2. This one may be even easier. Since “Network Security Sam” forgot to upload the password file there is nothing for your input to be compared against, and an empty password matches the missing file. Leave the field blank, click submit and you’re through.
3. Now there is an actual password; however, in the HTML near the password form there is a hidden field naming the file the form checks against, “password.php”, and that file holds the password in plain text. Request “password.php” in place of the page you are on (add “/password.php” to the directory URL) and the password is shown.
4. Here Sam has a script that will email him the password if he forgets it. Luckily for us the recipient address is a hidden field in the form, so we edit the HTML for the “Send password to Sam” button and change the address to our own email instead.
5. Can be solved the same way as level 4: edit the hidden email field in the form and submit.
6. Simple encryption. First let’s see what we get when we put “abcdefg” into the encrypter… we get “acegikm”, so ‘a’ = ‘a’, ‘b’ = ‘c’, ‘c’ = ‘e’ and you can hopefully see the pattern. The first character is unchanged, the second is moved one place up the ASCII table, the third two places, and so on: each character is shifted by its position in the string. Therefore we reverse the shift (decrypt) on the recovered password: ‘a’=‘a’, ’d’=’c’, ’9’=’7’, ’;’=’8’, ’:’=’6’, ’7’=’2’, ’g’=’a’, ’l’=’e’,
therefore we get “ac7862ae”.
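Since the whole “key” is just the character position, one known-plaintext query against the encrypter gives the shift for every position. The following is an added example (my own code, not HackThisSite’s or the post’s): the shift cipher in both directions plus the known-plaintext recovery of the per-position shifts. The function names are mine, and the ciphertext “ad9;:7gl” is reconstructed from the post’s character-by-character mapping.

```python
# Added example (not from the HackThisSite mission or the original post):
# mission 6 adds each character's zero-based position to its ASCII code,
# so decryption subtracts it again.  Function names are my own.

def hts6_encrypt(plaintext: str) -> str:
    """Shift each character forward by its zero-based index."""
    return "".join(chr(ord(ch) + i) for i, ch in enumerate(plaintext))


def hts6_decrypt(ciphertext: str) -> str:
    """Undo hts6_encrypt by shifting each character back by its index."""
    return "".join(chr(ord(ch) - i) for i, ch in enumerate(ciphertext))


def recover_shifts(known_plain: str, known_cipher: str) -> list:
    """Known-plaintext attack: the shift at each position is the difference
    between ciphertext and plaintext code points.  For this scheme it comes
    out as 0, 1, 2, ..., which exposes the whole 'key' in one query."""
    return [ord(c) - ord(p) for p, c in zip(known_plain, known_cipher)]


if __name__ == "__main__":
    # Probe the oracle with a known plaintext to confirm the pattern.
    print(hts6_encrypt("abcdefg"))                      # acegikm
    print(recover_shifts("abcdefg", "acegikm"))         # [0, 1, 2, 3, 4, 5, 6]
    # Ciphertext reconstructed from the post's mapping: a d 9 ; : 7 g l
    print(hts6_decrypt("ad9;:7gl"))                     # ac7862ae
    assert hts6_decrypt(hts6_encrypt("round trip 123")) == "round trip 123"
```

Note that the shift grows without bound, so long plaintexts quickly leave the printable ASCII range; that is why the recovered ciphertext contains characters like ‘;’ and ‘:’.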
7. In this scenario we know there is a file saved in this very directory, that the script is run as a UNIX command, and that it is written in Perl, so let’s see if we can run some commands through this form. After the year we insert “;ls” to see if the “;” ends the intended command and “ls” then lists the files in the directory. You probably shouldn’t be surprised that this worked: we can see the obscurely named file, which we open by putting its name in the URL in place of “/cal.pl”, revealing the password.
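The bug in mission 7 is that user input is concatenated into a shell command line, so shell metacharacters such as “;” change what runs. The following is an added example (my own code, not the mission’s Perl script) that models the same bug in Python beside a hardened version. “echo” stands in for “cal” so it runs anywhere with /bin/sh, and the function names are mine.

```python
# Added example (not HackThisSite code): a script that passes a user-supplied
# year to a shell command, first the mission 7 way, then hardened.  `echo`
# stands in for `cal`; function names are my own.
import re
import subprocess


def vulnerable_calendar(year: str) -> str:
    """Builds one shell string, so ';' in the input ends the intended
    command and whatever follows is executed as a second command."""
    result = subprocess.run("echo " + year, shell=True,
                            capture_output=True, text=True)
    return result.stdout


def is_valid_year(year: str) -> bool:
    """Allow-list: one to four digits and nothing else."""
    return re.fullmatch(r"\d{1,4}", year) is not None


def hardened_calendar(year: str) -> str:
    """Validate first, then pass the value as its own argv element with no
    shell involved, so metacharacters can never be interpreted."""
    if not is_valid_year(year):
        raise ValueError("year must be 1-4 digits")
    result = subprocess.run(["echo", year], capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    payload = "2018;echo INJECTED"        # the ';ls' trick, made visible
    print(vulnerable_calendar(payload))   # 2018, then INJECTED on its own line
    try:
        hardened_calendar(payload)
    except ValueError as err:
        print("rejected:", err)
    print(hardened_calendar("2018"))      # 2018
```

Either half of the fix would have blocked “;ls” on its own, but both together are the norm: the allow-list rejects anything that is not a year, and the argv form means that even a value that slipped through would reach the program as a single argument rather than as shell syntax.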
8. Server Side Includes (SSI) injection is used here to exploit the vulnerability created by Sam’s daughter. What are SSIs? They are directives used to feed an HTML page with dynamic content, and they can also execute actions before the page is served or while it is being rendered, because the web server evaluates the SSI directives before sending the page to the user. The attack works by injecting directives into the HTML page through a user input field. A quick way to determine whether the application is vulnerable, or whether it validates input, is to insert characters used in SSI directives, such as: < # = / . " - > and [a-zA-Z0-9].
Now that we know what we will be doing, we put the SSI directive into the “Enter your name” form and the server will evaluate it and display our desired result. We know this server is running Linux, therefore we use Linux commands.
We notice that when we submit the form it brings us to basic/8/tmp/… and we want the list of files in basic/8/, so we must list the directory one level up. We go up one level with “..” and list files with “ls”. We then see the password file, add its location to the URL, and the password is revealed in plain text.
<!--#exec cmd="ls .." -->
9. This level is solvable with the same SSI injection we used in level 8. But there is no form? We can use the form from level 8! So we go up a directory like we did in level 8, but then list the files in the “9” directory. To do this we write:
<!--#exec cmd="ls ../../9" -->
After we get the PHP file name we add it to the URL as usual and find the password. (Be sure to change the URL to directory ‘9’ and not ‘8’!)
10. Entering the cookie-reading command in the URL bar gives us a popup of the cookie details:
level10_authorized=no; _pk_ref.1.1039=%5B%22%22%2C%22%22%2C1524863824%2C%22https%3A%2F%2Fwww.google.com%2F%22%5D; PHPSESSID=ia3hocfpti05gdh8qdtr9rgip7; _pk_id.1.1039=9f9c981d4c0b1752.1524863824.1.1524864945.1524863824.; _pk_ses.1.1039=*
The cookie we care about is level10_authorized=no. Change its value to yes and that should do the trick. Now hit the back button and again enter whatever you’d like into the password field. You should now be granted authorization.
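The mission 10 check fails because the server believes an authorization flag that the browser, and therefore the user, fully controls. The following is an added example (my own code, not HackThisSite’s) of that check beside one that only accepts a value it signed itself, so editing the cookie to yes no longer works. The secret, function names and cookie header are my own; only the cookie name level10_authorized comes from the post.

```python
# Added example (not HackThisSite code): a server-side check that trusts a
# client cookie, beside one that only trusts values it signed.  The secret
# and names are my own.
import hashlib
import hmac
from http.cookies import SimpleCookie

SERVER_SECRET = b"example-secret-not-for-production"  # assumption for the demo


def _cookie_value(cookie_header: str, name: str):
    """Parse a Cookie request header and return one cookie's value or None."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    return jar[name].value if name in jar else None


def authorized_vulnerable(cookie_header: str) -> bool:
    """Mission 10: whatever the browser says in level10_authorized is believed,
    so the user only has to change 'no' to 'yes'."""
    return _cookie_value(cookie_header, "level10_authorized") == "yes"


def sign(value: str) -> str:
    """Append an HMAC tag so the server can recognise cookies it issued."""
    tag = hmac.new(SERVER_SECRET, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"


def authorized_hardened(cookie_header: str) -> bool:
    """Accept 'yes' only when the tag verifies; without the secret the client
    cannot produce a valid tag for a value the server never issued."""
    raw = _cookie_value(cookie_header, "level10_authorized")
    if raw is None:
        return False
    value, _, tag = raw.rpartition(".")
    expected = hmac.new(SERVER_SECRET, value.encode(), hashlib.sha256).hexdigest()
    return value == "yes" and hmac.compare_digest(tag, expected)


if __name__ == "__main__":
    # Constructed headers in the shape of the cookie shown in the post.
    original = "level10_authorized=no; PHPSESSID=ia3hocfpti05gdh8qdtr9rgip7"
    tampered = "level10_authorized=yes; PHPSESSID=ia3hocfpti05gdh8qdtr9rgip7"
    print(authorized_vulnerable(original), authorized_vulnerable(tampered))  # False True
    print(authorized_hardened(tampered))                                    # False
    print(authorized_hardened("level10_authorized=" + sign("yes")))         # True
```

Signing stops tampering with the flag but not replaying a signed yes cookie stolen from someone else; the usual design keeps the authorization state on the server, keyed by the session ID, and issues nothing to the client but an unguessable identifier.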
11. Mission 11. Alright, I don’t think anyone born in the past two decades will know off the bat that refreshing the page displays a new Elton John song title each time. So there’s the big hint: a new Elton John song name on each refresh. We can also see that directory listing is active simply by observing the URL. Now, what I don’t understand is who the heck would come up with the idea of testing for directories named ‘a’ to ‘z’, but apparently someone did. Doing so you find that the directory /e/ exists, and under it the sub-directories ‘l’, ‘t’, ‘o’ and ‘n’ (the path spells out “elton”). The last directory is a dead end. Luckily for us some bozo left “.htaccess” readable, a file the web server should never serve, and this leaves the site very vulnerable. Add “.htaccess” to the URL and you will see it reference the directory “DaAnswer”; let’s go there. Just to torture you I won’t tell you the answer, but I promise it is clear as day when you go to this directory. Now once you think you have the answer, where the heck do you put it? After messing around a bit you can discover good old index.php. Head over there and you will see an input form.
That’s all for the basic missions. These were interesting as a test of your ability to think like a hacker. Although the actual “hacking” was sort of sub-par, the experience gives a solid understanding of the problems that can arise from bad configuration.