
HackThisSite


Introduction

HackThisSite is a free training site for hackers, as well as for people trying to learn HTML, and more. It pits you against several missions, or challenges, which you have to solve. Here is a link to my profile on HTS. First of all, create a user account on the site to continue. I will gradually add tutorials for the missions I have already completed. Please use Mozilla Firefox for the missions; even Chrome has problems with some of them. Let us start with the Basic Missions.

Basic Missions

Basic Missions are the place to start. There are 10 different levels available, and to get through them you will have to learn quite a lot (and take my word for it, it is a really wonderful experience).

Basic Mission 1

This is what you see when you log in and click on Basic Mission 1:

Basic Mission 1

Level 1(the idiot test)

This level is what we call "The Idiot Test", if you can't complete it, don't give up on learning all you can, but, don't go begging to someone else for the answer, that's one way to get you hated/made fun of. Enter the password and you can continue.
 

The mission comes with a note warning that if you have no idea what this is, you must learn HTML. I too would advise you to learn it. You may solve some missions without it, but sooner or later you will need to learn HTML. So we see a blank box asking for a password, and we don't know the password yet. What would you do? Let us check the source of the web page (available under View > Source in IE, and Ctrl+U in Firefox/Chrome). It gives us a listing that looks absurd at first. What should we do? Let us search for the word "password" (use Ctrl+F). Do you see something? Now that you have it, enter the password to earn your first points.


Basic Mission 2

Basic Mission 2 takes it a little higher than just viewing the code. 

Basic Mission 2

Network Security Sam set up a password protection script.
 He made it load the real password from an unencrypted text file
 and compare it to the password the user enters. 
However, he neglected to upload the password file...


Basic Mission 3


Basic Mission 3

This time Network Security Sam remembered 
to upload the password file, but there
 were deeper problems than that.

All right, so this time he has uploaded the text file too, and the computer will check against the list of passwords in that file. So let us take a look at the source code now. Highlight below to see what is of use to us, or search for it in the source yourself.

Code

<form action="/missions/basic/3/index.php" method="post"> 
<input type="hidden" name="file" value="password.php"> 
<input type="password" name="password"><br /><br /> 
<input type="submit" value="submit"></form>

So there is a hidden field involved. Now, what exactly is a hidden field? A hidden field in a form is just that: hidden. It is not displayed to the viewer but is visible in the source. We see that the field has a value of "password.php". We were told earlier that he has "remembered to upload the password file", so maybe this is the password file. Try opening password.php by appending password.php to the URL in the address bar. Voilà, we see a password. Hit back, and you are ready to roll on to the next mission.
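Seen from the site owner's side, the same source review can be automated. The following is an added example, not code from HackThisSite or from this tutorial: it lists the hidden inputs in a page and labels what their values expose. The second form in the sample, the label names and the file-extension list are constructed assumptions.

```javascript
// Added example: list hidden form inputs and classify what their values expose.
// SAMPLE_HTML is the Mission 3 form from this page plus one constructed form.
const SAMPLE_HTML = `
<form action="/missions/basic/3/index.php" method="post">
<input type="hidden" name="file" value="password.php">
<input type="password" name="password"><br /><br />
<input type="submit" value="submit"></form>
<form action="/constructed/comment.php" method="post">
<input type='hidden' name='csrf' value='9f2c1e77ab'>
<input type=hidden name=notify value=ops@example.org>
<input type="text" name="comment"></form>`;

// Parse attributes of a single tag; handles double, single and unquoted values.
function parseAttrs(tag) {
  const attrs = {};
  const re = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  for (const m of tag.matchAll(re)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// Heuristic labels (assumptions of this example, not a standard taxonomy).
function classify(value) {
  if (/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(value)) return "email-recipient";
  if (/[\\/]/.test(value) || /\.(php|txt|inc|cfg|ini|log|bak)$/i.test(value)) {
    return "file-reference";
  }
  return "opaque";
}

// Walk form/input tags in order, remembering which form each input belongs to.
function auditHiddenFields(html) {
  const findings = [];
  let action = null;
  for (const m of html.matchAll(/<(\/?)(form|input)\b[^>]*>/gi)) {
    if (m[2].toLowerCase() === "form") {
      action = m[1] ? null : (parseAttrs(m[0]).action ?? null);
      continue;
    }
    const attrs = parseAttrs(m[0]);
    if ((attrs.type ?? "").toLowerCase() !== "hidden") continue;
    findings.push({ action, name: attrs.name, kind: classify(attrs.value ?? "") });
  }
  return findings;
}

console.log(auditHiddenFields(SAMPLE_HTML));
```

A "file-reference" or "email-recipient" finding marks a value the server should hold itself instead of reading back from the browser.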

Basic Mission 4

Basic Mission 4

This time Sam hardcoded the password into the script. However, the password is 
long and complex, and Sam is often forgetful. So he wrote a script that would
 email his password to him automatically in case he forgot. Here is the script:


So Sam, the admin, has left a loophole somehow. He has written the password into the script, but he has also made another script that mails him the password in case he forgets it. And we get a link to that script. Try clicking on the "Send password to Sam" button. We get a message telling us "Password reminder successfully sent." Take a look at the address bar: the name of the script appears to be "level4.php". Let us view the source and search for "level4.php":

Code

<form action="/missions/basic/4/level4.php" method="post"> 
<input type="hidden" name="to" value="webmaster@hulla-balloo.com"><input type="submit" value="Send password to Sam">
</form></center><br /><br />
<center><b>Password:</b><br />

So Sam has not learned anything about hidden fields from the previous mission. He has gone a step further and used another hidden field, which stores his email address. The name of this field is "to". Now let us run the script once again, but with the "to" field changed. How do we do that? Simple: save the page on your PC and edit it. Use File -> Save As in IE or Mozilla, and then edit the saved page in Notepad. Search for the address we noted earlier: webmaster@hulla-balloo.com. Change it to anything you like. Then open the edited page in a window of the browser that is logged in to your HTS account, and click on Send password to Sam. You will get a password; enter it and we are done.


Basic Mission 5

So we have reached level 5. So far we have learned a lot of HTML, and Sam continues as our administrator. The mission says:

Basic Mission 5

Sam has gotten wise to all the people who wrote their 
own forms to get the password. Rather than actually learn the
 password, he decided to make his email program
 a little more secure.

So Sam did not write his own program. Let us test it. When we click on the button, we see that the password reminder was successfully sent. Where did it go? Let us check the source code again.

Code

<form action="/missions/basic/5/level5.php" method="post">
<input type="hidden" name="to" value="webmaster@hulla-balloo.com">
<input type="submit" value="Send password to Sam"></form></center><br /><br /><center><b>Password:</b>
<br /> <form action="/missions/basic/5/index.php" method="post">
<input type="password" name="password"><br /><br /> 
<input type="submit" value="submit"></form>

So we see two forms: the first one sends an email to the old address, and the second checks the password we enter. The "to" field is yet again hidden, but we know that the password reminder script is level5.php. Let us try to change the "to" field. How? As we did previously, by saving the page and editing it. We try the old way and get an error:

Referrer Error: Please Check Referer (Note: This is not a bug)

Here we get a referer error, which means that the script checks which page the request comes from. So this is not the way. Let us think about how we can manipulate the "to" field. Let us use JavaScript injection. What is that? Just wait, enter the following in your browser's address bar, and hit Enter:

javascript:alert(document.forms[0].to.value)

Any JavaScript code can be run that way: javascript:code. What we are doing here is reading the value of the "to" field in the first form, and the alert function pops it up in a dialog box. The result is webmaster@hulla-balloo.com. Now let us change the value of the "to" field.

javascript:alert( document.forms[0].to.value = "abhay@gmail.com" )

What we now see is a password. Go ahead and use it in the form, and click on submit. Voilà. Done with No. 5.
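Missions 4 and 5 fail for the same reason: the recipient and the Referer header both arrive from the browser. The following is an added example, not HackThisSite's code, that models the reminder handler as the missions describe it next to a version that keeps the recipient on the server. The SITE_ORIGIN placeholder, the request object shape and the function names are assumptions made for illustration.

```javascript
// Added example: the reminder handler of Missions 4/5, weak and hardened.
const ADMIN_EMAIL = "webmaster@hulla-balloo.com"; // value shown in the page's form
const SITE_ORIGIN = "https://site.example";       // assumed placeholder origin

// Weak design: the recipient comes from the hidden "to" field. Mission 5 adds
// only a Referer check, and that header is supplied by the client as well.
function weakReminder(req, outbox) {
  const referer = req.headers.referer || "";
  if (!referer.startsWith(SITE_ORIGIN + "/")) {
    return { status: 403, body: "Referrer Error: Please Check Referer" };
  }
  outbox.push({ to: req.body.to, subject: "Password reminder" });
  return { status: 200, body: "Password reminder successfully sent." };
}

// Hardened design: the recipient is fixed on the server. A differing "to"
// value is ignored and recorded, so tampering becomes visible in the logs.
function hardenedReminder(req, outbox, auditLog) {
  const supplied = req.body.to;
  if (supplied !== undefined && supplied !== ADMIN_EMAIL) {
    auditLog.push({ event: "reminder_recipient_tamper", supplied });
  }
  outbox.push({ to: ADMIN_EMAIL, subject: "Password reminder" });
  return { status: 200, body: "Password reminder successfully sent." };
}

// Constructed request: sent from the genuine page (so the Referer is valid)
// after the hidden field was edited in the DOM, as in Mission 5.
function tamperedRequest() {
  return {
    headers: { referer: SITE_ORIGIN + "/missions/basic/5/" },
    body: { to: "someone-else@example.org" },
  };
}

// Run the same tampered request through both handlers and compare recipients.
function demo() {
  const weakOut = [], hardOut = [], log = [];
  weakReminder(tamperedRequest(), weakOut);
  hardenedReminder(tamperedRequest(), hardOut, log);
  return { weakTo: weakOut[0].to, hardTo: hardOut[0].to, alerts: log.length };
}

console.log(demo());
```

The Referer check stops the saved-page approach of Mission 4 but not an edit made inside the genuine page, which is why only the server-side recipient closes the hole.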
