hack this site basic 11

In this 11th mission we are dealing with a miss configured music website, by appending “index.php” to the URL you get a page that asks you to enter the correct password that we don’t have … yet.

One thing that you may have noticed is that whenever you refresh the page you get a new song name, this may seem random but it’s not and with a little bit of googling you’ll notice that these songs were performed by elton john. Now that we know that, we have to find how the music collection is organized on the server, after many tries I found that the songs are organized in letter by letter directories, trying all the different possibilities is a waste of time because we already know where to look for our password, it’s in http://www.hackthissite.org/missions/basic/11/e/l/t/o/n/ but when you get there, this directory may seem empty, but actually it’s not, there is a hidden file in it and it’s named “.htaccess“, this file allows a directory level configuration of the web server (In this case Apache).  When you open the .htaccess file you’ll see this interesting instruction:
IndexIgnore DaAnswer.* .htaccess

this tells to the web server to exclude these two files from the directory listing. Now we know that our password in the “DaAnswer” file, when you open the file you’ll get something like

The answer is easy! Just look a little harder.

You have to take it literally, cause in this case the answer is “easy” (without the quotes), now go to the index.php, submit your anwser and the “go on” link will appear, you have completed the 11th basic mission.

Hack This Site basic 9

To solve this challenge you must know Directory traversal, SSI and *nix directory structure. In this mission Sam screwed up somewhere when he was trying to limit the use of SSI to the level 8 only, this is a big spoiler on how you should proceed to achieve this mission, in other words you have to use Sam’s daughter script once again to find the hidden file containing the password.

Back in the previous mission, we know that the file that is supposed to containt our name is stored in this directory “/var/www/hackthissite.org/html/missions/basic/8/tmp/” and we got the directory listing of “/var/www/hackthissite.org/html/missions/basic/8/” with this command <!–#exec cmd=”ls ..”–> where the two dots mean: one level up. What we need to do is to climb another level up (/var/www/hackthissite.org/html/missions/basic/) and list the content of the folder named “9″ (/var/www/hackthissite.org/html/missions/basic/9/)  where the file containing the password is, the SSI command will be “<!–#exec cmd=”ls ../../9/”–>” once you submit this, you will get the name of the file containing the password. Once done, append it to this address “http://www.hackthissite.org/html/missions/basic/9/” (ex: http://www.hackthissite.org/html/missions/basic/9/p91e283zc3.php) and navigate to it, here you got your password .

Hack This Site Basic 8

It’s been a while since I haven’t added any article to my blog, so here I’m back again with the solution of the eighth  basic mission of HTS challenges. To solve This mission you need to know SSI (Server Side Includes) which is dynamic HTML executed by the server.

This time we’re gonna use Sam’s young daughter script to help us solving this challenge, she wrote a PHP script that stores the user name in a file within this directory  “/var/www/hackthissite.org/html/missions/basic/8/tmp/” but the directory that we are intrested in is just one level up, where the file containing the password resides. Now we have to make Sam’s daughter script include the file listing of the directory that contains the password file, and to do this we have to use SSI, and make the server call the “ls” linux command, to do this enter as your name “<!–#exec cmd=”ls ..” –>” (without the quotes, double hyphen near the exlamation mark and the greater than sign), after this you will get the name of the file containing the password, as for me it was “au12ha39vc.php”

Now all you have to do is to navigate to this file with your browser http://www.hackthissite.org/missions/basic/8/au12ha39vc.php, and there it is your password, enter it, Congratz you have completed the eighth mission.

Hack This Site Basic 7

Hello and welcome to the solution of the 7th basic mission of HTS, this one is fairly easy if you have already used Linux (which I highly recommend over windows or mac), since the key to achieve this mission relays on your knowledge of basic UNIX commands and also on combining commands.

Now back to our mission, in this one, network security Sam practices security through the ignorance of hackers. as for protecting his password, he has hidden it in a script with an obscure file name, but in “unrelated” news he has made a script that returns the output of the Linux command “cal“, and what this command does, is that it displays a simple calendar. This is where combining commands comes in handy.

Indeed, by appending the combining command “&&” and the UNIX command “ls” we can do a full listing of the current directory, this is the output that I got (after entering “&& ls”):

        August 2008
Mon Tue Wed Thu Fri Sat Sun
                  1   2   3
  4   5   6   7   8   9  10
 11  12  13  14  15  16  17
 18  19  20  21  22  23  24
 25  26  27  28  29  30  31

.
..

level7.php
cal.pl
.htaccess
k1kh31b1n55h.php
index.php

Got it! the file that contains our password is “k1kh31b1n55h.php” now we must view it’s content, once done, just enter the password and you’ll have access to the 8th mission of HTS.