
05 Jul 09

Hack This Site basic 9

To solve this challenge you must know directory traversal, SSI and the *nix directory structure. In this mission Sam screwed up somewhere when he was trying to limit the use of SSI to level 8 only. This is a big spoiler on how you should proceed to achieve this mission: in other words, you have to use Sam’s daughter’s script once again to find the hidden file containing the password.

Back in the previous mission, we learned that the file that is supposed to contain our name is stored in the directory “/var/www/hackthissite.org/html/missions/basic/8/tmp/”, and we got the directory listing of “/var/www/hackthissite.org/html/missions/basic/8/” with the command <!--#exec cmd="ls .."-->, where the two dots mean one level up. What we need to do is climb another level up (/var/www/hackthissite.org/html/missions/basic/) and list the content of the folder named “9” (/var/www/hackthissite.org/html/missions/basic/9/), where the file containing the password is. The SSI command will be <!--#exec cmd="ls ../../9/"-->. Once you submit this, you will get the name of the file containing the password. Append it to the address “http://www.hackthissite.org/html/missions/basic/9/” (ex: http://www.hackthissite.org/html/missions/basic/9/p91e283zc3.php) and navigate to it; there you have your password ;) .

02 Oct 08

Hack This Site Basic 8

It’s been a while since I added any article to my blog, so here I am back again with the solution of the eighth basic mission of the HTS challenges. To solve this mission you need to know SSI (Server Side Includes), which is dynamic HTML executed by the server.

This time we’re gonna use Sam’s young daughter’s script to help us solve this challenge. She wrote a PHP script that stores the user name in a file within the directory “/var/www/hackthissite.org/html/missions/basic/8/tmp/”, but the directory that we are interested in is just one level up, where the file containing the password resides. Now we have to make Sam’s daughter’s script include the file listing of the directory that contains the password file, and to do this we have to use SSI and make the server call the “ls” Linux command. To do this, enter as your name <!--#exec cmd="ls .." --> (without the quotes, with a double hyphen right after the exclamation mark and another one before the greater-than sign). After this you will get the name of the file containing the password; for me it was “au12ha39vc.php”.

Now all you have to do is navigate to this file with your browser, http://www.hackthissite.org/missions/basic/8/au12ha39vc.php, and there is your password. Enter it, and congratz, you have completed the eighth mission.
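Both SSI posts (this one and basic 9 above) come down to the same defect: a value typed by the visitor is written into a file that Apache parses for SSI directives. As an added example, not part of the original posts or of the HTS script, here is Python a site owner could use to flag such submissions during log review and to escape them so mod_include never sees a directive; the name allowlist and the directive regex are assumptions, not Apache’s own parser.

```python
import html
import re

# Apache mod_include directives look like <!--#element attr="value" -->.
# The pattern tolerates odd spacing so a scan of past submissions is not
# fooled by minor variations; it is an assumption, not the parser itself.
SSI_DIRECTIVE = re.compile(
    r"<!--\s*#\s*(exec|include|echo|config|set|printenv|fsize|flastmod)\b[^>]*-->",
    re.IGNORECASE,
)

# Allowlist for the "name" field: letters, spaces, apostrophes, hyphens (assumed policy).
NAME_OK = re.compile(r"^[A-Za-z][A-Za-z' -]{0,39}$")


def contains_ssi(value):
    """True if the submitted value carries an SSI directive."""
    return SSI_DIRECTIVE.search(value) is not None


def is_valid_name(value):
    """Reject anything that is not plausibly a name before it is ever stored."""
    return NAME_OK.match(value) is not None


def neutralize(value):
    """Escape a value so that, written into an SSI-parsed file, it is shown as
    text: once '<' becomes '&lt;' there is no '<!--#' for mod_include to act on."""
    return html.escape(value, quote=True)


def scan_submissions(submissions):
    """Review helper: (submission, flagged) for each stored value."""
    return [(s, contains_ssi(s)) for s in submissions]


# Constructed sample of what the tmp/ directory might have received.
SAMPLE_SUBMISSIONS = [
    "Alice",
    '<!--#exec cmd="ls .." -->',
    '<!--#exec cmd="ls ../../9/"-->',
    "<!-- a plain HTML comment -->",
]

if __name__ == "__main__":
    for submission, flagged in scan_submissions(SAMPLE_SUBMISSIONS):
        print(f"{'FLAG' if flagged else '  ok'} {submission!r} -> {neutralize(submission)!r}")
```

The server-side fix that matches Sam’s intent is per-directory: `Options IncludesNOEXEC` keeps `#include` but disables `#exec`, and files written from user input should not live in an SSI-parsed directory at all.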

19 Aug 08

Hack This Site Basic 7

Hello and welcome to the solution of the 7th basic mission of HTS. This one is fairly easy if you have already used Linux (which I highly recommend over Windows or Mac), since the key to achieving this mission relies on your knowledge of basic UNIX commands and also on combining commands.

Now back to our mission. In this one, network security Sam practices security through the ignorance of hackers: to protect his password, he has hidden it in a script with an obscure file name, but in “unrelated” news he has made a script that returns the output of the Linux command “cal”, which displays a simple calendar. This is where combining commands comes in handy.

Indeed, by appending the combining operator “&&” and the UNIX command “ls” we can get a full listing of the current directory. This is the output that I got (after entering “&& ls”):

        August 2008
Mon Tue Wed Thu Fri Sat Sun
                  1   2   3
  4   5   6   7   8   9  10
 11  12  13  14  15  16  17
 18  19  20  21  22  23  24
 25  26  27  28  29  30  31

.
..

level7.php
cal.pl
.htaccess
k1kh31b1n55h.php
index.php

Got it! The file that contains our password is “k1kh31b1n55h.php”. Now we must view its content; once done, just enter the password and you’ll have access to the 8th mission of HTS.
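The cal.pl bug is the visitor’s text being glued onto a shell command line. As an added example (my own Python, not the site’s Perl script), here is that vulnerable pattern beside a hardened version that allowlists a month/year argument and runs cal without a shell; the allowlist, function names and metacharacter set are assumptions.

```python
import re
import subprocess

# cal takes an optional month (1-12) followed by a year (1-9999); nothing else
# is accepted. The exact allowlist is an assumption about what the page needs.
CAL_ARGS = re.compile(r"^(?:(1[0-2]|[1-9])\s+)?([1-9][0-9]{0,3})$")

# Characters that let a value break out of a shell command line (for log review).
SHELL_META = re.compile(r"[;&|`$<>\n\\(){}]")


def run_cal_vulnerable(user_arg):
    """The pattern behind the mission: user text is concatenated into a command
    string and handed to a shell, so "&& ls" becomes a second command."""
    return subprocess.run("cal " + user_arg, shell=True,
                          capture_output=True, text=True).stdout


def build_cal_argv(user_arg):
    """Validate the input against the allowlist and build an argv list.
    Raises ValueError for anything outside 'month year' / 'year'."""
    user_arg = user_arg.strip()
    if user_arg == "":
        return ["cal"]
    m = CAL_ARGS.match(user_arg)
    if m is None:
        raise ValueError("rejected cal argument: %r" % user_arg)
    month, year = m.groups()
    return ["cal"] + ([month] if month else []) + [year]


def is_accepted(user_arg):
    """Convenience wrapper: does the allowlist let this value through?"""
    try:
        build_cal_argv(user_arg)
        return True
    except ValueError:
        return False


def run_cal_safe(user_arg):
    """Hardened version: argv list, no shell, so metacharacters are literal
    (and already rejected) text rather than shell syntax."""
    return subprocess.run(build_cal_argv(user_arg), shell=False,
                          capture_output=True, text=True, check=True).stdout


def has_shell_metachars(user_arg):
    """Detection helper: flag request parameters that carry shell syntax."""
    return SHELL_META.search(user_arg) is not None
```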

18 Aug 08

Hack This Site Basic 6

With this mission things are getting harder, because now network security Sam is using an encryption algorithm, and to bypass his brand new security measure we have to decipher the encrypted password. To help us in our task we have a working cipherer that makes things easier.

The first thing that some of you may notice is that they have said that “the encryption system is publicly available”, so we suppose that it’s a well known one. Indeed, the encryption algorithm is called “Caesar” (for more information about this one, check Wikipedia’s entry), but with a minor change: the encryption key is variable; it is the position that a letter occupies within our string. I think that an example would clarify things better:

With the original caesar cipher and an encryption key of 3:

original string : abcd123
encrypted string : defg456

With the one used in HTS:

original string : abcd123
encrypted string :aceg579

How ?

Since “a” was in the 1st place, the key is “0”, which means no substitution.
And “b”, which was in the 2nd place, has the key “1”, which means: “b” moved by +1 = “c”.
Finally “c”, which was in the 3rd place, has the key “2”, which means: “c” moved by +2 = “e”.

and so on for the other letters and numbers.

Decoding the encrypted password “d4e98i6>”:

“d” remains “d” (remember the key is zero)
“4” moved by “-1” will give a “3”
“e” moved by “-2” will give a “c”
“9” moved by “-3” will give a “6”
“8” moved by “-4” will give a “4”
“i” moved by “-5” will give a “d”
“6” moved by “-6” will give a “0”
“>” moved by “-7” will give a “7” (check the ASCII table in Wikipedia’s entry)

The decrypted password is “d3c64d07”.

Once again we have defeated Sam at his own game. After deciphering the encrypted password, all we have to do now is enter it, and welcome to the 7th mission.
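The position-keyed Caesar described above, worked through in code as an added example (mine, not the post’s or the site’s cipherer). The shifts are plain ASCII arithmetic without wrap-around, which is why “>” can appear in the ciphertext, and since the shift at every position is public, decryption needs no key at all; function names are assumptions.

```python
def caesar(text, key):
    """Classic Caesar as the post treats it: every character shifted by the same
    amount in plain ASCII (so digits and punctuation move too)."""
    return "".join(chr(ord(ch) + key) for ch in text)


def hts_encrypt(plaintext):
    """The HTS variant: the shift for each character is its zero-based position,
    so the 'key' is not secret at all."""
    return "".join(chr(ord(ch) + i) for i, ch in enumerate(plaintext))


def hts_decrypt(ciphertext):
    """Undo the positional shift; no key material is needed."""
    return "".join(chr(ord(ch) - i) for i, ch in enumerate(ciphertext))


def decrypt_trace(ciphertext):
    """Step table matching the post: (cipher char, shift applied, plain char)."""
    return [(ch, -i, chr(ord(ch) - i)) for i, ch in enumerate(ciphertext)]


if __name__ == "__main__":
    # "d4e98i6>" is the ciphertext quoted in the post.
    for cipher_ch, shift, plain_ch in decrypt_trace("d4e98i6>"):
        print(f"{cipher_ch!r} moved by {shift:+d} gives {plain_ch!r}")
    print("decrypted:", hts_decrypt("d4e98i6>"))
```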