hack this site Javascript 1

THIS BLOG HAS A NEW HOME WITH SOLUTIONS TO MORE HTS MISSIONS.

this mission is pretty easy, it requires very little knowledge of JavaScript, all you have to do is check the page source ( under Firefox: View -> Page source or Ctrl + u), scroll down where the HTML code for  the form is, you’ll notice this interesting piece of code:

javascript-1-the-idiots-test

THE REMAINING OF THE SOLUTION IS AVAILABLE HERE.

Posted in HackThisSite | Tagged , , , , ,

hack this site basic 11

THIS BLOG HAS A NEW HOME WITH SOLUTIONS TO MORE HTS MISSIONS.

In this 11th mission we are dealing with a miss-configured music website, by appending “index.php” to the URL you get a page that asks you to enter the correct password that we don’t have … yet.

One thing that you may have noticed is that whenever you refresh the page you get a new song name, this may seem random but it’s not and with a little bit of googling you’ll notice that these songs were performed by elton john. Now that we know that, we have to find how the music collection is organized on the server, after many tries I found that the songs are organized in letter by letter directories, trying all the different possibilities is a waste of time because we already know where to look for our password, it’s in http://www.hackthissite.org/missions/basic/11/e/l/t/o/n/ but when you get there, this directory may seem empty, but actually it’s not, there is a hidden file in it and it’s named “.htaccess“, this file allows a directory level configuration of the web server (In this case Apache).  When you open the .htaccess file you’ll see this interesting instruction:
IndexIgnore DaAnswer.* .htaccess

this tells to the web server to exclude these two files from the directory listing. Now we know that our password in the “DaAnswer” file, when you open the file you’ll get something like

The answer is easy! Just look a little harder.

THE REMAINING OF THE SOLUTION IS AVAILABLE HERE.

Posted in HackThisSite | Tagged , , , , , , | 8 Comments

hack this site basic 10

THIS BLOG HAS A NEW HOME WITH SOLUTIONS TO MORE HTS MISSIONS.

For this 10th basic mission, Sam has used a more “hidden” approach to authenticate users. since viewing the source is a dead end, I tried another approach which is to view the HTTP request headers using Live HTTP headers which is another, very useful firefox addon (grab it here), I could also have used Tamper data for that. Anyway, after monitoring the headers I’ve found an insteresting thing as shown here:

Live HTTP headers

Live HTTP headers

As you can see, it’s an interesting information that we got here, we know that Sam is using a cookies based authentication method this time. We know this, now what?.

THE REMAINING OF THE SOLUTION IS AVAILABLE HERE.

Posted in HackThisSite | Tagged , , , , , | 4 Comments

Hack This Site basic 9

THIS BLOG HAS A NEW HOME WITH SOLUTIONS TO MORE HTS MISSIONS.

To solve this challenge you must know Directory traversal, SSI and *nix directory structure. In this mission Sam screwed up somewhere when he was trying to limit the use of SSI to the level 8 only, this is a big spoiler on how you should proceed to achieve this mission, in other words you have to use Sam’s daughter script once again to find the hidden file containing the password.

THE REMAINING OF THE SOLUTION IS AVAILABLE HERE.

Posted in HackThisSite | Tagged , , , , , , , , | 1 Comment