Please visit "Hack This Site" for further information.
Hack This Site helps you improve your penetration testing. The requirements are HTML, common sense, an email address, Apache, ASCII, and JavaScript. Part 2 covers level 6 onwards.
Network Security Sam has encrypted his password. The encryption system is publicly available and can be accessed with this form |Form Box| You have recovered his encrypted password. It is c:94jgj7. Decrypt the password to advance to the next level : | Answer Form |
- Try to put `11111` on the encryption system |form box|. The encryption result is `12345`.
- For every string that we put here, the system converts each character according to its value in the ASCII table and its position in the string. Please have a look at an ASCII table. Since `11111` became `12345`, encryption adds the position to each character, so decryption subtracts it. To put it simply:
  - The first character is decremented by 0.
  - The second is decremented by 1.
  - The third is decremented by 2, and so on.
Character | ASCII value | New ASCII | Corresponds to |
---|---|---|---|
c | 99 | 99-0 = 99 | remains c |
: | 58 | 58-1 = 57 | 9 |
9 | 57 | 57-2 = 55 | 7 |
4 | 52 | 52-3 = 49 | 1 |
j | 106 | 106-4 = 102 | f |
g | 103 | 103-5 = 98 | b |
j | 106 | 106-6 = 100 | d |
7 | 55 | 55-7 = 48 | 0 |
- By following that logic, we get the result of `c971fbd0`. Write it on the |Answer Form|.
- Hashing: Changing the encryption key dynamically.
- Salting: Adding randomness to make it harder to break.
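The weakness in level 6 is that the scheme has no key, so one probe of the public form describes it completely. The following is an added example, not code from the mission or the original write-up: `encrypt` is a local stand-in for the form, assumed from the `11111` to `12345` observation, and all function names are hypothetical.

```python
from typing import Callable, List


def encrypt(plaintext: str) -> str:
    """Local stand-in for the mission's form (assumed from 11111 -> 12345):
    each character's ASCII value is increased by its zero-based position."""
    return "".join(chr(ord(ch) + i) for i, ch in enumerate(plaintext))


def recover_offsets(oracle: Callable[[str], str], length: int,
                    probe_char: str = "1") -> List[int]:
    """Submit one constant string and read the shift applied at each position.
    No key is involved, so this single probe describes the whole scheme."""
    probe = probe_char * length
    return [ord(out) - ord(probe_char) for out in oracle(probe)]


def decrypt(ciphertext: str, offsets: List[int]) -> str:
    """Undo the per-position shifts learned from the probe."""
    if len(ciphertext) > len(offsets):
        raise ValueError("probe was shorter than the ciphertext")
    return "".join(chr(ord(ch) - off) for ch, off in zip(ciphertext, offsets))


if __name__ == "__main__":
    offsets = recover_offsets(encrypt, 8)
    print(offsets)                       # shifts for positions 0..7
    print(decrypt("c:94jgj7", offsets))  # ciphertext from the mission text
```

Because the output depends only on the input and its position, anything stored with this scheme is readable by anyone who can use the form once.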
This time Network Security Sam has saved the unencrypted level7 password in an obscurely named file saved in this very directory. In other unrelated news, Sam has set up a script that returns the output from the UNIX cal command. Here is the script: Enter the year you wish to view and hit 'view'.
- The web app uses a script (Perl) that takes the number the user inputs and shows a calendar for that specific year on the website. The command is "cal -y" (Year). We exploit this by typing `;ls` on the `view` form box (command injection).
- We found `k1kh31b1n55h.php` and placed it in the web browser address bar (just put it at the back of the link). Then we found the password.
- Enter the password on the `password form` and submit.
- Sanitise the user input before executing on the web application.
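The mitigation for level 7 in practice, as an added example that is not the mission's Perl script: the year is checked against a strict allowlist and `cal` is started from an argument list, so no shell ever parses the input. The function names are hypothetical, and `vulnerable_command` only models the string that a concatenating script would hand to a shell.

```python
import re
import subprocess

# ASCII digits only; fullmatch() also rejects a trailing newline.
YEAR_RE = re.compile(r"[0-9]{1,4}")


def vulnerable_command(user_input: str) -> str:
    """Model of the flawed pattern: input pasted into a shell command line.
    With ';ls' the shell receives two commands instead of one."""
    return "cal " + user_input


def safe_cal_argv(user_input: str) -> list:
    """Validate the year and return an argv list for use without a shell."""
    if not YEAR_RE.fullmatch(user_input):
        raise ValueError("year must be 1 to 4 digits")
    year = int(user_input)
    if not 1 <= year <= 9999:  # range cal accepts for a year argument
        raise ValueError("year out of range")
    # One argv element per argument: metacharacters could not be
    # interpreted even if validation were ever loosened.
    return ["cal", str(year)]


def run_cal(user_input: str) -> str:
    """Run cal for a validated year; no shell=True, bounded runtime."""
    result = subprocess.run(safe_cal_argv(user_input), capture_output=True,
                            text=True, check=True, timeout=5)
    return result.stdout


if __name__ == "__main__":
    print(vulnerable_command(";ls"))  # what the shell would have parsed
    for candidate in ["2024", ";ls", "2024;ls", "2024\n"]:
        try:
            print(repr(candidate), "->", safe_cal_argv(candidate))
        except ValueError as err:
            print(repr(candidate), "rejected:", err)
```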
Sam remains confident that an obscured password file is still the best idea, but he screwed up with the calendar program. Sam has saved the unencrypted password file in /var/www/hackthissite.org/html/missions/basic/8/ However, Sam's young daughter Stephanie has just learned to program in PHP. She's talented for her age, but she knows nothing about security. She recently learned about saving files, and she wrote a script to demonstrate her ability.
- I tried to input `Albert` on the `Enter your name` button. It returns me with this.
PHP knowledge is required for this task. The password is still in the directory, so we have to list the contents of the directory. The comment to solve this task is `<!--#exec cmd="ls ../" -->`. It shows me this.
- We placed that link in the web browser address bar (just put it at the back of the link). Then we found the password.
- Copy and paste the password. Submit the form.
- Validate the user input.
- Web application firewall can be used.
- Update the web servers and applications. Configure them so we can avoid Server-Side Includes (SSI) injection.
- Be familiar with PHP when it comes to SSI.
Network Security Sam is going down with the ship - he's determined to keep obscuring the password file, no matter how many times people manage to recover it. This time the file is saved in /var/www/hackthissite.org/html/missions/basic/9/. In the last level, however, in my attempt to limit people to using server side includes to display the directory listing to level 8 only, I have mistakenly screwed up somewhere.. there is a way to get the obscured level 9 password. See if you can figure out how... This level seems a lot trickier than it actually is, and it helps to have an understanding of how the script validates the user's input. The script finds the first occurrence of '<--', and looks to see what follows directly after it.
- This is pretty much the same as level 8, because of the same error as before. Go to the level 8 exercise and this time type this command, `<!--#exec cmd="ls ../../9/" -->`, on the `Enter your name` button.
- We placed that link in the web browser address bar (just put it at the back of the link). Then we found the password.
- Copy and paste the password. Submit the form.
- Validate the user input.
- Web application firewall can be used.
- Update the web servers and applications. Configure them so we can avoid Server-Side Includes (SSI) injection.
- Be familiar with PHP when it comes to SSI.
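For the input-validation and WAF points in levels 8 and 9, the following added example (not part of the original write-up or the site's script) finds SSI directives anywhere in a submitted field, including percent-encoded ones, and shows the output encoding that prevents the stored value from ever containing a directive. The sample fields are constructed from the payloads quoted above, and the function names are hypothetical.

```python
import html
import re
from urllib.parse import unquote_plus

# mod_include element names; matched anywhere in the value, case-insensitively.
SSI_DIRECTIVE = re.compile(
    r"<!--\s*#\s*(config|echo|exec|fsize|flastmod|include|printenv|set"
    r"|if|elif|else|endif)\b",
    re.IGNORECASE,
)


def find_ssi_directives(raw_field: str) -> list:
    """Return every SSI element name in a form field, decoding the
    application/x-www-form-urlencoded layer first so %3C%21--%23 is seen."""
    decoded = unquote_plus(raw_field)
    return [m.group(1).lower() for m in SSI_DIRECTIVE.finditer(decoded)]


def neutralise(decoded_field: str) -> str:
    """Encode markup characters so the stored value can never form '<!--#'."""
    return html.escape(decoded_field, quote=True)


# Constructed submissions to the level 8 name form (not captured traffic).
SAMPLE_FIELDS = [
    "Albert",
    '<!--#exec cmd="ls ../" -->',
    "%3C%21--%23exec+cmd%3D%22ls+..%2F..%2F9%2F%22+--%3E",
]


def triage(fields):
    """Pair each raw field with the directives found in it."""
    return [(field, find_ssi_directives(field)) for field in fields]


if __name__ == "__main__":
    for field, hits in triage(SAMPLE_FIELDS):
        print("ALERT" if hits else "ok   ", hits, field)
```

Detection like this belongs in logging or a WAF rule; the actual fix is `neutralise` (or not serving user-written files through the SSI handler at all), because it does not depend on recognising every directive.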
This time Sam used a more temporary and "hidden" approach to authenticating users, but he didn't think about whether or not those users knew their way around javascript...
- This is an incorrect implementation of cookies. Anyone can hijack the session by changing the authorization mode. Click `Developer tool` and navigate to `console`. Run this command: `document.cookie`.
- When it is done, enter and run this command: `document.cookie="level10_authorized=yes";`.
- Alternatively, on the `Developer tool`, please navigate to Application. On the `value` column of `level10_authorized`, change the value from `no` to `yes`.
- Press the `password` button without typing the password.
- Do not use yes/no cookies for authentication. A flag that the browser controls lets the server grant access to a user without the password. The cookie should instead store a session ID that is associated with the authentication of the user on the server side.
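What a server-verified replacement for the `level10_authorized` flag can look like, as an added example that is not the site's code: the cookie carries a value the server authenticates with an HMAC, so editing it in the browser makes it invalid. `SERVER_KEY`, `issue_token` and `is_authorized` are hypothetical names, and the pipe-separated token layout is an assumption of this sketch.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

SERVER_KEY = secrets.token_bytes(32)  # generated and kept server-side only


def _tag(payload: str) -> str:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(user: str, ttl: int = 900, now: Optional[float] = None) -> str:
    """Called only after the password check has succeeded on the server."""
    if "|" in user:
        raise ValueError("separator not allowed in user name")
    issued = time.time() if now is None else now
    payload = f"{user}|{int(issued) + ttl}"
    return f"{payload}|{_tag(payload)}"


def is_authorized(cookie_value: str, now: Optional[float] = None) -> bool:
    """Accept the cookie only if the server's MAC verifies and it is unexpired."""
    parts = cookie_value.split("|")
    if len(parts) != 3:
        return False
    user, expires, tag = parts
    expected = _tag(f"{user}|{expires}")
    # Constant-time comparison on bytes (also copes with non-ASCII input).
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return False
    current = time.time() if now is None else now
    return int(expires) > current  # safe: the value was MAC-verified above


def naive_is_authorized(cookie_value: str) -> bool:
    """The pattern from the mission: trust whatever the browser sends."""
    return cookie_value == "yes"


if __name__ == "__main__":
    token = issue_token("sam")
    print(naive_is_authorized("yes"), is_authorized("yes"), is_authorized(token))
```

In a real deployment the cookie would also be set with the `HttpOnly` and `Secure` attributes so that page script cannot read or overwrite it.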
There is no page written for scenario 11, which makes it interesting to solve. This one involves Apache: someone enabled directory listing by default.
- I tried to visit https://www.hackthissite.org/missions/basic/11/. Yet, what is shown is Elton's song. If I refresh the page, it will keep generating random Elton's music.
- I tried to visit several links such as https://www.hackthissite.org/missions/basic/11/a/, https://www.hackthissite.org/missions/basic/11/b, https://www.hackthissite.org/missions/basic/11/c/ and so on. It did not work out. Until I visited this: https://www.hackthissite.org/missions/basic/11/e/. Then I kept clicking whatever directories that are available.
- I included .htaccess at the link to see if something came up.
- I included DaAnswer/ at the link as well as shown in the image above.
- It says that the answer is around. There's one more link I should have visited earlier which is https://www.hackthissite.org/missions/basic/11/index.php.
- I entered the password and it is done.
- Learn Apache.
- Configure the Apache web server to make sure not everyone can read the configuration of the web server. The directory `DaAnswer` should not be made public, otherwise it could be exploited.
- Correct the file permission, implement authentication and access control.
Part 2 requires ASCII knowledge, command injection, Apache (Server-Side Includes injection), cookies (JavaScript), and the Apache web server.