
HTS Basic Writeup
October 9, 2024, 7:38 am

Basic 1

Challenge Text

Basic test of your skills to see if you can do any of these missions. Requirements: HTML


Level 1 (the idiot test)

This level is what we call "The Idiot Test." If you can't complete it, don't give up on learning all you can, but don't go begging someone else for the answer; that's one way to get you hated or made fun of. Enter the password and you can continue.


Writeup

The first challenge is really simple. We know from the room text that finding the password involves basic knowledge of HTML, and if we look at the source code or use the developer tools to inspect the HTML around the password submit button, we'll see the following code:

<center>
    <b>Level 1(the idiot test)</b>
</center>
<br /><br /> This level is what we call "The Idiot Test." If you can't complete it, don't give up on learning all you can, but don't go begging someone else for the answer; that's one way to get you hated or made fun of. Enter the password and you can continue.
<br /><br />
<!-- the first few levels are extremely easy: password is 79b56553 -->
<center>
    <b>password:</b><br />
    <form action="/missions/basic/1/index.php" method="post"><input type="password" name="password" /><br /><br /><input type="submit" value="submit" /></form>
</center>

In that section of HTML, we'll find our password in an HTML comment.

<!-- the first few levels are extremely easy: password is 79b56553 -->


Basic 2

Challenge Text

This challenge is slightly more difficult and involves an incomplete password script. Requirements: common sense.


Level 2

Network Security Sam created a password protection script that loads the actual password from an unencrypted text file and checks it against the user's input. However, he forgot to upload the password file...


Writeup

The challenge states that the password protection script compares a loaded password from a text file to the user-entered password, but the password file was never uploaded. Therefore, the program is comparing an empty value to the entered password. To solve this challenge, we can simply leave the password field blank and click the submit button, as this compares nothing to nothing, resulting in a true evaluation.


Basic 3

Challenge Text

Some intuition is required to locate the hidden password file. Requirements: basic HTML knowledge.

This time, Network Security Sam successfully uploaded the password file, but there were more serious issues.


Writeup

By examining the HTML source code, particularly the form section, we can see that upon submission, this form sends a POST request to /missions/basic/3/index.php, including our entered password and a hidden field named file whose value is password.php.

<form action="/missions/basic/3/index.php" method="post">
    <input type="hidden" name="file" value="password.php" />
    <input type="password" name="password" />
    <br />
    <br />
    <input type="submit" value="submit" />
</form>

This file is used to verify our password.

If we access the password.php file at https://www.hackthissite.org/missions/basic/3/password.php, we will find the password needed to complete this level.

9ec995dd


Basic 4

Challenge Text

An email script has been created to send the password to the administrator. Requirements: knowledge of HTML and an email address.


In this case, Sam hardcoded the password into the script. However, since the password is long and complicated, and Sam tends to forget things, he wrote a script that automatically emails him the password if he forgets it. Here’s the script:


Writeup

By looking at the HTML source code for the form in this level, we can find a hidden input containing the email address of the site administrator.

<form action="/missions/basic/4/level4.php" method="post">
    <input type="hidden" name="to" value="sam@hackthissite.org">
    <input type="submit" value="Send password to Sam">
</form>

When this form is submitted, the script will send the site admin's password to the email address specified in the value attribute.


The issue here is that we can easily modify the HTML using our developer console, which exposes this level to a vulnerability known as Form Field Tampering.


By opening your browser’s developer console and double-clicking on value="sam@hackthissite.org", we can change the email address to our own.


After submitting the form with our email address instead of the admin's, we’ll be redirected to a page displaying the following message:


Password reminder successfully sent to <Your Email Address>

(Note: If this email address does not match the one on your HackThisSite profile, no email will actually be sent.)

If done correctly, you should receive an email addressed to "Sam" in your inbox containing the password required to complete this level.


Sam,
Here is the password: '96ebb133'.


Basic 5

Challenge Text

This challenge is similar to the previous one but includes additional security measures. Requirements: knowledge of HTML, JavaScript or Firefox, and an email address.

Sam has become aware of people creating their own forms to obtain the password. Instead of learning the password himself, he opted to enhance the security of his email program.


Writeup

If we examine the HTML source code for the form in this level, we will find a hidden input that contains the email address of the site administrator.

<form action="/missions/basic/5/level5.php" method="post">
    <input type="hidden" name="to" value="sam@hackthissite.org">
    <input type="submit" value="Send password to Sam">
</form>

When this form is submitted, the script will send the site admin's password to the email address specified in the value attribute.


The issue arises from our ability to easily modify the HTML using the developer console, which exposes this level to a vulnerability called Form Field Tampering.


By opening the developer console in our browser and double-clicking on value="sam@hackthissite.org", we can change the email address to our own.


After submitting the form with our email address instead of the admin's, we will be redirected to a page that displays the following message:


Password reminder successfully sent to <Your Email Address>

(Note: If this email address is not linked to your HackThisSite profile, no email will be sent.)

If done correctly, you should receive an email addressed to "Sam" in your inbox containing the password necessary to complete this level.


Sam,
Here is the password: '3bcb223b'.


Basic 6

Challenge Text

An encryption system has been established that employs an unknown algorithm to transform the provided text. Requirements: persistence and some general knowledge of cryptography.

Network Security Sam has encrypted his password. The encryption system is publicly accessible through this form:


Writeup

In this challenge, we are given the password, but it has been encrypted with "an unknown algorithm." We also have access to the encryption system, where we can input our own data and observe how it processes it. A good starting point is to enter some initial test inputs to identify patterns in the results.


When we attempt to input the entire alphabet, the encryption fails because the input exceeds the allowable length. Thus, there is a limit on the number of characters we can encrypt.

After reducing the alphabet to the first 14 characters, we can successfully encrypt it: abcdefghijklmn.


The output for these 14 characters is acegikmoqsuwy{, which reveals a pattern. The first letter remains unchanged, while each subsequent letter is replaced by a letter that is further along in the alphabet.


Next, we can test a repeating letter sequence to analyze how it gets encrypted. By entering 14 letter 'a's, we observe the first 14 letters of the alphabet as the result:

aaaaaaaaaaaaaa → abcdefghijklmn


This indicates that the cipher employs a progressive shift. Each letter is rotated according to its position in the string, starting from zero.



With this knowledge, we are almost ready to decrypt the given password. The only piece of information we still need is how the encryption process "adds" or rotates symbols and numbers. As we noted, when the input was abcdefghijklmn, the output was acegikmoqsuwy{. The symbol at the end indicates that letters exceeding the alphabet do not wrap around but start including symbols.


For instance, instead of encrypting "zz" to "za", it encrypts it as "z{". This occurs because the cipher shifts through the printable ASCII characters, not just the alphabet.

We can confirm this using an ASCII chart: moving up one position from the lowercase letter 'z' leads us to '{'.

To further illustrate, if we input four lowercase 'a's into the encryption algorithm, we receive abcd, as 'a' plus 0 is 'a', 'a' plus 1 is 'b', and so forth.

Conversely, if we input four lowercase 'z's, the output will be z{|} since 'z' plus 0 is 'z', 'z' plus 1 is '{', 'z' plus 2 is '|', and 'z' plus 3 is '}'.

Now that we understand the entire encryption process, we can begin decryption, which simply reverses the steps we followed. Instead of "adding" or rotating forward, we will "subtract" (rotate backward) through the ASCII chart.


Encrypted Password: 29;i46?k

Finally, we have successfully decrypted the password: 289f019d.
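The analysis above can be checked in code. The following is an added example, not part of the original writeup or the site's script; it assumes the cipher simply adds each character's 0-based position to its ASCII code, which is what the samples on this page suggest.

```python
# Added example: model of the position-based shift cipher inferred above.
# Assumption: ciphertext[i] = chr(ord(plaintext[i]) + i), with no wrap-around.

def infer_shifts(plaintext, ciphertext):
    """Per-position offset between a chosen plaintext and its ciphertext."""
    if len(plaintext) != len(ciphertext):
        raise ValueError("plaintext and ciphertext lengths differ")
    return [ord(c) - ord(p) for p, c in zip(plaintext, ciphertext)]

def encrypt(plaintext):
    """Shift each character forward by its index."""
    return "".join(chr(ord(ch) + i) for i, ch in enumerate(plaintext))

def decrypt(ciphertext):
    """Shift each character backward by its index."""
    out = []
    for i, ch in enumerate(ciphertext):
        code = ord(ch) - i
        if code < 0x20:  # fell below printable ASCII: the model does not fit
            raise ValueError(f"position {i}: result is not printable ASCII")
        out.append(chr(code))
    return "".join(out)

# Chosen-plaintext pairs observed in the writeup.
SAMPLES = [
    ("abcdefghijklmn", "acegikmoqsuwy{"),
    ("aaaaaaaaaaaaaa", "abcdefghijklmn"),
    ("zzzz", "z{|}"),
]

def model_fits_samples():
    """True if every observed pair shows shifts 0, 1, 2, ... and re-encrypts."""
    for plain, cipher in SAMPLES:
        if infer_shifts(plain, cipher) != list(range(len(plain))):
            return False
        if encrypt(plain) != cipher:
            return False
    return True

if __name__ == "__main__":
    print("model fits samples:", model_fits_samples())
    print("decrypted:", decrypt("29;i46?k"))
```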


Basic 7

Challenge Text:

The password is concealed within a file with an ambiguous name, and Sam has created a script to show a calendar. Prerequisites: Basic knowledge of UNIX commands.

In this level, Network Security Sam has stored the unencrypted password for level 7 in a file with a vague name located in this directory.

In other news, Sam has also set up a script that executes the UNIX

command. Below is the script:


Writeup:

For this challenge, we learn that Sam has placed the unencrypted password file in the same directory where his public calendar program runs. This program accepts a year as input and relays it to the UNIX

command. We can start by testing the program with an arbitrary year like 2012, which would translate to

. The output will be as follows:

       January 2012
Mon Tue Wed Thu Fri Sat Sun
                          1
  2   3   4   5   6   7   8
  9  10  11  12  13  14  15
 16  17  18  19  20  21  22
 23  24  25  26  27  28  29
 30  31
...

The issue with this program is that the input is not properly sanitized, which makes the system vulnerable to OS command injection. We can confirm this vulnerability by appending another command to the year we input.


To execute this, we can separate the first command from our custom command using the ; symbol.

Example - command-1; command-2; command-3;


To display the current directory's contents, we would input:

2012; ls

This command will display the calendar for 2012, followed by the files in the current directory:

...
index.php
level7.php
cal.pl
.
..
k1kh31b1n55h.php

In the output, we will see the mentioned obscurely named file, k1kh31b1n55h.php. We can then read its contents by visiting its URL at https://www.hackthissite.org/missions/basic/7/k1kh31b1n55h.php, where we will find the password:

7bf92f21
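For comparison, here is the flaw in this level next to a hardened version. This is an added example, not the site's cal.pl script; it assumes the script passes the year to the UNIX cal command, and the function names are hypothetical.

```python
import re
import subprocess

# Assumption: the calendar script runs `cal <year>`.
YEAR_RE = re.compile(r"[0-9]{1,4}")  # ASCII digits only, at most four

def unsafe_command(user_input):
    """Vulnerable pattern: input is concatenated into a shell command line."""
    return "cal " + user_input  # a shell would split this at ';'

def safe_argv(user_input):
    """Allow-list validation; returns an argv list or raises ValueError."""
    value = user_input.strip()
    if not YEAR_RE.fullmatch(value) or int(value) == 0:
        raise ValueError("year must be a number from 1 to 9999")
    return ["cal", str(int(value))]

def show_calendar(user_input):
    """Run cal with an argv list and no shell, so nothing is parsed as syntax."""
    result = subprocess.run(safe_argv(user_input), capture_output=True,
                            text=True, check=True, timeout=5)
    return result.stdout

# Constructed inputs: one valid year and several that must be rejected.
CONSTRUCTED_INPUTS = ["2012", "2012; ls", "2012 ls", "abcd", "0", ""]

def rejected_inputs():
    """Return the constructed inputs that fail validation."""
    rejected = []
    for item in CONSTRUCTED_INPUTS:
        try:
            safe_argv(item)
        except ValueError:
            rejected.append(item)
    return rejected

if __name__ == "__main__":
    print("unsafe:", unsafe_command("2012; ls"))
    print("safe:", safe_argv("2012"))
    print("rejected:", rejected_inputs())
```

The validation and the shell-free invocation are independent controls: either one alone stops the input used in this level, and keeping both means a mistake in one does not reopen the hole.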


Basic 8

Challenge Overview

The password is concealed in an unknown file once again. Sam's daughter has started learning PHP and created a small script to showcase her skills. Prerequisites: Understanding of SSI (dynamic HTML executed by the server instead of the browser).


Sam believes that hiding the password in an obscure file is still the best strategy, despite his earlier mistake with the calendar program. He has saved the unencrypted password file in /var/www/hackthissite.org/html/missions/basic/8/.


Meanwhile, Sam's young daughter, Stephanie, has just begun programming in PHP. She is quite skilled for her age but lacks knowledge of security practices. Recently, she learned about file saving and wrote a script to demonstrate her programming abilities.


Writeup

The challenge text indicates that this level requires knowledge of SSI (Server Side Includes). If we research Server Side Include vulnerabilities online, we will find numerous articles discussing an attack called Server Side Includes Injection. An OWASP article on SSI Injections explains that SSIs are directives that the server uses to generate dynamic HTML.


If data provided by the web application isn't adequately validated, the application could be susceptible to injection, allowing users to execute their own SSI directives.


To check if a site is vulnerable to SSI injection, we can insert special characters commonly used in SSI directives to see how the application responds. These characters include:

<, !, #, =, /, ., ", -, >, and [a-zA-Z0-9].


Another approach to identify potential SSI Injection vulnerabilities is to look for pages with the following extensions:

.stm, .shtm, .shtml.


We can confirm both methods by providing a single < as input. The program will accept the symbol and inaccurately report its length as 4 characters. Additionally, we can observe that the file extension is .shtml.


SSI Vulnerability

With confirmation of the program's vulnerability, we can refer back to the OWASP article on SSI Injections for syntax examples for this attack.


SSI Injection Syntax Examples

We can begin by listing the contents of the current directory using the command:

<!--#exec cmd="ls"-->


The output from this command would be:

Hi, tshngmww.shtml hipykpqu.shtml ztxdhjxn.shtml avpfeoie.shtml fviqpmaw.shtml kqbybdzc.shtml dzrnmzgx.shtml npcsygfl.shtml whqxxojt.shtml ylomcmvu.shtml uhdppswp.shtml gzntiicx.shtml dzwbqiuu.shtml qvzuieng.shtml smcerykh.shtml qjhnmhmq.shtml znodwztr.shtml! Your name contains 254 characters.


While the exploit works, we need to remember that the password file is located at /var/www/hackthissite.org/html/missions/basic/8/, but we are currently listing the contents of the directory that holds the generated page, https://www.hackthissite.org/missions/basic/8/tmp/mumewoit.shtml. Therefore, we must modify the command to list the contents of the parent directory.


Revised Command

<!--#exec cmd="ls ../"-->

The output from this command will display the contents of https://www.hackthissite.org/missions/basic/8/, where we will find the obscurely named password file:

Hi, au12ha39vc.php index.php level8.php tmp! Your name contains 39 characters.

Now, we can access the password by visiting the file at https://www.hackthissite.org/missions/basic/8/au12ha39vc.php, where we will see the following:

e06a9c6f


Basic 9

Challenge Overview

The password is once again hidden in an unknown file. However, the script previously used to locate it has certain limitations. Prerequisites: Understanding of SSI and Unix directory structures.


Network Security Sam is determined to continue obscuring the password file, regardless of how often it gets uncovered. This time, the file is located in /var/www/hackthissite.org/html/missions/basic/9/.


In the previous level, I mistakenly created a flaw in my effort to restrict users to using server-side includes for displaying the directory listing of Level 8 only. There remains a method to access the obscured Level 9 password. See if you can figure it out...


This level may appear more challenging than it is, and understanding how the script validates user input will be beneficial. The script looks for the first occurrence of

and checks what follows it.


Writeup

For this challenge, it seems Security Sam may have overlooked a secondary vulnerability in his Level 8 program, which reveals the name of the Level 9 password file. Notably, there is no input for this level, so we can assume we need to return to Level 8 to obtain the password file name for our current level.


Level 8 was vulnerable to SSI Injections, but we were restricted to using only the ls command to display the contents of the current directory via the command:

<!--#exec cmd="ls"-->


However, this command listed the contents of https://www.hackthissite.org/missions/basic/8/tmp/, while the password file was stored at https://www.hackthissite.org/missions/basic/8/. To navigate to the parent directory, we modified the command to:

<!--#exec cmd="ls ../"-->


We can use similar commands to list the contents of the Level 9 directory where the password file is stored. We can either move up one more directory and access the Level 9 directory with this command:

<!--#exec cmd="ls ../../9"-->


Alternatively, we can list the absolute path to the directory using the following command:

<!--#exec cmd="ls /var/www/hackthissite.org/html/missions/basic/9/"-->


Both methods will yield the following output:

Hi, index.php p91e283zc3.php! Your name contains 24 characters.

Here, we can see the obscured password file named p91e283zc3.php. By navigating to its location at https://www.hackthissite.org/missions/basic/9/p91e283zc3.php, we will discover the following password:

cb2471e5


Basic 10

Challenge Overview

This time, Sam opted for a more temporary and "hidden" method for user authentication, but he overlooked whether the users were familiar with JavaScript.


Writeup

In this challenge, we learn that Sam has implemented a new user authentication method. Since it's not a password, other options come to mind, such as using cookies. However, utilizing cookies for authentication can expose websites to Cookie Poisoning vulnerabilities.


One way to modify your cookies is by accessing the developer tools in your browser. In Firefox, you can find cookies under the Storage tab in the developer console.

Once you're in the cookies section of your developer tools, you will notice a cookie named

with a value of "no."


Level 10 Cookie

By hovering over the "no" value and double-clicking it, you can edit the value.

After changing it to "yes," you can enter any password into the password field for this level, granting you access to the next page.
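The level works because the server trusts a cookie value the client can edit. The following added example, which is not the site's code, shows one way a server can detect that edit: the value is signed with an HMAC bound to the session. The session identifiers and function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Key generated and kept on the server; the client never sees it.
SERVER_KEY = secrets.token_bytes(32)

def _tag(session_id, value, key):
    """HMAC over the server-generated session id and the cookie value."""
    msg = f"{session_id}|{value}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def issue_cookie(session_id, authorized, key=SERVER_KEY):
    """Return 'yes.<tag>' or 'no.<tag>' for this session."""
    value = "yes" if authorized else "no"
    return f"{value}.{_tag(session_id, value, key)}"

def is_authorized(session_id, cookie, key=SERVER_KEY):
    """Accept only an untampered 'yes' issued for this session."""
    value, sep, tag = cookie.partition(".")
    if not sep:
        return False  # unsigned value, e.g. a bare "yes"
    expected = _tag(session_id, value, key)
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    valid = hmac.compare_digest(tag.encode(), expected.encode())
    return valid and value == "yes"

def tamper(cookie):
    """Constructed test input: flip 'no' to 'yes' but keep the old tag."""
    _, _, tag = cookie.partition(".")
    return "yes." + tag

if __name__ == "__main__":
    issued = issue_cookie("sess-1", False)
    print("issued 'no' accepted:", is_authorized("sess-1", issued))
    print("edited to 'yes' accepted:", is_authorized("sess-1", tamper(issued)))
```

Keeping the authorization flag in server-side session state and sending only an opaque session id removes the problem entirely; signing is the fallback when the value has to live in the cookie.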
