Thursday, August 15, 2013 Basic Challenge 11 | Shivang Desai

Hi friends,

Here's the last challenge under "Basic" section of  HTS.

The challenge says "Sam decided to make a music site. Unfortunately he does not understand Apache. This mission is a bit harder than the other basics."

I would like to share something here.

You must have heard that "Experience never goes waste". In college, I was trying to develop my website independently. I was not much aware about website development. Finally I chose to go with php and then came across Apache setup.
I was totally new to Apache and in those days I came across a lot about ".htaccess" file. I thought that here in this challenge also it would be playing an important role and ideally it came to be true.

Ok so let's get back to our challenge.

When you enter the challenge "Basic 11", you get a song name.
As I was not aware about how to solve this challenge, I had to visit this particular page of "Basic 11" time and again. I noticed that song name were changing everytime I visited.

After googling the names, I found one thing common in all and that was the name "Elton John"

Keep this name in mind "ELTON" as this is going to be needed further.

Another thing I noticed, in every challenges' url, there was some kind of ".php" file attached to it and it was mostly "index.php"

So I gave a try to append "index.php" with url of this challenge too. The url looked like this:
"" and yeah...I got the password box to be filled with password.

Now, as it was told that Sam was new to Apache and one common mistake newbies' make is the denial of directory traversal.

I started with some random things and tried these :
etc etc etc

Finally at "" , I got into the directory and found another directory named "l" , inside it was "t" and so on. Basically the hidden secret was inside this url : ""

After this /j/o/h/n was not there.
So inside this ( I tried to find ".htaccess" and cool...I found it. (

The usage of .htaccess can be found here.

After accessing .htaccess file, I found another file named "DaAnswer" and inside it was the password.

When I accessed "DaAnswer", it said  "The password is somewhere close! Just look a little harder"

I was like...."What The F***".
I just can't explain what all things I tried with DaAnswer.

I also tried every possible passwords ( on "") related to hackthissite and this challenge.

But if I would have used simple logic, the password was there in front of me. The "DaAnswer" file said "The password is somewhere close" . I tried "somewhere close" as password and tadaaaaaa I was ready to "go on".

This is how smartly (idiotically too :-D ) I solved hackthissite basic challenges.
I know I made mistakes at many places but "learning through mistakes is the best way to learn"

HOPE YOU ENJOYED THE COMPLETE SERIES OF "BASIC" CHALLENGES and I would specially like to thank my friend cum Mentor, Aditya Gupta. Thanks bro..

Thank you.. Basic Challenge 10 | Shivang Desai


Hackthissite basic challenge 10 says that :
"This time Sam used a more temporary and 'hidden' approach to authenticating users, but he didn't think about whether or not those users knew their way around javascript..."

If you look properly, then it would be clear that knowledge of "basic challenge 4 & 5" will be applicable here once again.

The challenge says about "The hidden approach" to authenticate the user. The best way to do this is via "cookies".

Before starting, I just entered random password and submitted it. But the page appeared said that "You are not authorized to...."

So getting back, it was the time to check the cookies.
I used add-on named "Tamper Data" and "Live HTTP Hearders" in firefox. It's not mandatory to use this, I mentioned it as I am comfortable with it. You can also give "Firebug" a shot.

Through "live HTTP Header" , I got the thing shown in image below:

Here we see that we are not authorized as cookie has value "no" for us.
To change this value, you can either use javascript and change it. But I preferred to use addon named "Tamper Data".
Next image shows the view of Tamper Data.(click on image to enlarge it)

After changing the value to "yes", I submitted this request and got through.

BASIC CHALLENGE 10 solved...! Enjoy.

Monday, August 12, 2013 Basic Challenge 9 | Shivang Desai

Hello dear ones,

So what was the cool thing you did today..?? 
If it's morning and you are reading this post, then what is the cool thing you wish to do today ?? 

Ok fine, you want to know about me first?? 
hmmmm, yeah..! I got hands on a framework named "recon-ng". It's a reconnaissance tool and believe me, it's awesome. It's very much similar to metasploit in look and feel. I will write on it soon on my primary blog.

Let's get back with HTS challenge 9. Now this is a challenge I enjoyed a lot till now. It's tricky and awesome.

It says: 

"The password is again hidden in an unknown file. However, the script that was previously used to find it has some limitations. Requirements: Knowledge of SSI, unix directory structure. "

First thing I tried was using the same script that I used in previous challenge ie <!--#exec cmd="ls .."-->
but it din't worked as this command has "<!--" and some kind of validation was applied.

For solving this challenge, two things helped me to get a spark in my mind.
1. HTS has said to have knowledge of directory structure
2. the file was stored in "/missions/basic/9/"

Reaching at this file was a big deal as the textbox provided in the challenge was validating our input.

So I tried to get there indirectly.
By modifying the previous challenge's command of SSI, I achieved it.

Look at the pic below and everything will be crystal clear.
It's a directory structure basic challenges.

Now, through challenge 8 we reached inside tmp folder. It's time to reach to "our target".

IMPORTANT NOTE:- this is all done through challenge-8's interface.

I went in challenge 8's interface and typed following command in first textbox:
<!--#exec cmd="ls ../../9/"-->

This is doing nothing more than traversing back 2 directories and then getting inside directory named "9".
Here we will get our password file. 

[Challenge-8 interface's work is over.]

Now copy&paste our password file's name under this url :

Challenge 9 solved...Now two more to go...

Bye... I hope this was well understood... :-) Basic Challenge 8 | Shivang Desai

Hi pals,

Here I present challenge 8 of HTS.
It says "The password is yet again hidden in an unknown file. Sam's daughter has begun learning PHP,......."

HTS has clearly mentioned that knowledge of SSI(Server-Side Includes) is needed.

Frankly speaking, I was not knowing about it.
When I searched for it I got to know that its a server-side scripting language and is basically used to include contents of one or more files into the webpage on webserver. Wow, interesting.

links to SSI - and

Now let's get back to HTS challenge interface.
According to the idea of previous challenge, I tried this--> In first textbox, I typed "5h1vang; ls" but the same thing was displayed what I typed.

Then the idea of SSI was clear and got idea that I will have to execute the "ls" command on server using SSI.
So I tried like mentioned below:
<!--#exec cmd="ls .."-->

Tadaaaa.. I got the same scenario as previous challenge and strange named file was infornt of me.

Just copied the file and appended it in url and I got the password.

Thanks--- Basic Challenge 7 | Shivang Desai

Hello friends,

Here's the Challenge 7 of HTS(HackThisSite).

"The password id hidden in an unknown file, and Sam has set up a script to display a calender. Requirements: Basic UNIX command knowledge"

When I entered a year in first textbox of this challenge, then some command(UNIX command) got executed through "" and it displayed calender of that year.

Now, in "Requirements", they have written that knowledge of UNIX command is required.

First thing that came in my mind was a short list of UNIX command which included following.
and some others. But none was useful except "ls".

The description of challenge 7 says that Sam has kept that file in same directory where "" was present.

According to the scenario, only one command fits and that is "ls" as we want to see other files present in this very directory.

Finally the idea was clear.

I just typed in "2013; ls" in first textbox and clicked "Submit". (";[semicolon]" after 2013 was used to tell the server that one command is over and another command has started, which in our case is "ls")

There was the solution and I got list of all files present in that directory.

Note:- files will also be displayed even if you type this "; ls" (without quotes)

Here you will find a .php file with strange name.
Just copy & paste this file and your url will look like this :

I got the .php file named "k1kh31b1n55h.php".
Just hit enter and voila....there was your password.

I hope the explanation was proper.


Thursday, July 25, 2013 Basic Challenge 6 | Shivang Desai

Hello guys,

I know its been a while I last posted.
Here's the 6th challenge of HTS.

"Network Security Sam has encrypted his password. The encryption system is publically available and can be accessed with this form:"

We are provided with the encryption method but not directly. We can find out how the encryption algorithm works by entering any normal text and it will give us the encrypted text.

I tried with with "abcdefghijklmnopqrstuvwxyz"  but unfortunately I don't know why, it din't turned out to be anything. I immediately came to know that it does not accept very long passwords.

However, I wanted to test the encryption algorithm, so I kept my try going on and found that it accepted "abcdefghijkl".

Finally I entered "abcdefgh" and I got encrypted text as "acegikmo"

The below pic will explain the scenario more clearly.

I hope this would be readable.
So here in middle was the logic.
Every letter was incremented from zero to 1 to 2 and so on.

Now I just took the password provided by hackthissite and applied reverse logic to the encrypted password.

Due to the presence of symbols in the password, I took help of ASCII table and applied the logic.

Next pic shows the logic and how I got the password.

Thank you.

I will post next solutions soon. :-) 

Tuesday, June 25, 2013 Basic Challenge 5 | Shivang Desai

Hi guys,

Here's the basic challenge 6 of

Sam has gotten wise to all the people who wrote their own forms to get the password. Rather than actually learn the password, he decided to make his email program a little more secure.

This time I tried the same as challenge 4 solution but it gave me an error of “invalid referrer”
There was no hint but soon I noticed one at main page of basic challenges.

It said “Requirements: HTML knowledge, JS or FF, an email address.”
The “page source” thing did not worked directly for me.
We had to somehow change the form value and set it to our desired value.
So from three things :- HTML knowledge, JS and email address two things were already cleared.

We already have an email address and we know that basic HTML was not going to work. The single thing remaining was JS (javascript). 
After some research on internet I found how we will have to insert the “value”.

javascript:alert(document.forms[0].to.value="your email address")

According to the DOM principles, if there are more than one forms on a document then they are recognized by forms[0], forms[1],forms[2] etc.

Now we needed to change to “value” of first form as that’s what we needed.
I just copy pasted that javascript statement and a pop-up of the email address entered will be seen.
As soon as you click “ok” on the pop-up, you will be redirected to same page ie

That’s it. We have set the value and now you just need to click the button “Send Password to Sam” again.

You will get the page displaying password.

Copy and paste this password in the textbox and click "submit"...

Thursday, June 20, 2013 Basic Challenge 4 | Shivang Desai

Hi guys,

How's life going !!?

Lets have a talk about challenge 4.

"This time Sam hard-coded the password into the script. However, the password is long and complex, and Sam is often forgetful. So he wrote a script that would email his password to him automatically in case he forgot. Here is the script"

I went to the "page source" and looked at functionality exhibited on button named "Send password to Sam".

I found below code -

<form action="/missions/basic/4/level4.php" method="post">

  <input type="hidden" name="to" value="" />
  <input type="submit" value="Send password to Sam" />

I tried with the direct url as was the case with previous challenge (challenge 3)

"" but it din't worked 
and gave error of invalid email.

After searching for that domain "", it was found that there is no such domain.

I thought to supply proper email.

This is what I did.

Saved the page-source of this page (with .html as extension)- 

After saving it, I changed the value from "" to a proper email address. Type your own email address if you want to.

I double clicked this saved file. The same page as of challenge-4 was displayed. 
Now click on the button "Send password to Sam" and you will directly get the

Copy-paste this password in the password textbox and submit.

Enjoy....! Basic Challenge 3 | Shivang Desai

Hi guys,

I am enjoying a lot and here's the third challenge.
In this post I will show what I tried and how I solved.

The challenge says "This time Network Security Sam remembered to upload the password file, but there were deeper problems than that."

I wrote about this password file logic in previous post. (click here to have a look at previous blog)

Now we had a file from where our password (user entered password) was going to be compared.

How I solved it ?

First I looked at the "page source" , there was no direct clue but a hidden field with value as "password.php".
This was the main thing to be noticed.

At the first glance, I was a little bit confused and knew that php is server side so there is nothing to be found in "page source".

So what I did was that I googled "Top vulnerabilities in php". It was a blind shot but believe me, sometimes common sense really works.

I found a vulnerability named "Reveal Source Code". As soon as I read this line, I remembered a thing which I faced while making my own website.
The logic was such that you can't see the php code in "page source" as it is server side. But if you know the name of the php file then you can directly view it with address bar.

So here's the shot -
I knew from hidden value that php file was "password.php" and very time I came across this link ""
so I tried the same with password.php instead of index.php

AND TADAAA....! I got the password


Finally, just copy pasted it and challenge-3 was solved.

Enjoy... I hope this post could be helpful to someone needy. :-)

Wednesday, June 19, 2013 Basic Challenge 2 | Shivang Desai

Hi guys,

Here's the second challenge of Basic Missions.

The challenge says "Network Security Sam set up a password protection script. He made it load the real password from an unencrypted text file and compare it to the password the user enters. However, he neglected to upload the password file..."

The scenario Sam wanted to create was as shown below.

But note one important thing. The last line in challenge description says  "However, he neglected to upload the password file..."

I thought that if the file was not uploaded then where the password was getting checked from?
There should be something from where user password could be compared. But here the unencrypted file was not present at all.

The logic was simple. There was nothing from where the comparison could take place which meant that anything you enter, you will get an error message.

I thought that instead of "anything" why not try "nothing" which means a blank password.
And worked.
I exactly don't know the logic but as there was nothing for comparision, by default blank password was accepted.

Its certain that we don't get things at first instance and in the field of hacking, if you got things easily then you are definitely playing a game and not hacking.

First I tried to look at "page source" as challenge 1 was totally related to it.

Secondly, I tried with simple authentication bypass and entered 0'or'0'='0. BUT this din't worked and it was certain that it won't work as there was no SQL involved here.

I tried with some basic passwords that could be possible. Like "Sam", "password", "HTS", etc etc....


Tuesday, June 18, 2013 Basic Challenge 1 | Shivang Desai

Hey guys,

I was going through some well known hacking guides and recently I completed a small certification in security field.

Now after having enough knowledge, I felt like keeping this knowledge into practical zone.
But I personally feel, if you get onto Internet without any proper intentions, you will get lost as a newbie in a totally unknown country.

Recently I found vulnerabilities in some good websites but you can't exactly test your skills there on live websites. If something goes wrong then you can get into serious trouble. If its google or facebook which are always open for bounties, then there is no need to worry. But again its not easy to test "basic" things on hi-techies like google or facebook. You will end up with total loss as they are not that mad to keep vulnerabilities open for us.

I was a little bit confused but got a clear idea from a good friend - Aditya Gupta, a well-known guy in the field of security with expertise in mobile security and many more things. He is always there to help me and I can guarantee a way out.

He suggested me to go to this site "hackthissite" and practice. I heard about it earlier but now its the time to start bringing the knowledge into practical zone.

You will just have to register and get started with challenges. But I suggest to go through this site. It has sections like :

  • "Challenges"
  • "Get Informed"
  • "Get Involved"
  • "Communicate"
  • "About HTS" - definitely have a glance.
After this, you can get started with challenges. 
----------------------------------------------------------------------------------------- - Basic Challenge 1

Today I started with  "Basic Missions" under the "Challenges" section. 
First Test (or challenge) was "Basic 1" also known as "The Idiot Test" and it is actually "idiot test".  :-D

After completing I was feeling really good and feeling an idiot too. Why ??
No ! If you are thinking "How can hackthissite (HTS) design such an idiot test?" then please don't think so.

HTS has designed with an intention behind it. 

I tried my hard to do some idiotic things in such a basic test (idiotic as compared to what was needed here) and so am saying that I was feeling like an idiot.
I tried these things :
  • tried BURP proxy
  • tried brute force [ I can't say what all I tried .. :-D ;-D]
  • completely scanned that page for any hint.
Here's how I solved
HTS says that you need to learn HTML for cracking this challenge. The hint was there infront of me.

You just had to see the page source and tadaaa it was done. 

Just go and look at the "page source" of the page. Find the word "password" . You will see something like this screenshot.

That's it. Enter this password into the challenge field and you are set going for next challenge.

I just loved my first day with HTS challenge. Complete experience is going to be just awesome. 

I will be posting other challenges solutions and problems that I faced during solving the challenge. 
I will surely post any idiotic things too that I did during challenges... lol.. ;-)

Sunday, March 24, 2013

The Incredible Internet - Deep Web

Hello everyone.
This is my new blog but the old one is still active and will always remain active(
On this blog, I will be posting things purely related to hacking and cyber-space.

Let me ask you one thing : Do you feel like you are the person who knows everything about Internet ?
Do you know each and every social networking site on Internet ?

Do you know every music related website whether its MOG, Pandora, GrooveShark, Spotify, Zumocast or ?

Do you know every photo sharing sites like pinterest, Flickr, Instagram, Pixlr or Pixenate ?

There are still various categories on the Internet and if we come to know few things, we celebrate saying that we know so much about the Virtual World - The Internet.

If your answer was "YES" for the above questions then too you I would say that you have only come across "The Surface Web" which is just 4% of Internet. 
Let me introduce to you "The Deep Web" , the 96% of the Internet.

In this world of Cyber-Terrorism and Cyber-Warfare, it is very important to be well known about Internet.

In the days when I didn’t knew much about hacking, I heard from somewhere that there are places on the internet which do exists but not many are aware about it. These places are nothing but web-pages and web-services.

In those days I failed to give a proper proof as I myself was not clearly confident. But recently I read an eye-opener article (author: Pierluigi Paganini)  shared by Robert Rodriguez.

This article proved to me that these dark places do exists in the Cyber-World. I would like to share few things from the article which I felt like every internet geek should certainly know.
The name given to these inaccessible place is the “The Deep Web”.

“Deep Web”, also known as “hidden web”, is a term that evokes the unknown, a mysterious place in the cyber space populated by criminals and hackers that is not accessible to ordinary people.
For those who are still not clear with the term, let me explain you in more detail –
The Deep Web is a collection of information resources located on the World Wide Web not indexed by search engines(The reason behind why they don't appear in search-engine results is properly explained in the article whose reference is at the end of this blog post).

Characteristics of Deep Web.
The principal characteristic and purpose of the Deep Web is the “anonymity”.
At the first instance, looking at the term “anonymity”, you will think that Deep Web is related to Cyber-Criminals. Of course, total anonymity attracts criminal industries that are migrating various activities in the hidden web. In the recent months, the number of underground markets that sell any kind of odd, from drugs to weapons has grown exponentially.

Apart from Cyber-Criminals, the Deep Web and the service hidden in its resources are also largely used by governments, in particular by intelligence agencies and military to exchange documents secretly and by journalists to bypass censorship established by dictatorial regimes to suppress internal dissidents.

After reading this, a question must have arose:
“How are individuals tracked on the web and how is it possible to make a user anonymous online?”
Well, the most popular anonymizing network is Tor, The Onion Router, a system managed by US Naval Research Laboratory from 2004 to 2005 to enable online anonymity.

Using a Tor client software, a user is able to surf in Tor Network, which is the best way to navigate in the deep web using Tails OS distribution which is bootable OS that doesn’t leave a trace of user’s machine.
Tail OS -

Now so you are ready to get into the deep web, make some pre-requisites clear. Once you enter the deep web, it is easy to get lost which is why it is essential to keep in mind the references that can help navigation.
One more thing to keep in mind is that you will not find search engines like Google or Bing.

Typically, users proceed in the navigation jumping from list of navigable URL proposed by more or less known sites, collection of Wikis and BBS-like sites have the main purpose to aggregate links, categorizing them in more suitable groups of consulting.

Another difference that users immediately note is the format of web site URLs.Instead of classic extensions (e.g. .com, .gov) the domains in the Deep Web generally end with the .onion suffix, .onion-URLs are used to identify hidden services. Addresses in the .onion pseudo-TLD are 16-character alpha-semi-numeric hashes which are automatically generated based on a public key when the hidden service is configured. These 16-character hashes can be made up of any letter in the alphabet, and decimal digits beginning with 2 and ending with 7, thus representing an 80-bit number in base32.

This .onion-URL isn’t used only to refer the hidden service, it also offers service authentication. Only one specific hidden service is associated to this identifier and no one can forge or spoof it because an 80 bit number actually is a part of the hash of the public key of the hidden service and the public key is strongly related to its private key.Now that reader has understood what the meaning for this strange sequence of characters representative of onion addressed, let provide few interesting info that could allow him to move first step in the obscurity of the Deep Web.

The Wikies:-
Wikies are most precious resources in the Deep Web, especially for those individuals that have no fixed references for their researches, they are collections of URLs related to various topics arranged in categories to improve the consultation. Most popular, but not the only one is the Hidden Wiki, it is a mine of information and links to allow wide researched in the Deep Web.
The wiki offer an impressive quantity of URLs related to raw contents and discussion pages. The web site appears very friendly to visitors that once located the section of interest, representative of a specific thematic area, could browse to the links listed.
Users could easily find content related to hacking, hacktivism, market places, commercial services and forums and a specific session for services arranged for geographic areas.

TorDir is another collection of onion links arranged in various categories such as Business, Hacking and Related and Social. Also, this site is very easy to consult; users can share links registering and adding new ones, the website also proposes a search engine to help users to find resources in the TorNetwork.

Another precious resource is“TorLinks | .onion Link List”, an interesting collection of links organized in categories for a very simple consultation.

(NOTE: It is strongly recommended to use the TOR clients to access the Deep Web) 

This blog-post was an abstract of the complete article.
I suggest you to read the complete article at

Author of the original article is Pierluigi Paganini [pierluigi.paganini(at)securityaffairs(dot)co]