Wednesday, June 19, 2013

hackthissite.org Basic Challenge 2 | Shivang Desai

Hi guys,

Here's the second challenge of hackthissite.org- Basic Missions.

The challenge says "Network Security Sam set up a password protection script. He made it load the real password from an unencrypted text file and compare it to the password the user enters. However, he neglected to upload the password file..."

The scenario Sam wanted to create was as shown below.

But note one important thing. The last line in challenge description says  "However, he neglected to upload the password file..."

I thought that if the file was not uploaded then where the password was getting checked from?
There should be something from where user password could be compared. But here the unencrypted file was not present at all.

The logic was simple. There was nothing from where the comparison could take place which meant that anything you enter, you will get an error message.

I thought that instead of "anything" why not try "nothing" which means a blank password.
And TADAAAA......it worked.
I exactly don't know the logic but as there was nothing for comparision, by default blank password was accepted.


---------------------------------------------------------------------------------------------------------
THINGS I TRIED...!!
Its certain that we don't get things at first instance and in the field of hacking, if you got things easily then you are definitely playing a game and not hacking.

First I tried to look at "page source" as challenge 1 was totally related to it.

Secondly, I tried with simple authentication bypass and entered 0'or'0'='0. BUT this din't worked and it was certain that it won't work as there was no SQL involved here.

I tried with some basic passwords that could be possible. Like "Sam", "password", "HTS", etc etc....

-----------------------------------------------------------------------------------------------------------


No comments:

Post a Comment