Thursday, August 15, 2013

hackthissite.org Basic Challenge 11 | Shivang Desai

Hi friends,

Here's the last challenge under "Basic" section of  HTS.

The challenge says "Sam decided to make a music site. Unfortunately he does not understand Apache. This mission is a bit harder than the other basics."

I would like to share something here.

You must have heard that "Experience never goes waste". In college, I was trying to develop my website independently. I was not much aware about website development. Finally I chose to go with php and then came across Apache setup.
I was totally new to Apache and in those days I came across a lot about ".htaccess" file. I thought that here in this challenge also it would be playing an important role and ideally it came to be true.

Ok so let's get back to our challenge.

When you enter the challenge "Basic 11", you get a song name.
As I was not aware about how to solve this challenge, I had to visit this particular page of "Basic 11" time and again. I noticed that song name were changing everytime I visited.

After googling the names, I found one thing common in all and that was the name "Elton John"

Keep this name in mind "ELTON" as this is going to be needed further.

Another thing I noticed, in every challenges' url, there was some kind of ".php" file attached to it and it was mostly "index.php"

So I gave a try to append "index.php" with url of this challenge too. The url looked like this:
"https://www.hackthissite.org/missions/basic/11/index.php" and yeah...I got the password box to be filled with password.

Now, as it was told that Sam was new to Apache and one common mistake newbies' make is the denial of directory traversal.

I started with some random things and tried these :
https://www.hackthissite.org/missions/basic/11/password
https://www.hackthissite.org/missions/basic/11/pwd
https://www.hackthissite.org/missions/basic/11/help
https://www.hackthissite.org/missions/basic/11/abc
https://www.hackthissite.org/missions/basic/11/hack
https://www.hackthissite.org/missions/basic/11/elton
https://www.hackthissite.org/missions/basic/11/john
https://www.hackthissite.org/missions/basic/11/a
https://www.hackthissite.org/missions/basic/11/b
.
.
.
etc etc etc

Finally at "https://www.hackthissite.org/missions/basic/11/e" , I got into the directory and found another directory named "l" , inside it was "t" and so on. Basically the hidden secret was inside this url : "https://www.hackthissite.org/missions/basic/11/e/l/t/o/n"

After this /j/o/h/n was not there.
So inside this (https://www.hackthissite.org/missions/basic/11/e/l/t/o/n/) I tried to find ".htaccess" and cool...I found it. (https://www.hackthissite.org/missions/basic/11/e/l/t/o/n/.htaccess)


The usage of .htaccess can be found here.

After accessing .htaccess file, I found another file named "DaAnswer" and inside it was the password.

When I accessed "DaAnswer", it said  "The password is somewhere close! Just look a little harder"

I was like...."What The F***".
I just can't explain what all things I tried with DaAnswer.

I also tried every possible passwords ( on "https://www.hackthissite.org/missions/basic/11/index.php") related to hackthissite and this challenge.

But if I would have used simple logic, the password was there in front of me. The "DaAnswer" file said "The password is somewhere close" . I tried "somewhere close" as password and tadaaaaaa I was ready to "go on".

This is how smartly (idiotically too :-D ) I solved hackthissite basic challenges.
I know I made mistakes at many places but "learning through mistakes is the best way to learn"

HOPE YOU ENJOYED THE COMPLETE SERIES OF "BASIC" CHALLENGES and I would specially like to thank my friend cum Mentor, Aditya Gupta. Thanks bro..

Thank you..

hackthissite.org Basic Challenge 10 | Shivang Desai

Hello,

Hackthissite basic challenge 10 says that :
"This time Sam used a more temporary and 'hidden' approach to authenticating users, but he didn't think about whether or not those users knew their way around javascript..."

If you look properly, then it would be clear that knowledge of "basic challenge 4 & 5" will be applicable here once again.

The challenge says about "The hidden approach" to authenticate the user. The best way to do this is via "cookies".

Before starting, I just entered random password and submitted it. But the page appeared said that "You are not authorized to...."

So getting back, it was the time to check the cookies.
I used add-on named "Tamper Data" and "Live HTTP Hearders" in firefox. It's not mandatory to use this, I mentioned it as I am comfortable with it. You can also give "Firebug" a shot.

Through "live HTTP Header" , I got the thing shown in image below:



Here we see that we are not authorized as cookie has value "no" for us.
To change this value, you can either use javascript and change it. But I preferred to use addon named "Tamper Data".
Next image shows the view of Tamper Data.(click on image to enlarge it)


After changing the value to "yes", I submitted this request and got through.

BASIC CHALLENGE 10 solved...! Enjoy.





Monday, August 12, 2013

hackthissite.org Basic Challenge 9 | Shivang Desai

Hello dear ones,

So what was the cool thing you did today..?? 
If it's morning and you are reading this post, then what is the cool thing you wish to do today ?? 

Ok fine, you want to know about me first?? 
hmmmm, yeah..! I got hands on a framework named "recon-ng". It's a reconnaissance tool and believe me, it's awesome. It's very much similar to metasploit in look and feel. I will write on it soon on my primary blog.


Let's get back with HTS challenge 9. Now this is a challenge I enjoyed a lot till now. It's tricky and awesome.

It says: 

"The password is again hidden in an unknown file. However, the script that was previously used to find it has some limitations. Requirements: Knowledge of SSI, unix directory structure. "

First thing I tried was using the same script that I used in previous challenge ie <!--#exec cmd="ls .."-->
but it din't worked as this command has "<!--" and some kind of validation was applied.

For solving this challenge, two things helped me to get a spark in my mind.
1. HTS has said to have knowledge of directory structure
2. the file was stored in "/missions/basic/9/"

Reaching at this file was a big deal as the textbox provided in the challenge was validating our input.

So I tried to get there indirectly.
By modifying the previous challenge's command of SSI, I achieved it.

Look at the pic below and everything will be crystal clear.
It's a directory structure hackthissite.com basic challenges.



Now, through challenge 8 we reached inside tmp folder. It's time to reach to "our target".

IMPORTANT NOTE:- this is all done through challenge-8's interface.

I went in challenge 8's interface and typed following command in first textbox:
<!--#exec cmd="ls ../../9/"-->

This is doing nothing more than traversing back 2 directories and then getting inside directory named "9".
Here we will get our password file. 

[Challenge-8 interface's work is over.]

Now copy&paste our password file's name under this url :
"http://www.hackthissite.org/html/missions/basic/9/YOUR_PASSWORD_FILE"

Challenge 9 solved...Now two more to go...

Bye... I hope this was well understood... :-)

hackthissite.org Basic Challenge 8 | Shivang Desai


Hi pals,

Here I present challenge 8 of HTS.
It says "The password is yet again hidden in an unknown file. Sam's daughter has begun learning PHP,......."

HTS has clearly mentioned that knowledge of SSI(Server-Side Includes) is needed.

Frankly speaking, I was not knowing about it.
When I searched for it I got to know that its a server-side scripting language and is basically used to include contents of one or more files into the webpage on webserver. Wow, interesting.

links to SSI -
http://en.wikipedia.org/wiki/Server_Side_Includes and
http://www.javascriptkit.com/howto/ssi.shtml

Now let's get back to HTS challenge interface.
According to the idea of previous challenge, I tried this--> In first textbox, I typed "5h1vang; ls" but the same thing was displayed what I typed.

Then the idea of SSI was clear and got idea that I will have to execute the "ls" command on server using SSI.
So I tried like mentioned below:
<!--#exec cmd="ls .."-->

Tadaaaa.. I got the same scenario as previous challenge and strange named file was infornt of me.

Just copied the file and appended it in url and I got the password.

Thanks---

hackthissite.org Basic Challenge 7 | Shivang Desai

Hello friends,

Here's the Challenge 7 of HTS(HackThisSite).

"The password id hidden in an unknown file, and Sam has set up a script to display a calender. Requirements: Basic UNIX command knowledge"

When I entered a year in first textbox of this challenge, then some command(UNIX command) got executed through "cal.pl" and it displayed calender of that year.

Now, in "Requirements", they have written that knowledge of UNIX command is required.

First thing that came in my mind was a short list of UNIX command which included following.
-cat
-echo
-ls
-cd
and some others. But none was useful except "ls".

The description of challenge 7 says that Sam has kept that file in same directory where "cal.pl" was present.

According to the scenario, only one command fits and that is "ls" as we want to see other files present in this very directory.

Finally the idea was clear.

I just typed in "2013; ls" in first textbox and clicked "Submit". (";[semicolon]" after 2013 was used to tell the server that one command is over and another command has started, which in our case is "ls")

There was the solution and I got list of all files present in that directory.

Note:- files will also be displayed even if you type this "; ls" (without quotes)

Here you will find a .php file with strange name.
Just copy & paste this file and your url will look like this :
"https://www.hackthissite.org/missions/basic/7/k1kh31b1n55h.php"

I got the .php file named "k1kh31b1n55h.php".
Just hit enter and voila....there was your password.

I hope the explanation was proper.

Thanks.....:-)


Thursday, July 25, 2013

hackthissite.org Basic Challenge 6 | Shivang Desai

Hello guys,

I know its been a while I last posted.
Here's the 6th challenge of HTS.

"Network Security Sam has encrypted his password. The encryption system is publically available and can be accessed with this form:"

We are provided with the encryption method but not directly. We can find out how the encryption algorithm works by entering any normal text and it will give us the encrypted text.

I tried with with "abcdefghijklmnopqrstuvwxyz"  but unfortunately I don't know why, it din't turned out to be anything. I immediately came to know that it does not accept very long passwords.

However, I wanted to test the encryption algorithm, so I kept my try going on and found that it accepted "abcdefghijkl".

Finally I entered "abcdefgh" and I got encrypted text as "acegikmo"

The below pic will explain the scenario more clearly.


I hope this would be readable.
So here in middle was the logic.
Every letter was incremented from zero to 1 to 2 and so on.

Now I just took the password provided by hackthissite and applied reverse logic to the encrypted password.

Due to the presence of symbols in the password, I took help of ASCII table and applied the logic.

Next pic shows the logic and how I got the password.



Thank you.

I will post next solutions soon. :-) 

Tuesday, June 25, 2013

hackthissite.org Basic Challenge 5 | Shivang Desai

Hi guys,

Here's the basic challenge 6 of hackthissite.org

Sam has gotten wise to all the people who wrote their own forms to get the password. Rather than actually learn the password, he decided to make his email program a little more secure.

This time I tried the same as challenge 4 solution but it gave me an error of “invalid referrer”
There was no hint but soon I noticed one at main page of basic challenges.

It said “Requirements: HTML knowledge, JS or FF, an email address.”
The “page source” thing did not worked directly for me.
We had to somehow change the form value and set it to our desired value.
So from three things :- HTML knowledge, JS and email address two things were already cleared.

We already have an email address and we know that basic HTML was not going to work. The single thing remaining was JS (javascript). 
After some research on internet I found how we will have to insert the “value”.

javascript:alert(document.forms[0].to.value="your email address")

According to the DOM principles, if there are more than one forms on a document then they are recognized by forms[0], forms[1],forms[2] etc.

Now we needed to change to “value” of first form as that’s what we needed.
I just copy pasted that javascript statement and a pop-up of the email address entered will be seen.
As soon as you click “ok” on the pop-up, you will be redirected to same page ie
“https://www.hackthissite.org/missions/basic/5/”

That’s it. We have set the value and now you just need to click the button “Send Password to Sam” again.


You will get the page displaying password.

Copy and paste this password in the textbox and click "submit"...