Mission introduction:

Disable Javascript
faith had made a redirect script and logout with javascript to keep hackers away

In order to disable javascript in Firefox you have to go to Tools->Options… and then Content tab. And uncheck the box next to Enable javascript.

Now you should click on the link Take this challenge, and after that win this challenge.Similar Posts:

• Javascript Missions 1 :: Idiot Test
• Basic web hacking 7 :: double login
• Javascript Missions 5 :: Escape!
• hackthissite.org basic 1 :: password is
• Basic web hacking 9 :: null poison byte

Introduction to mission gives us clue that Billy is used to Visual Basic code and therefore we probably need to search for difference in the code, that in fact is syntax similar to VB.

So Bill Gates was tired of VisualBasic and now did some Perl, too bad; this script has a security flaw that allows everyone access to the company records! Fix the flaw for him!

Source code we have to examine:

#!/usr/bin/perl
 
<a href="http://perldoc.perl.org/functions/chomp.html">chomp</a>(my $User = `/usr/bin/whoami`);
 
<a href="http://perldoc.perl.org/functions/print.html">print</a> "Checking your access level...\n";
 
if ($User == 'BillGates')
{
<a href="http://perldoc.perl.org/functions/print.html">print</a> "Authorized! Here are the company records:\n" . `cat /home/BillGates/CompanyRecords.db`;
<a href="http://perldoc.perl.org/functions/die.html">die</a>("Closing...\n");
}
 
<a href="http://perldoc.perl.org/functions/die.html">die</a>("You're not authorized!\n");

Examining source code brought the following line of code to my notice.

if ($User == 'BillGates')

So we have to check whether in perl Strings are compared with “==” syntax. From the list of perl comparators you will notice that Billy should have used eq instead of “==”.

So solution is:

if ($User eq 'BillGates')

Similar Posts:

• Basic web hacking 11 :: User Agents II
• JavaScript Challenge 13 :: Cookie
• Basic web hacking 12 :: include me in
• hack-test.com 7 :: examine source code
• How to use Netbeans and Google code

Mission introduction:

This site in run by a new sysadmin who does not know much about web configuration
The script is located at http://moo.com/moo.php

Attempt to make the script think you are authed by entering the correct URI.

Here is the script (me.php):

Script we have to exploit:

<?php
$user = $_GET['user'];
$pass = $_GET['pass'];
if (isAuthed($user,$pass))
{
$passed=TRUE;
}
if ($passed==TRUE)
{
echo 'you win';
}
?>
<form action="me.php" method="get">
<input type="text" name="user" />
<input type="password" name="pass" />
</form>
<?php
function isAuthed($a,$b)
{
return FALSE;
}
?>

Now notice that form is passing parameters trough get method. This means that if server is not configured correctly or using global variables we can change any other variable in the code by entering it in the URL. However, before we proceed we have to exam code.

Method isAuthed always returns FALSE.  Therefore we cannot enter combination of username and password that will authenticate us. The third variable $passed is in fact control variable. If this variable is set to TRUE we win. Now we have to figure out how to change URL to change variable passed to TRUE.

From introduction we know that script is located on: http://moo.com/moo.php so to pass variable trough GET we attach ?passed=somevalue. And passed will have value somevalue.

So the final URL is:

http://moo.com/moo.php?passed=TRUE

Similar Posts:

• hackthissite.org basic 2 :: password is not
• Basic web hacking 5 :: asterix the wildcard
• Keylogger in C# :: Hooking and unhooking keyboard hook
• Basic Web Hacking 1 :: Simple Enter Pass
• hackertest.net level 2 :: Analysis Sherlock

Notice in the introduction of the mission the very last line:

Often times you will need to decipher a language which you can not find on google, or is encrypted in some way
I have made up a language for you to decipher. This is slightly harder. What is the output of this program?
This is a REAL language with REAL rules. This is practice for obfustication or encrypted functions.

{user types 6,7}

Doesn’t it resambles call to function with parameters 6 and 7!

Now function would look like the following:

BEGIN F.ake
var int as in
int var as in
out var int

BEGIN F.ake is the beginning of the function execution.

var int as in represents assignment of first parameter to variable var

int var as in represents assignment of second parameter to variable int

out var int represents output of variables var and int in this case it is 67Similar Posts:

• hackthissite.org extbasic 3 :: Finda Fake 1
• hackthissite.org extbasic 6 :: Sucky Sysadmin
• hackertest.net level 1 :: Cover up basics
• hackertest.net level 2 :: Analysis Sherlock
• hackertest.net level 3 :: Same but different

Often times you will need to decipher a language which you can not find on google, or is encrypted in some way
I have made up a language for you to decipher. What is the output of this program?

Obscure source code we have to figure out is:

BEGIN notr.eal
CREATE int AS 2
DESTROY int AS 0
ANS var AS Create + TO
out TO

However you have to notice that it is not similar to any language you might know. Let’s anlyise it line by line of course the way I figure it out.

BEGIN notr.eal represents beginning of the function

CREATE int AS 2 as far as I see it is adding 2 to the variable int

DESTROY int AS 0 is adding 0 to the variable int

ANS var AS Create + TO reading the last value from the stack and that is 20 and passing it inverse to the variable TO which has now value 02

out TO is outputting 02 out.Similar Posts:

• hackthissite.org extbasic 4 :: Finda Fake 2
• hackertest.net level 1 :: Cover up basics
• hackthissite.org extbasic 6 :: Sucky Sysadmin
• JavaScript Challenge 7 :: Jump over
• hackthissite.org basic 2 :: password is not

In introduction:

You have this function, provide the value which must be POST-ed as filename to obtain the desired results:
Get the source code of hackthissite.org/index.php
here is the function:

We have to  find vulnerability in the following code:

So we have to find way to see code of the file on server. From the source code we may see that file to be opened is created merging strings using the name of the file and extension. So we have to enter correct name in the box to see file. Basically correct name is index since .php will be attached later in function call.

Now the problem is to solve how to traverse us into the root directory. We will do this by putting ../../ in front of the index. Since ../ returns us one directory back.

Because if you try to put anything in the box you will obtain URL similar to the following one:

http://www.hackthissite.org/missions/extbasic/template.php?lvl=2&pass=

So you may notice that we are in the directory missions/extbasic/. Using ../ will return us two directories back to root directory.

So final combined solution is:

../../index

Similar Posts:

• hackthissite.org basic 11 :: Music collection
• hackthissite.org basic 8 :: SSI
• hackthissite.org basic 9 :: tricky easy not
• Tutorials
• hackthissite.org Application 3 :: 127.0.0.1

Introduction is also fairly easy.

You have to give input to a C program which gives you the length of the string. How would you crash it?
here is the function:

void blah(char *str)
{
char lol[200];
strcpy(lol, str);
}


Now you have to understand some of C to understand this Here we have short function that accepts string as array of chars or to be exact pointer on the first character in the series.

First line of code defines new array with length of 200 characters.

Second line of code copies str array into lol array. However, if str array is longer then lol array program will crash. So you simply have to enter more then 200 characters into the text box and you will crash it.

Here is sample string with 201 characters

123451234512345123451234512345123451234512345123451234512345123451234512345123451234512345123451234512345123451234512345123451234512345123451234512345123451234512345123451234512345123451234512345123459

With regards,

AxSimilar Posts:

• Javascript Missions 3 :: Math time
• How to obtain get parameters from URL with javascript
• Keylogger in C# :: Saving content
• hackthissite.org extbasic 4 :: Finda Fake 2
• hack-test.com 3 :: link colour

hackthissite.org basic 1 :: password is

hackthissite.org basic 2 :: password is not

hackthissite.org basic 3 :: password.php

hackthissite.org basic 4 :: email to admin

hackthissite.org basic 5 :: email to admin II

hackthissite.org basic 6 :: encryption system

hackthissite.org basic 7 :: calendar is it!

hackthissite.org basic 8 :: SSI

hackthissite.org basic 9 :: tricky easy not

hackthissite.org basic 10 :: My cookie your cookie

hackthissite.org basic 11 :: Music collection

Have fun learning and solving missions.Similar Posts:

• Tutorials
• hackthissite.org basic 3 :: password.php
• hackthissite.org basic 11 :: Music collection
• hackthissite.org basic 7 :: calendar is it!
• Basic web hacking 7 :: double login

Sam decided to make a music site. Unfortunately he does not understand Apache. This mission is a bit harder than the other basics.

Now when you open the first page you will receive message similar to this one:

I love my music! “Lovesick ” is the best!

Sooner or later you will figure out that all these songs are written by Elton John.

Next step for me was to try index.php since it basically is default web page, and in case it is not up on default settings we should see content of the web folder directory. If you enter following URL you will have ability to enter answer but what answer is we will find later on.

http://www.hackthissite.org/missions/basic/11/index.php

Now we have to find correct directory listings. And after drill down trough forums I found hint that one should do his abc’s. So after several attempts I managed to find out the following directory:

http://www.hackthissite.org/missions/basic/11/e/l/t/o/n/

Another thing since there was nothing listed was to check .htaccess file.

http://www.hackthissite.org/missions/basic/11/e/l/t/o/n/.htaccess

IndexIgnore DaAnswer.* .htaccess

order allow,deny
allow from all

From this file we are able to figure out that DaAnswer directory is hidden from directory structure. So let’s traverse to that directory. On the following URL:

http://www.hackthissite.org/missions/basic/11/e/l/t/o/n/DaAnswer

You will find something similar to the following sentence:

The answer is somewhere close! Just look a little harder.

Notice that in this case answer is: somewhere close they were playing some trick on us.Similar Posts:

• hackthissite.org extbasic 2 :: Extension blocking
• Basic web hacking 12 :: include me in
• hackthissite.org basic 9 :: tricky easy not
• hackthissite.org basic 3 :: password.php
• hackthissite.org solutions to all basic missions

If you tried several things from previous hackthissite.org missions you probably figured that nothing will work here. So you came here to find new approach. And here it is! If you haven’t figured out from the very name of this mission what you should do is use cookies.

Cookies are small  chunks of data saved on your computer by remote server you are accessing. You can read more on provided web site.

Also I suggest using following tools to complete this mission.

First one is Firebug, highly usable development tool for firefox. Second one is Firecookie this one is extension on Firefox extension. So you’ll have to install both plugins.

Now when you are ready open firebug tab named cookies and refresh page of 10th mission. When you’ve done that search for cookie named: level10_authorized when you find this cookie you may notice that value it contains is No, so just double click on cookie name and change value to Yes and continue with any password.

You should be now authorized Similar Posts:

• JavaScript Challenge 13 :: Cookie
• Basic web hacking 7 :: double login
• Basic Web Hacking 13 :: Forgotten George
• Javascript Missions 7 :: JS Obfuscation. FTW!
• hackthissite.org basic 5 :: email to admin II