As usual, the first three levels are skipped, because they are very simple.
Level 4:
1、Click the 'Send password to Sam' button. We will see a message like this: Password reminder successfully sent.
2、On the level 4 home page, press F12 to view the source code and see how the password gets sent to Sam. We find this: <input type="hidden" name="to" value="webmaster@hulla-balloo.com">. So just modify the email address to your own email and click the button to send the password. We can see the password on the web page. Done.
Summary:
In this training, you should know how to view the source of a web page.
Level 5:
Just like level 4.
Level 6:
1、Input something into the text box, such as abc123; the result is ace468. OK, we found that a->a, b->c, c->e … The shift increases by 0, 1, 2…
2、Decrypt 74ceggki. Done.
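The level 6 cipher, as an added worked example (this is not code from the write-up or from HackThisSite): the observed mapping a->a, b->c, c->e means character number i is moved i places. That the shift is a plain ASCII code-point shift, applies to digits as well as letters and does not wrap around is an assumption drawn from the sample pair abc123 -> ace468; the function names are this example's own.

```python
# Added example, not from the write-up: position-dependent shift cipher as
# observed in level 6. Assumption: the i-th character is moved by i code
# points in plain ASCII, digits included, with no wrap-around (this matches
# the page's sample pair abc123 -> ace468).

def shift_encode(plaintext: str) -> str:
    """Shift the i-th character of the input by i code points."""
    return "".join(chr(ord(ch) + i) for i, ch in enumerate(plaintext))

def shift_decode(ciphertext: str) -> str:
    """Undo shift_encode: move the i-th character back by i code points."""
    return "".join(chr(ord(ch) - i) for i, ch in enumerate(ciphertext))

def recover_shifts(sample_plain: str, sample_cipher: str) -> list:
    """Given one known plaintext/ciphertext pair, list the per-position shifts.
    This is the check the write-up does by eye to spot the 0, 1, 2, ... pattern."""
    if len(sample_plain) != len(sample_cipher):
        raise ValueError("sample pair must have equal length")
    return [ord(c) - ord(p) for p, c in zip(sample_plain, sample_cipher)]

if __name__ == "__main__":
    print(recover_shifts("abc123", "ace468"))   # [0, 1, 2, 3, 4, 5]
    print(shift_encode("abc123"))                # ace468
    print(shift_decode("74ceggki"))              # the level 6 text under this scheme
```

The lesson for a defender is the same one the write-up draws: a single known plaintext/ciphertext pair recovers the whole scheme, which is why a home-made transformation like this protects nothing.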
Level 7:
1、We can see that Sam uses the UNIX cal command to execute something and return the result, so input a command like this:
2013;ls
You will find the password file. Done.
Summary:
In this training, you should know something about command injection and UNIX commands.
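How the level 7 calendar feature goes wrong and how it could be written safely, as an added example (this is not HackThisSite's code, and the function names and the 1..9999 year range are this example's own choices). The vulnerable version mirrors what the write-up infers: the year is glued into a shell command, so the text after ';' becomes a second command. The hardened version allow-lists the input and never hands it to a shell.

```python
# Added example, not HackThisSite code: vulnerable and hardened versions of a
# "show me the calendar for year X" feature. Names and year range are assumed.
import re
import subprocess

YEAR_RE = re.compile(r"[0-9]{1,4}")   # used with fullmatch(): digits only, 1-4 of them

def build_command_vulnerable(year: str) -> str:
    """String concatenation into a shell command line. Under a shell, ';' ends
    the cal command and starts another one. Returned instead of executed so the
    flaw can be inspected without running anything."""
    return "cal " + year

def validate_year(year: str) -> int:
    """Allow-list check: only a 1-4 digit year that cal accepts (1..9999)."""
    if not YEAR_RE.fullmatch(year):
        raise ValueError("year must be 1-4 digits")
    value = int(year)
    if not 1 <= value <= 9999:
        raise ValueError("year out of range")
    return value

def build_command_hardened(year: str) -> list:
    """Argument vector for subprocess.run(..., shell=False): no shell parses it,
    and validate_year() has already rejected anything that is not a year."""
    return ["cal", str(validate_year(year))]

def run_calendar(year: str) -> str:
    """Run cal for a validated year without a shell and return its output."""
    result = subprocess.run(build_command_hardened(year), capture_output=True,
                            text=True, check=True)
    return result.stdout

if __name__ == "__main__":
    print(build_command_vulnerable("2013;ls"))   # cal 2013;ls  (two commands under a shell)
    print(build_command_hardened("2013"))         # ['cal', '2013']
    try:
        build_command_hardened("2013;ls")
    except ValueError as err:
        print("rejected:", err)
```

Both halves matter: the allow-list rejects anything that is not a year, and passing an argument vector with no shell means that even a validation mistake does not turn the value into a command line.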
Level 8:
The problem is how to find the password file by submitting something, but I didn't find any clue.
To be Done.
Level 9:
To be Done.
Level 10:
1、View the source code, but found nothing useful.
2、Input anything and click the submit button; we see a message like this:
You are not authorized to view this page. Since there is no login function at all, how does it validate authorization? Maybe we should look at the cookie, and there we find an interesting thing:
level10_authorized=no; path=/missions/basic/10/;domain=www.hackthissite.org
3、Intercept the submit request, modify level10_authorized=no to level10_authorized=yes and submit. Done.
Summary: In this training, you should know something about authorization and cookies.
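Why the level 10 check falls to a cookie edit, and one standard fix, as an added example (not HackThisSite's code; the secret, the cookie layout and the function names are this example's assumptions). A bare level10_authorized=no cookie is a claim the client makes about itself, so the server cannot tell an edited "yes" from one it issued. Carrying the value with an HMAC tag under a server-side secret means an altered value no longer verifies.

```python
# Added example, not HackThisSite code: an unsigned authorization cookie (the
# level 10 situation) beside an HMAC-tagged one. Secret and names are assumed.
import hashlib
import hmac
import secrets

SERVER_SECRET = secrets.token_bytes(32)   # constructed for the demo; lives only on the server

def parse_cookie_header(header: str) -> dict:
    """Turn 'a=b; c=d' into {'a': 'b', 'c': 'd'}."""
    pairs = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            pairs[name] = value
    return pairs

def is_authorized_unsigned(cookie_header: str) -> bool:
    """The level 10 style check: trusts whatever value the client sends."""
    return parse_cookie_header(cookie_header).get("level10_authorized") == "yes"

def sign_flag(value: str, secret: bytes = SERVER_SECRET) -> str:
    """Cookie value of the form '<value>.<hex HMAC-SHA256 tag>'."""
    tag = hmac.new(secret, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"

def is_authorized_signed(cookie_header: str, secret: bytes = SERVER_SECRET) -> bool:
    """Accept only if the tag verifies for the exact value presented."""
    raw = parse_cookie_header(cookie_header).get("level10_authorized", "")
    value, sep, tag = raw.rpartition(".")
    if not sep:
        return False
    expected = hmac.new(secret, value.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected) and value == "yes"

def tamper(cookie_header: str) -> str:
    """Reproduce the write-up's edit: flip the flag from no to yes in place."""
    return cookie_header.replace("level10_authorized=no", "level10_authorized=yes")

if __name__ == "__main__":
    unsigned = "level10_authorized=no; path=/missions/basic/10/"
    print(is_authorized_unsigned(unsigned), is_authorized_unsigned(tamper(unsigned)))  # False True
    signed = "level10_authorized=" + sign_flag("no") + "; path=/missions/basic/10/"
    print(is_authorized_signed(signed), is_authorized_signed(tamper(signed)))          # False False
```

The tag only proves the server issued that exact value; it does not stop a user replaying a "yes" cookie they legitimately received. The usual design keeps the authorization decision in a server-side session keyed by an opaque, random session id, so nothing about the user's rights travels in the cookie at all.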
Level 11:
1、When we open the page, we find nothing but something like this:
I love my music!
"Believe " is the best!
This is useless for us. Can we find something useful? Again, we view the source code, but this time we are unlucky, because we only find a comment like this:
<!--We even have our own collection - if you could find it!-->
2、It seems that the only useful things we have are Apache and "collection". When I opened the page again, I found that the message had changed to:
I love my music!
"I Feel Like a Bullet (In the Gun of Robert Ford)" is the best!
So refresh the page, and the message changes again:
I love my music! "Georgia " is the best!
I love my music!
"I Need You to Turn To" is the best!
How do we find the so-called collection?
3、Search for these songs on Google to find some clues, and we find that they are all by Elton John! Maybe this is the collection. So we try a directory listing like /eltonjohn/. It fails. /johnelton/? Fails again. /john/? /elton/? /j/? /e/?
Found the collection!
To be done!
Basic missions end.
Realistic missions:
Level 1:
Message:
From: HeavyMetalRyan
Message: Hey man, I need a big favour from you. Remember that website I showed you once before? Uncle Arnold's Band Review Page? Well, a long time ago I made a $500 bet with a friend that my band would be at the top of the list by the end of the year. Well, as you already know, two of my band members have died in a horrendous car accident... but this asshole still insists that the bet is on! I know you're good with computers and stuff, so I was wondering, is there any way for you to hack this website and put my band at the top of the list? My band is Raging Inferno. Thanks a lot, man!
Solution:
View the source code and tamper with the rating data, changing it to a big number such as 1000. Done.
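The server-side check that stops the realistic level 1 trick, as an added example (not the mission's code; the function names, the 1..10 scale and the in-memory score table are assumed). The page's rating form relies on the options the browser shows, but the submitted value comes from the client, so "1000" arrives exactly like "10" unless the server re-checks it.

```python
# Added example, not the mission's code: a rating handler that trusts the form
# beside one that validates against the offered scale. Names and scale assumed.

ALLOWED_RATINGS = range(1, 11)   # the 1..10 options the form offers, enforced here

def vote_trusting(scores: dict, band: str, raw_rating: str) -> dict:
    """The flawed version: converts and stores whatever the client sent, so a
    hand-edited form value of 1000 counts as 1000 points."""
    scores[band] = scores.get(band, 0) + int(raw_rating)
    return scores

def vote_validated(scores: dict, band: str, raw_rating: str) -> dict:
    """Reject anything that is not one of the offered values before storing.
    isdigit() rules out signs, spaces and letters; the range check rules out
    numbers outside the scale."""
    if not raw_rating.isdigit() or int(raw_rating) not in ALLOWED_RATINGS:
        raise ValueError(f"invalid rating {raw_rating!r}")
    scores[band] = scores.get(band, 0) + int(raw_rating)
    return scores

def leader(scores: dict) -> str:
    """Band with the highest total."""
    return max(scores, key=scores.get)

if __name__ == "__main__":
    board = {"Raging Inferno": 30, "Some Other Band": 90}   # constructed sample totals
    print(leader(vote_trusting(dict(board), "Raging Inferno", "1000")))   # Raging Inferno
    try:
        vote_validated(dict(board), "Raging Inferno", "1000")
    except ValueError as err:
        print("rejected:", err)
    print(leader(vote_validated(dict(board), "Raging Inferno", "10")))    # Some Other Band
```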
Level 2:
Message:
From: DestroyFascism
Message: I have been informed that you have quite admirable hacking skills. Well, this racist hate group is using their website to organize a mass gathering of ignorant racist bastards. We cannot allow such bigoted aggression to happen. If you can gain access to their administrator page and post messages to their main page, we would be eternally grateful.
Solution:
View the source code and find update.php. Open it in the browser and a login page is displayed. Of course, try SQL injection in the username input: failed. In the password input? Done.
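A login check in the shape the realistic level 2 write-up describes, as an added example (not HackThisSite's code; sqlite3 stands in for the site's database, and the table layout, user names and passwords are constructed for the demo). The vulnerable version builds the SQL by string concatenation, so whatever the user types is parsed as part of the query; the hardened version passes the same values as bound parameters, so they are only ever data. The apostrophe in a perfectly legitimate user name is enough to show the difference.

```python
# Added example, not HackThisSite code: a concatenated login query beside a
# parameterised one, against an in-memory sqlite3 table of constructed users.
import sqlite3

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Constructed sample rows; a real deployment stores password hashes, not passwords.
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "correct-horse"), ("o'neil", "battery-staple")])
    conn.commit()
    return conn

def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Input is spliced into the query text, so quotes and SQL keywords inside
    it change the query itself instead of being compared as values."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0

def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Bound parameters: the query text is fixed and the values travel separately."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0

def splice_breaks_query(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """True when the concatenated query no longer parses, which is the visible
    symptom of user input being read as SQL rather than as data."""
    try:
        login_vulnerable(conn, username, password)
        return False
    except sqlite3.Error:
        return True

if __name__ == "__main__":
    db = make_db()
    print(login_hardened(db, "admin", "correct-horse"))        # True
    print(login_hardened(db, "o'neil", "battery-staple"))      # True: the quote is just data
    print(splice_breaks_query(db, "o'neil", "battery-staple")) # True: the quote became SQL
```

The point the write-up's "username failed, password?" step makes is that every field spliced into the query is a separate chance for the same flaw; binding parameters fixes all of them at once, and the same approach applies to update.php's own queries, not only to the login.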
Level 3:
Message:
From: PeacePoetry
Message: I run this website where people can read and submit peace-related poetry. I am doing this out of good will towards others, and I don't see why I would be making enemies out of this, but some real asshole hacked my website, posting a bunch of ignorant aggressive propaganda on the front page. And I made that website a while ago, and I no longer have access to it. Do you think you can hack in and change it back? Please? Oh, and bonus points if you message me the name of the bastard who did this!
My website can be found here.
Solution:
View the source code, and find this:
<!--Note to the webmaster: This website has been hacked, but not totally destroyed. The old website is still up. I simply copied the old index.html file to oldindex.html and remade this one. Sorry about the inconvenience.-->
So visit oldindex.html to access the old web site. There are two functions: read and submit poetry. Try using index.html as the poem name and submit: failed…
To be Done.