This level is what we call "The Idiot Test", if you can't complete it, don't give up on learning all you can, but, don't go begging to someone else for the answer, thats one way to get you hated/made fun of. Enter the password and you can continue.
  • The password can be found by inspecting the source code of the challenge itself.
<!-- the first few levels are extremely easy: password is {REDACTED} -->
Network Security Sam set up a password protection script. He made it load the real password from an unencrypted text file and compare it to the password the user enters. However, he neglected to upload the password file...
  • Since the file is missing… we can login with no password.
This time Network Security Sam remembered to upload the password file, but there were deeper problems than that.
  • In the source code of the login form, we find the following line
<input type="hidden" name="file" value="password.php">
  • By navigating to https://www.hackthissite.org/missions/basic/3/password.php, we can read the password in clear text.
This time Sam hardcoded the password into the script. However, the password is long and complex, and Sam is often forgetful. So he wrote a script that would email his password to him automatically in case he forgot. Here is the script:
<input type="hidden" name="to" value="[email protected]">
  • So I was thinking that if we can intercept this request, we could modify the email to which the password is sent.
POST /missions/basic/4/level4.php HTTP/2
Host: www.hackthissite.org
Cookie: HackThisSite=8kbga1v5iuqm1p6am1fadpef81
Content-Length: 25
...
to=yikaka1041%40bitofee.com
**Password reminder successfully sent to [email protected]**
(Note: If this is not the email address on your HackThisSite profile, no email will actually be sent.)
  • So I repeated the steps using the actual email address I used when the account was created.
Your password reminder
10:47 PM (1 minute ago)
Sam,
Here is the password: '{REDACTED}'.
Sam has gotten wise to all the people who wrote their own forms to get the password. Rather than actually learn the password, he decided to make his email program a little more secure.
  • I got the password using exactly the same steps as in Level 4.
Sam,
Here is the password: '{REDACTED}'.
Network Security Sam has encrypted his password. The encryption system is publicly available and can be accessed with this form
You have recovered his encrypted password. It is: 72hi6j>;
  • We’re provided a form that encrypts given text using the following rule

  • First character, is shifted 0 times to the right. (remains the same)

  • Second character is shifted 1 time to the right (Eg: A becomes B)

  • Third character is shifted 2 times to the right (Eg: A becomes C)

  • And so on.

  • As a general rule, each resulting character’s ASCII code is computed as follows

result_ASCII = current_char_ASCII + current_char_index - 1 # if counting from 1
result_ASCII = current_char_ASCII + current_char_index # if counting from 0
  • Alright. So we know his encrypted password. Now we have to do the reverse process of this encryption to reveal the plaintext password.

  • I’ve used the ASCII table and the logic above.

POS:01234567
CHR:72hi6j>;
  • 7 is on position 0, so it’s shifted 0 times to the right. The initial character must be 7.

  • 2 is on position 1, so it’s shifted 1 time to the right. The initial character must be 1.

  • h is shifted 2 times => ASCII(h) - 2 => f

  • i is shifted 3 times => ASCII(i) - 3 => f

  • 6 is shifted 4 times => ASCII(6) - 4 => 2

  • j is shifted 5 times => ASCII(j) - 5 => e

… and so on.
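The shift rule above and its inverse as an added worked example (not code from the original writeup); the function names are my own, and the trace reproduces the per-position steps listed above.

```python
# Added example, not part of the original writeup: the Level 6 positional
# shift cipher and its inverse, using the 0-based rule
#   result_ASCII = current_char_ASCII + current_char_index


def shift_encrypt(plaintext: str) -> str:
    """Shift the character at index i (counting from 0) i places to the right in ASCII."""
    return "".join(chr(ord(c) + i) for i, c in enumerate(plaintext))


def shift_decrypt(ciphertext: str) -> str:
    """Undo the shift: subtract the 0-based index from each character's ASCII code."""
    return "".join(chr(ord(c) - i) for i, c in enumerate(ciphertext))


def decrypt_steps(ciphertext: str) -> list[tuple[int, str, str]]:
    """Per-position trace in the same form as the writeup: (position, cipher char, plain char)."""
    return [(i, c, chr(ord(c) - i)) for i, c in enumerate(ciphertext)]


if __name__ == "__main__":
    recovered = "72hi6j>;"  # the encrypted password quoted in the mission text
    for pos, enc, dec in decrypt_steps(recovered):
        print(f"{enc!r} at position {pos} is shifted {pos} right -> {dec!r}")
```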

This time Network Security Sam has saved the unencrypted level7 password in an obscurely named file saved in this very directory.
In other unrelated news, Sam has set up a script that returns the output from the UNIX cal command. Here is the script
  • Alright, if we input any year, we get the calendar for that particular year.

  • If we input another command, it doesn’t output anything.

  • However, if we do something like 2000;ls, after the calendar for the year 2000 is printed, the ls command is also executed.

December 2000
Mon Tue Wed Thu Fri Sat Sun
1 2 3
4 5 6 7 8 9 10
11 12 13 14 15 16 17
18 19 20 21 22 23 24
25 26 27 28 29 30 31
index.php
level7.php
cal.pl
.
..
k{REDACTED}h.php
  • The password is in the .php file, which can be accessed by going to /missions/basic/7/{REDACTED}.php
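The calendar bug above, as an added example that is not the site's own cal.pl: the vulnerable form splices the year into a shell command line (so `2000;ls` chains a second command), while the hardened form validates the input and passes it as a separate argv element with no shell involved. Function names and the year regex are my own assumptions.

```python
# Added example, not the original cal.pl: Level 7's command injection and a hardened variant.
import re
import subprocess

# cal takes a year from 1 to 9999; [0-9] rather than \d so Unicode digits are not accepted.
YEAR_RE = re.compile(r"[0-9]{1,4}")


def build_cal_command_vulnerable(year: str) -> str:
    """Mirrors the flaw: user input becomes part of a shell command string,
    so shell metacharacters such as ';' are interpreted by the shell."""
    return f"cal {year}"


def is_valid_year(year: str) -> bool:
    """Allow-list check: only 1 to 4 ASCII digits, nothing else."""
    return YEAR_RE.fullmatch(year) is not None and int(year) >= 1


def build_cal_command_safe(year: str) -> list[str]:
    """Validated year passed as its own argv element; nothing here is shell-parsed."""
    if not is_valid_year(year):
        raise ValueError(f"invalid year: {year!r}")
    return ["cal", year]


def run_cal(year: str) -> str:
    """Run cal with shell=False (needs the cal binary installed)."""
    cmd = build_cal_command_safe(year)
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for candidate in ("2000", "2000;ls"):
        print("vulnerable command line:", build_cal_command_vulnerable(candidate))
        try:
            print("hardened argv:", build_cal_command_safe(candidate))
        except ValueError as exc:
            print("hardened form rejected it:", exc)
```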
Sam remains confident that an obscured password file is still the best idea, but he screwed up with the calendar program. Sam has saved the unencrypted password file in /var/www/hackthissite.org/html/missions/basic/8/
However, Sam's young daughter Stephanie has just learned to program in PHP. She's talented for her age, but she knows nothing about security.
She recently learned about saving files, and she wrote a script to demonstrate her ability.
  • I’ve managed to exploit this using SSI Injection. More details can be found here.

  • If we use the <!--#exec cmd="ls" --> payload that is shown on the website, we are able to get the files in the current directory, which is /tmp. However, we need to list the files in the previous directory, so we end up with the following payload

<!--#exec cmd="ls .." -->
Hi, {REDACTED}.php index.php level8.php tmp! Your name contains 39 characters.
  • Grab the flag by navigating to the .php file.

TIP: In this scenario, the presence of SSI is indicated by .shtml files.

Network Security Sam is going down with the ship - he's determined to keep obscuring the password file, no matter how many times people manage to recover it. This time the file is saved in /var/www/hackthissite.org/html/missions/basic/9/.
In the last level, however, in my attempt to limit people to using server side includes to display the directory listing to level 8 only, I have mistakenly screwed up somewhere.. there is a way to get the obscured level 9 password. See if you can figure out how...
This level seems a lot trickier than it actually is, and it helps to have an understanding of how the script validates the user's input. The script finds the first occurrence of '<--', and looks to see what follows directly after it.
  • Using the script in Level 8 and a similar payload: <!--#exec cmd="ls ../../9" -->
  • We’re asked for a password, but no indications are given. I tried something random and I’ve got
You are not authorized to view this page
  • So I took a look at the cookies and found level10_authorized set to no.
  • I’ve set it to yes and refreshed the page.
Sam decided to make a music site. Unfortunately he does not understand Apache. This mission is a bit harder than the other basics.
  • I refreshed the page several times and I noticed that the song name is changing.

  • Couldn’t find anything relevant, so I’ve decided to google the names.

  • The only thing I found in common was that all songs were performed by Elton John, so I’ve tried to navigate to /elton, /eltonjohn, ej, je, e, and other possible combinations.

  • I had luck with /e, which led to /l, then /t, /o and /n.

  • I’ve spent some time reading about Apache and I found out that .htaccess files can be placed inside directories to make configurations on a per-directory basis, so I’ve tried /e/.htaccess, /l/.htaccess and so on.

  • I could navigate to /e/l/t/o/n/.htaccess.

IndexIgnore DaAnswer.* .htaccess
<Files .htaccess>
require all granted
</Files>
  • We see that the directory index hides anything matching DaAnswer.*, which tells us the name of the file to request.
https://www.hackthissite.org/missions/basic/11/e/l/t/o/n/DaAnswer
  • The answer is {REDACTED}! Just look a little harder.

TIP: The password was the word after is, even if it looked like a normal sentence.