Hack This Site: Basic Web Challenges – Level 11

Hack This Site Basic Web Challenge 11

This is the final challenge in the Hack This Site Basic web series. The series as a whole has been fun and I recommend giving it a go. This challenge doesn’t require any form of exploitation. Instead, it relies on the user’s knowledge, whit, and exploration skills. It’s a bit of a cheeky challenge as the last part had me scratching my head for a bit. If you haven’t seen my previous posts in this series then you can do so here: Part 1Part 2Part 3Part 4Part 5Part 6Part 7Part 8, and Part 9.

Hack This Site Basic Web 11
Hack This Site Basic 11

Navigating to the Basic 11 page shows a sentence that includes a song title. After a bit of research, it turns out that the song was sung by Elton John. Not knowing what to do with that information, I continued exploring the Web Application. The way I solved this challenge was to brute-force the directories. However, that isn’t the intended approach and would probably be frowned upon by the Hack This Site server admins. Sorry guys.

Web Application Song Lyrics
Web Application Song Titles

Exploring The Web Application – The Hard Way

The proper way to solve this challenge is to use your whit and deductive skills. We know the song was sung by Elton John so let’s see if there is an E directory.

Web Directory 'e'
Web Application ‘e’ Directory

The ‘e’ directory exists and even better, directory listing is enabled on the server. We can see that the next directory is the ‘l’ directory. I can see where this is going.

Web Directory 'l'
Web Application ‘l’ Directory

Tumbling, tumbling, tumbling further down the rabbit hole we go.

Web Directory 't'
‘t’ Directory

Almost there

Directory 'o'
‘o’ Directory

One final directory to check and we will have the password.

'n' Directory
‘n’ Directory

Or not, after all that, the directory is empty. Or is it? dotfiles are hidden files on a Linux system. One particular dot file used within web environments is the .htaccess. If we navigate to the .htaccess file we can see the following data. Normally, .htaccess files are protected so they can’t be read by everyone. However, it looks like the file permissions are wrong on this one.

.htaccess file
The .htaccess File

The .htaccess file shows some information, the most important part is the DaAnswer directory. We can append DaAnswer to the current URL and it produces the page below.

DaAnswer Directory
DaAnswer Directory

I must admit that this had me scratching my head for a while. I viewed the source code, I checked other directories, I was stumped at this point but the answer was right in front of me. The sentence literally tells you the password. The answer is available. I can’t believe how long it took me to realize this. I feel that this is cheating slightly. With the password in hand, you can head to the /11/ directory followed by index.php. That should allow you to submit the password and complete the challenge.

Password Submission System
Password Submission System

Exploring The Application – The Easy Way

Normally once a challenge is complete I wouldn’t explore it further. However, I feel that I need to be honest about how I actually solved this challenge. I cheated. I was stumped on the song titles. As this challenge didn’t require any form of exploitation I didn’t know where to go next. I used a brute force tool to learn the location of the directories. The brute force tool also found the .htaccess file and the DaAnswer directory. I believe doing it this way was quicker than it would have been if I had done it manually.

That’s it from me. I have really enjoyed this series and can’t wait to start the realistic missions.