Hack This Site: Basic Web Challenges – Level 3

Back again with another Hack This Site article; please check out my other posts in this series, part 1 and part 2. This time we are taking on the basic web challenge level 3. This challenge involves some knowledge of how web applications are structured. Most web applications use a hierarchical layering whereby the first page you find will tend to be in the first directory, and subdirectories may contain other information. For instance, if I wanted to access the about section of a web application, I would visit https://haxez.org/about/ where haxez.org is the root and about is a page.

Basic web level 3

After logging in to the site and navigating to the basic challenges, select level 3. It will say the following.

“This time Network Security Sam remembered to upload the password file, but there were deeper problems than that”.

Hack This Site Basic Web Challenge Level 3 Password Submission

The blurbs of text try to give us a clue about how to solve the challenge. On this particular challenge, the word "deeper" stuck out to me. What could they mean by going deeper? These challenges were out before the movie Inception, so it can't be a reference to that.

By going deeper in the directory structure or the file path structure, the user should be able to retrieve the password. By visiting https://www.hackthissite.org/missions/basic/3/password.php and viewing the page source you should be able to retrieve the location of the password.

Hack This Site Web Page Source Password.php

Navigating to the password.php file in your browser's URL bar should bring up a blank page. However, viewing the page source of that page should show you a string of numbers and letters.

Password.php web page showing password

Copy the password, press back to return to the password submission page, then submit the password to complete the challenge.

You have completed basic web level 3

This is a good example of what to look for in web application tests and how easily things can be overlooked. By mapping out the directory structure, you not only get a clearer picture of how the application works, but you also might find something interesting like login pages, sitemaps or robots.txt files with sensitive information.
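
The same mapping can be done from the defending side before a site goes live. The script below is an added example, not part of the original post or of Hack This Site: it walks a local web root and reports files with sensitive-looking names and robots.txt entries that point at paths which really exist. The name patterns and the sample directory tree are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Name patterns are an assumption for this example; tune them per application.
SENSITIVE = re.compile(r"(passw(or)?d|secret|credential|\.bak$|\.sql$|\.env$)", re.I)


def audit_webroot(root):
    """Return sorted (kind, relative_path) findings for files a web server would expose."""
    root = Path(root)
    findings = set()
    # 1. Anything under the web root with a sensitive-looking name is directly requestable.
    for path in root.rglob("*"):
        if path.is_file() and SENSITIVE.search(path.name):
            findings.add(("sensitive-name", path.relative_to(root).as_posix()))
    # 2. robots.txt Disallow lines that resolve to real paths advertise where to look.
    robots = root / "robots.txt"
    if robots.is_file():
        for line in robots.read_text(errors="replace").splitlines():
            field, _, value = line.partition(":")
            target = value.split("#")[0].strip().lstrip("/")
            if field.strip().lower() == "disallow" and target and "*" not in target:
                if (root / target).exists():
                    findings.add(("robots-advertised", target.rstrip("/")))
    return sorted(findings)


def build_sample(root):
    """Constructed sample tree, loosely shaped like the challenge's directory layout."""
    root = Path(root)
    (root / "missions/basic/3").mkdir(parents=True)
    (root / "admin").mkdir()
    (root / "index.php").write_text("<?php echo 'home'; ?>")
    (root / "missions/basic/3/index.php").write_text("<form>...</form>")
    (root / "missions/basic/3/password.php").write_text("constructed-value")
    (root / "admin/login.php").write_text("<form>...</form>")
    (root / "robots.txt").write_text("User-agent: *\nDisallow: /admin/\nDisallow: /old/\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for kind, rel in audit_webroot(tmp):
            print(f"{kind:18} {rel}")
```

Each finding is a file or directory to move out of the document root or put behind access control, since leaving a path out of the site's links does not stop anyone requesting it directly.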

That's all for now, see you next time.