Welcome back to my series on the Hack This Site Basic Web Challenges. Today we are looking at basic challenge level 5. If you haven’t read my other posts in the series, you can do so here: Part 1, Part 2, Part 3 and Part 4. This challenge is similar to part 4. We need to modify the Send password to Sam request in order to change his email to our email. However this time I’m going to use a different method of doing so.
Once you have logged in, navigate to the Basic 5 challenge and you will see the screen below. This is the same as part 4, there is a password submission box and a Send password to Sam button. You can test the button by clicking it. The application should tell you that it has sent the password to Sam.
Intercepting The Web Request
However, instead of modifying the request directly in the source code. We are going to use the Burp Suite web proxy. Burp Suite is a web proxy that allows you to intercept and modify requests. It has its own version of Chromium built-in which means you don’t have to change your browser’s proxy settings. Ensure you have intercept set to on, then in the built-in browser click the Send password to Sam button.
Navigate back to the Burp Suite client and you will see that the request has been intercepted by Burp. The request is a POST request that is sending the value of the “to” parameter ([email protected]) to level5.php. This is how the email is sent to Sam.
Modifying The Request
With the request captured, it can now be modified and changed to your own address. The address you use has to be the one associated with the Hack This Site account or it won’t work. Change the address and click forward, then forward any subsequent requests after that.
Once the request is forwarded, the website should notify you that an email has been sent to your email address.
Forwarding The Web Request
If you go and check the mailbox that you used, you should see a new email from [email protected] The email will contain the password required to solve the level. Copy the password and head back to the website and paste it into the submission system.
Congratulations, you have now completed level 5.
Please feel free to watch my video on this challenge below.