Today we are looking at Hack This Site Realistic Mission number 3. This mission requires knowledge of website structures and how web forms work. To summarise, It’s a fun mission but some of the syntax is incorrect unless I’m mistaken. If you haven’t seen my other posts are the realistic series you can do so here: Part 1, and Part 2.
Upon navigating to realistic mission 4, you are greeted with the following message from PeacePoetry. The message explains that she has built her own site to submit and share peace-related poetry. However, someone has hacked her website and posted pro-war propaganda. She has asked whether we can hack her website to restore the original content.
Exploring The Website
Upon visiting the website, we’re presented with a title that says the page has been hacked. There is a picture of a majestic and patriotic eagle. The website doesn’t have much functionality other than that.
As there isn’t much going on at the surface level, let’s dig a little deeper and see what is going on in the page source. The image below shows the page source and that the hackers kindly left a message to inform us where the old site was located. The old site can be found at oldindex.html.
Navigating to oldindex.html, we find the original website. It has a bit of dynamic functionality that allows you to submit and read poems. The Poem submission system appears to write the poems directly to the directory where the website is located. We can use the Poem submission system to restore the hacked website.
Restore Website Hack
If you head back to the oldindex.html page, you can view the page source. Select all of the page source and copy it to your clipboard or save it in a notepad document. Once you have it copied, head back to the poem submission system.
Paste the page source for the oldindex.html page into the Poem content box. In addition, name your Poem ../index.html. I’m not sure why we need to step up a directory to overwrite the current index.html page. Looking through the website content, everything appears to be stored in the /3/ directory. It shouldn’t require directory traversal to overwrite the page. I digress, with the name of the poem as ../index.html, it should overwrite the currently hacked index.html with the page source of the original website. This won’t fix the vulnerability. However, it will bring the old site back as the primary page.
Clicking submit will solve the challenge