Hack This Site: Javascript Mission – Level 6

Introduction

Hello friends and welcome to HaXeZ. Today we’re going to solve Javascript Mission 6 on Hack This Site. This challenge isn’t too difficult provided you pay attention to the details. The mission reuses the script from a previous mission and attempts to distract you with it. However, the script that actually performs the authentication is hidden in another file of the application.

go go away .js

The Mission

Navigating to the mission, we see the expected password submission form. However, instead of Faith, this time we have a message saying that Fiftysixer has decided to try creating some Javascript. It explains that he forgot to remove the previous code. This has made the new code more confusing, but apparently Fiftysixer likes it that way. We can submit test data to the form, but we get an error message saying the password is incorrect.

The mission

The Javascript

If we view the Javascript, we can see that it looks a lot like the script we had for a previous mission. That script tried to trick us by comparing a variable with a string rather than assigning the string to the variable. The solution to that mission was ‘moo’. However, if we submit ‘moo’ to the password form, we still get the incorrect password error message. Notably, there is a link to what appears to be another Javascript file called checkpass.js, and the name suggests that it may have something to do with the password checking functionality.

The Javascript

The Real Javascript

If we navigate to the script in the URL, we can see that it does appear to be the correct script for checking the password. As you can see below, the Javascript declares three variables and assigns them values.

dairycow="moo";
moo = "pwns";
rawr = "moo";

I’m not too familiar with Javascript syntax but I wonder whether the lack of spaces in the declaration of ‘dairycow’ is significant in any way. After the variable declarations, we have a function to check the password. It states that if the value submitted by the user is the same as the value of ‘rawr’ followed by the value of ‘moo’, then we win. If not, then we lose. It is important to note that there are also speech marks enclosing a space between ‘rawr’ and ‘moo’, so we need to ensure that we have a space in our submission.

The Real Javascript
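As an added example (not code from the mission or from this walkthrough), the Node.js sketch below shows one way to check which script actually defines the handler a form calls, which is the detail this mission turns on. The markup, the `checkpass()` and `oldCheck()` names and the file layout are constructed assumptions; only the three variable assignments come from the page.

```javascript
// Constructed sample: markup modelled on the walkthrough, not the mission's real source.
const pageHtml = `
<script src="checkpass.js"></script>
<script>
  var pass = "cookies";
  pass == "moo";                        // leftover decoy: compares, assigns nothing
  function oldCheck(x) { return x == pass; }
</script>
<form><input id="pw"><button onclick="checkpass(pw.value)">Check</button></form>`;

// Constructed stand-in for the external file; checkpass() is a hypothetical name.
const externalFiles = {
  "checkpass.js": `dairycow="moo"; moo = "pwns"; rawr = "moo";
function checkpass(pass) { return pass == rawr + " " + moo; }`,
};

// Every <script> element, inline or external, in document order.
function listScripts(html) {
  const scripts = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  for (const m of html.matchAll(re)) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    scripts.push({ src: src ? src[1] : null, body: m[2] });
  }
  return scripts;
}

// Function names invoked from inline event-handler attributes (onclick, onsubmit, ...).
function handlerNames(html) {
  const names = new Set();
  for (const m of html.matchAll(/\son\w+\s*=\s*"([^"]*)"/gi)) {
    const call = /^\s*(?:return\s+)?([A-Za-z_$][\w$]*)\s*\(/.exec(m[1]);
    if (call) names.add(call[1]);
  }
  return [...names];
}

// Map each handler to the script that defines it: a src, "inline", or null.
function locateHandlers(html, files) {
  const result = {};
  for (const name of handlerNames(html)) {
    const def = new RegExp("function\\s+" + name.replace(/\$/g, "\\$") + "\\s*\\(");
    const hit = listScripts(html).find((s) =>
      def.test(s.src ? files[s.src] || "" : s.body));
    result[name] = hit ? hit.src || "inline" : null;
  }
  return result;
}

console.log(locateHandlers(pageHtml, externalFiles));
```

A `null` result means the handler is defined in a file you have not fetched yet, which is the cue to go and read it rather than the inline code.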

The Solution

So that’s all we need to do to solve the mission. Submit ‘moo pwns’ as the password and you should complete the mission. Congratulations.

The Solution