Hack This Site: Basic Web Challenges – Level 11

basic-11-header

Hello world and welcome to haxez where today we are solving Basic 11. This the final challenge in the Hack This Site Basic web series. The series as a whole has been fun and I recommend giving it a go. This challenge doesn’t require any form of exploitation. Instead, it relies on the user’s knowledge, whit, and exploration skills. It’s a bit of a cheeky challenge as the last part had me scratching my head for a bit. If you haven’t seen my previous posts in this series then you can do so here: Part 1, Part 2, Part 3, Part 4, Part 5, Part 6, Part 7, Part 8, and Part 9.

Hack This Site Basic 11
Hack This Site Basic 11

Navigating to the Basic 11 page shows a sentence that includes a song title. After a bit of research, it turns out that the song was sung by Elton John. Not knowing what to do with that information, I continued exploring the Web Application. The way I solved this challenge was to brute-force the directories. However, that isn’t the intended approach and would probably be frowned upon by the Hack This Site server admins. Sorry guys.

Basic 11 Elton John Song Titles
Elton John Song Titles

Exploring The Basic 11 Web Application – The Hard Way

The proper way to solve this challenge is to use your whit and deductive skills. We know the song was sung by Elton John so let’s see if there is an E directory.

Basic 11 L directory listing
L directory listing

The ‘e’ directory exists and even better, directory listing is enabled on the server. We can see that the next directory is the ‘l’ directory. I can see where this is going.

T directory listing
T directory listing

Tumbling, tumbling, tumbling further down the rabbit hole we go.

O Directory
O Directory

Almost there

N directory listing
N directory listing

One final directory to check and we will have the password.

Empty Directory Listing
Empty Directory Listing

Or not, after all that, the directory is empty. Or is it? dotfiles are hidden files on a Linux system. One particular dot file used within web environments is the .htaccess. If we navigate to the .htaccess file we can see the following data. Normally, .htaccess files are protected so they can’t be read by everyone. However, it looks like the file permissions are wrong on this one.

.htaccess File
.htaccess File

The .htaccess file shows some information, the most important part is the DaAnswer directory. We can append DaAnswer to the current URL and it produces the page below.

DaAnswer directory listing
Empty Directory Listing

I must admit that this had me scratching my head for a while. I viewed the source code, I checked other directories, I was stumped at this point but the answer was right in front of me. The sentence literally tells you the password. The answer is available. I can’t believe how long it took me to realize this. I feel that this is cheating slightly. With the password in hand, you can head to the /11/ directory followed by index.php. That should allow you to submit the password and complete the challenge.

Password Submission System
Password Submission System

Exploring The Application — The Easy Way

Normally once a challenge is complete I wouldn’t explore it further. However, I feel that I need to be honest about how I actually solved this challenge. I cheated. I was stumped on the song titles. As this challenge didn’t require any form of exploitation I didn’t know where to go next. I used a brute force tool to learn the location of the directories. The brute force tool also found the .htaccess file and the DaAnswer directory. I believe doing it this way was quicker than it would have been if I had done it manually.

Basic 11 Brute Forcing Directories
Brute Force Directories

That’s it from me. I have really enjoyed this series and can’t wait to start the realistic missions.