Hello world and welcome to haxez where today we are solving Basic 11. This the final challenge in the Hack This Site Basic web series. The series as a whole has been fun and I recommend giving it a go. This challenge doesn’t require any form of exploitation. Instead, it relies on the user’s knowledge, whit, and exploration skills. It’s a bit of a cheeky challenge as the last part had me scratching my head for a bit. If you haven’t seen my previous posts in this series then you can do so here: Part 1, Part 2, Part 3, Part 4, Part 5, Part 6, Part 7, Part 8, and Part 9.
Navigating to the Basic 11 page shows a sentence that includes a song title. After a bit of research, it turns out that the song was sung by Elton John. Not knowing what to do with that information, I continued exploring the Web Application. The way I solved this challenge was to brute-force the directories. However, that isn’t the intended approach and would probably be frowned upon by the Hack This Site server admins. Sorry guys.
Exploring The Basic 11 Web Application – The Hard Way
The proper way to solve this challenge is to use your whit and deductive skills. We know the song was sung by Elton John so let’s see if there is an E directory.
The ‘e’ directory exists and even better, directory listing is enabled on the server. We can see that the next directory is the ‘l’ directory. I can see where this is going.
Tumbling, tumbling, tumbling further down the rabbit hole we go.
Almost there
One final directory to check and we will have the password.
Or not, after all that, the directory is empty. Or is it? dotfiles are hidden files on a Linux system. One particular dot file used within web environments is the .htaccess. If we navigate to the .htaccess file we can see the following data. Normally, .htaccess files are protected so they can’t be read by everyone. However, it looks like the file permissions are wrong on this one.
The .htaccess file shows some information, the most important part is the DaAnswer directory. We can append DaAnswer to the current URL and it produces the page below.
I must admit that this had me scratching my head for a while. I viewed the source code, I checked other directories, I was stumped at this point but the answer was right in front of me. The sentence literally tells you the password. The answer is available. I can’t believe how long it took me to realize this. I feel that this is cheating slightly. With the password in hand, you can head to the /11/ directory followed by index.php. That should allow you to submit the password and complete the challenge.
Exploring The Application — The Easy Way
Normally once a challenge is complete I wouldn’t explore it further. However, I feel that I need to be honest about how I actually solved this challenge. I cheated. I was stumped on the song titles. As this challenge didn’t require any form of exploitation I didn’t know where to go next. I used a brute force tool to learn the location of the directories. The brute force tool also found the .htaccess file and the DaAnswer directory. I believe doing it this way was quicker than it would have been if I had done it manually.
That’s it from me. I have really enjoyed this series and can’t wait to start the realistic missions.