Hello world and welcome to haxez. In this post we will be taking on the Hack This Site basic 3 web challenge. Hack This Site is a great place to learn web application security; in fact, it is the first website where I started my hacking journey. This challenge involves some knowledge of how web applications are structured. Most web applications use a hierarchical layout, whereby the first page you find tends to sit in the root directory and the subdirectories contain other content. For instance, if I wanted to access the about section of a web application I would visit https://haxez.org/about/, where haxez.org is the root and about is a page beneath it.
After logging in to the site and navigating to the basic challenges, select level 3. It will say the following.
“This time Network Security Sam remembered to upload the password file, but there were deeper problems than that”.
The blurbs of text try to give us a clue about how to solve the challenge. On this particular challenge the word deeper stuck out to me. What could they mean by going deeper? These challenges came out before the movie Inception, so it can’t be a reference to that.
Solving Basic 3
By going deeper into the directory structure (the file path), the user should be able to retrieve the password. By visiting https://www.hackthissite.org/missions/basic/3/password.php and viewing the page source you should be able to retrieve the password.
This is a good example of what to look for in web application tests and of how easily things can be overlooked. By mapping out the directory structure you not only get a clearer picture of how the application works, but you also might find something interesting, such as login pages, sitemaps or robots.txt files containing sensitive information.
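As an added example (not part of the original post or of Hack This Site), here is the server-side view of the same behaviour: a Python script that scans access-log lines and flags a client that requested several different entries under one directory and hit repeated 404s, which is the footprint that mapping out a directory structure leaves. The log lines, IP addresses and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from posixpath import dirname
from urllib.parse import urlsplit

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "GET /missions/basic/3/ HTTP/1.1" 200 1204
203.0.113.5 - - [01/Jan/2024:10:00:02 +0000] "GET /missions/basic/3/index.php HTTP/1.1" 200 1204
203.0.113.5 - - [01/Jan/2024:10:00:03 +0000] "GET /missions/basic/3/password.php HTTP/1.1" 200 87
203.0.113.5 - - [01/Jan/2024:10:00:04 +0000] "GET /missions/basic/3/robots.txt HTTP/1.1" 404 162
203.0.113.5 - - [01/Jan/2024:10:00:05 +0000] "GET /missions/basic/3/sitemap.xml HTTP/1.1" 404 162
203.0.113.5 - - [01/Jan/2024:10:00:06 +0000] "GET /missions/basic/3/admin/ HTTP/1.1" 404 162
198.51.100.9 - - [01/Jan/2024:10:00:07 +0000] "GET /missions/basic/3/ HTTP/1.1" 200 1204
198.51.100.9 - - [01/Jan/2024:10:00:08 +0000] "POST /missions/basic/3/index.php HTTP/1.1" 302 0
"""

# client, method, request target and status code from one Common Log Format line
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$')

def parse_line(line):
    """Return (ip, method, path, status) or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, target, status = m.groups()
    return ip, method, urlsplit(target).path, int(status)

def directory_of(path):
    """Directory an entry lives in: '/a/b/c.php' and '/a/b/c/' both map to '/a/b'."""
    return dirname(path.rstrip("/")) or "/"

def find_directory_probing(log_text, min_names=3, min_not_found=2):
    """Return {(ip, directory): (distinct entries, 404s)} for clients that asked for
    several different entries under one directory and missed more than once."""
    seen = defaultdict(set)
    misses = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash the scan
        ip, _method, path, status = rec
        key = (ip, directory_of(path))
        seen[key].add(path)
        if status == 404:
            misses[key] += 1
    return {k: (len(paths), misses[k]) for k, paths in seen.items()
            if len(paths) >= min_names and misses[k] >= min_not_found}
```

Running `find_directory_probing(SAMPLE_LOG)` on the constructed lines flags 203.0.113.5 under /missions/basic/3 (5 distinct entries, 3 not found) and leaves the ordinary visitor 198.51.100.9 alone.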
That’s all for now, see you next time.