Hack This Site: Basic Web Challenges – Level 4

Hello world and welcome to haxez. In this post we are looking at Hack This Site Basic Web Challenge Level 4. If you haven’t read through my previous posts in this series, you can find them here: Part 1, Part 2 and Part 3. This challenge requires the user to have some knowledge of HTML. The objective of this challenge is to recover the password; however, sneaky Sam has added an email script to the application.

Hack This Site Basic 4

Viewing The Basic 4 Web App

After logging in to Hack This Site and navigating to the basic web challenge level 4, you will be presented with the screen below. The text reads as follows: “This time Sam hardcoded the password into the script. However, the password is long and complex, and Sam is often forgetful. So he wrote a script that would email his password to him automatically in case he forgot. Here is the script:”

Password submission system

Inspecting The Basic 4 Web Page Source

The concept behind this is simple: if Sam needs the password, he will press the button and email it to himself. We need to manipulate the script so that the password is sent to us instead of Sam. To do that, we need to view the web page source and see what the script is doing. The screenshot below shows that the email address [email protected] is being posted to level4.php when the button is clicked.

Web Page Source
Page Source

Modifying The Basic 4 Page

We can modify the page source directly through developer mode. By double-clicking the current email address, we can replace it with our own. Once we have changed the email address we can click the “Send password to Sam” button and it will send the password to our email address.

Web Page Source modified
Page Source

Submitting The Web Request

After clicking submit, go and check your mailbox to see if the password has arrived. The email will be from [email protected] and will contain the password. If you open the email, you should be able to copy the password and paste it into the password submission system.

Basic 4 Mail Page
Web Mail
Congratulations, web 4 complete
Congratulations

This was a fun challenge that teaches a valuable lesson about hardcoding passwords or other credentials within applications. If the code is rendered client-side then no sensitive information should be included in the code.
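The server-side half of that lesson, as an added example that is not part of the original post or the challenge's own code: a handler that trusts the posted recipient next to one that keeps the recipient in server configuration and treats any differing value as a tampering signal. The field name `to`, the addresses and the `send_mail` callback are assumptions made for illustration.

```python
import logging

log = logging.getLogger("reminder")

# Assumption: the recipient lives in server-side configuration only.
CONFIGURED_RECIPIENT = "sam@example.test"  # constructed placeholder address


def handle_reminder_trusting(form, send_mail):
    """Mirrors the flaw: the posted form field chooses who receives the mail."""
    recipient = form.get("to", "")  # "to" is a hypothetical field name
    send_mail(recipient, "Password reminder")
    return recipient


def handle_reminder_hardened(form, send_mail, remote_addr="unknown"):
    """Recipient is fixed on the server; a client-supplied value is only evidence."""
    supplied = form.get("to")
    if supplied is not None and supplied.strip().lower() != CONFIGURED_RECIPIENT:
        # A differing value means the page was edited or the request was forged.
        log.warning("reminder recipient tampering from %s: %r", remote_addr, supplied)
    send_mail(CONFIGURED_RECIPIENT, "Password reminder")
    return CONFIGURED_RECIPIENT


def demo():
    """Replay one constructed, tampered POST body against both handlers."""
    outbox = []

    def send_mail(to, subject):
        outbox.append((to, subject))  # stand-in for a real mail call

    tampered = {"to": "someone-else@example.test"}  # constructed request body
    handle_reminder_trusting(tampered, send_mail)
    handle_reminder_hardened(tampered, send_mail, remote_addr="203.0.113.7")
    return [to for to, _ in outbox]


if __name__ == "__main__":
    print(demo())
```

The warning line gives defenders something to alert on, since a legitimate browser never changes that field on its own.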

Hack This Site: Basic Web Challenges – Level 3

Hello world and welcome to haxez. In this post we will be taking on the Hack This Site basic 3 web challenge. Hack This Site is a great location to learn web application security. In fact, it is the first website where I started my hacking journey. This challenge involves some knowledge of how web applications are structured. Most web applications use a hierarchical layering whereby. As a result, the first page you find will tend to be in the first directory. Then, the subdirectories may contain other information. For instance, if I wanted to access the about section of a web application I would visit https://haxez.org/about/ where haxez.org is the root and about is a page.

Hack This Site Basic 3

After logging in to the site and navigating to the basic challenges, select level 3. It will say the following.

“This time Network Security Sam remembered to upload the password file, but there were deeper problems than that”.

The blurbs of text try to give us a clue about how to solve the challenge. On this particular challenge, the word “deeper” stuck out to me. What could they mean by going deeper? These challenges were out before the movie Inception, so it can’t be a reference to that.

Solving Basic 3

By going deeper in the directory structure or the file path structure, the user should be able to retrieve the password. By visiting https://www.hackthissite.org/missions/basic/3/password.php and viewing the page source you should be able to retrieve the password.

This is a good example of what to look for in web application tests and how easily things can be overlooked. By mapping out the directory structure you not only get a clearer picture of how the application works, but you also might find something interesting like login pages, sitemaps or robots.txt files with sensitive information.

That’s all for now, see you next time.

Hack This Site: Basic Web Challenges – Level 2

Hello world and welcome to haxez. Today we are going to be looking at the basic web challenge level 2 on Hack This Site. Hack This Site is a website that allows you to test out your web application security skills by taking on various challenges. If you haven’t already done so, go and check my post on Level 1.

After logging in to Hack This Site, navigate to the basic challenges and select level 2. You should see the following image. These challenges are fairly simple and should only require a basic knowledge of web application security testing. The first challenge only required you to view the page source of the application to solve it. This challenge is no different.

Hack This Site Basic Level 2

It says “Network Security Sam set up a password protection script. He made it load the real password from an unencrypted text file and compare it to the password the user enters. However, he neglected to upload the password file…”

Solving HTS Basic 2

So what this means is that there is no password file to check the user-submitted password against. One would hope that this would mean it was an automatic failure. Unfortunately not: if you are entering nothing and comparing it to nothing, then it’s going to be correct.

So, as there is no password file, there is no password to check, so submitting the form with an empty password will be authenticated.

Congratulations, you have just completed level 2.

This challenge may seem a bit silly, but you would be surprised at how often simple things are overlooked with authentication mechanics and access control restrictions. When testing a web application, always go through and test without usernames and passwords, default credentials and commonly used credentials. Anyway, that’s all for this post. I hope it helped you solve it and move on to the next one.

Hack This Site: Basic Web Challenges – Level 1

Hello world and welcome to haxez. This post is about web hacking and walks through the basic challenge level 1 on Hack This Site. This is a short and sweet article today as I’m going away for the weekend. This challenge is fairly easy even for the less computer literate. The purpose of this challenge is to get the user to view the source code of the application in order to retrieve the poorly hidden password. After creating an account and logging in, head over to the basic challenges and go to basic challenge 1. You should be greeted with a screen like the one below.

Hack This Site view page source

Basic 1 Page Source

This challenge is a basic challenge that asks you to find the hidden password for the input box on the page. One of the most fundamental skills in web application testing is to view the page source. This can easily be achieved by right-clicking on the page and selecting view page source from the context menu. Once you have the page source window open, you should see a lot of code.

You can manually look through the code, or you can hit Ctrl+F, which should bring up the search box. Once the search box is up, you should be able to search for the word password and the search facility should automatically jump you to the section of code that contains the password.

Hack This Site basic 1 search for password
Hack This Site searching for password

As you can see from the snippet of code below, you should be able to retrieve the password and submit it to the application. The password is 0c620cce.

Hack This Site Basic 1 Page Source

Congratulations, you have completed Basic challenge 1. I know this one was very easy but I love Hack This Site and didn’t feel that my blog would be complete without it.

Hack This Site Basic 1 congrats