Hello everyone! I solved all the basic missions on HackThisSite. I want to share with you how I solved it. I hope that it will be useful for you :)
- I clicked to view of source code in page. And I saw that there is password.
I clicked to submit button. And I logged in. Because coder did not define any password. He didn’t set any password. I logged in without any security mechanism.
-I clicked to view of source code in page. I saw that there is password.php directory.
- I visited this directory. And I saw that there is password.
- He assigned value in the Elements. I can change those element in the page.
-I changed with my Email.
-Then I saw this notification.
-Then I cheched my email box. And I saw that there is password reminder.
-I used BurpSuite to solve this problem. I intercepted data between server and user.
- Then I changed with my email.
- I released the data. Password reset message came to my mail.
I tried to encrypt 12345 and the encrypted string was 13579.
so by analyzing this, I got that
the first will be as it is
the second will be incremented by 1
the third will be incremented by 2
the fourth will be incremented by 3 and so on
- I checked in ASCEE table. And I found 4b5g7>=m password.
- This form is not secured. Indeed, I can inject commands in the date field. Try to enter “;ls -l”.
- -It will produce a calendar and the result of our command. We see a file named “k1kh31b1n55h.php”.
- -By calling this file in the url (http://www.hackthissite.org/missions/basic/7/k1kh31b1n55h.php), we get the password: 9e171498.
This time I had to inject the server, so writing
- Produces a file containing au12ha39vc.php.
- -Add this file in the URL to discover the password: .
-I have to back to challenge 8' page
and inject this “<! — #exec cmd=”ls ../../9” — ->”
-The result of the previous command is as shown in the picture below
-Go to p91e283zc3.php, and I found the password.
I intercepted cookie. I saw that level_authorized is No.
- I changed with “yes” this value.
- First I give the url and search for files with .php extension in online directory scanner.
- -So, I have found a file.Now visit it as:
- There is our login page.still we are stuck!we don’t have the password or any hint in the source code of this page. Lets run another scan on the URL Fuzzer ,this time for directories
- There are two possible directories. first we try /index/ ..but it seems no change it shows a new line .
- Now, try /e/
- Found a new directory in it.
- /l/ ,and there are more directories /t/,/o/,/n/
- in the end we are on a blank page,with just link to parent directory.
- We know Sam uses Apache in this website so he must have used .htaccess file so i tried to check if .htaccess exist in this directory.Yes it is!
- When you open the .htaccess file
HTACCESS FILE CONTAIN:
- Here DaAnswer seems suspicious! so lets try it ! add DaAnswer after e/l/t/o/n/
- when added DaAnswer,it automatically turned to .txt
- Inside that this line was found:
- The answer is right here! Just look a little harder.
- Then I logged with this password in index.php . İt is done!