Hack This Site - Basic Challenges (all 10) guide (not walkthrough!)
Introduction
The internet is full of walkthroughs and guides that give you the solution. I could write those, but that takes away from your sense of victory. Rather than "this is how you do it", I will write hints and "this is how this concept works". So let's begin.
RANT: I'm going to repeat this over and over again, but there is no shortcut into cyber security, and if you think I'm going to give you a guide you can flick through in half an hour and then hack NASA, that is a million miles from reality. To actually exploit a real-world system you first need to understand the workings of that technology well enough to guess what the developers did. You might get lucky with a Metasploitable-style service, but I can almost guarantee (unless you got there first in a bug bounty) you will get caught. Basically: study hard, do not break the law and, most importantly, stop looking for shortcuts. Always make sure you only target your own machines or ones you have permission for, and if you don't fully understand how to ensure you hit the right target, do not launch even an nmap scan.
Anyway, Hack This Site has some really cool, simple enough challenges we can do with just a web browser, so let's do them!
The Guide
Basic 1 - OK, this is called the idiot test so I don’t have any guidance here. You’re on your own for this one.
On a completely unrelated note, something I've seen a lot of students do that is really bad practice is storing credentials in code comments. The issue is forgetting to remove the comments before shipping, and anything in HTML or JavaScript is delivered to every visitor's browser, comments included. It's arguably worse than forgetting to change default creds.
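As an added example (not code from the original post), here is the check a reviewer would actually run before a page ships: pull every HTML and inline-JavaScript comment out of a page and flag the ones that mention anything credential-like. The sample page, the keyword list and the "Summer2019!" value are all constructed for this example.

```python
import re

# Constructed sample page for this example: a login form whose developer left a
# "temporary" note in an HTML comment and a debug note in a script block.
SAMPLE_HTML = """<html><body>
<!-- TODO remove before launch: test login is admin / Summer2019! -->
<form method="post" action="/login">
  <input name="user"><input name="pass" type="password">
</form>
<!-- page footer -->
<script>
  // debug: api_key = "dev-key-not-real"
  function go() {}
</script>
</body></html>"""

HTML_COMMENT = re.compile(r"<!--(.*?)-->", re.S)
# Naive JS comment matcher for the demo: it would also catch the "//" in a URL literal,
# which is acceptable for a scan meant to be reviewed by a human.
JS_COMMENT = re.compile(r"//([^\n]*)|/\*(.*?)\*/", re.S)
SCRIPT_BLOCK = re.compile(r"<script[^>]*>(.*?)</script>", re.S | re.I)
CRED_WORDS = re.compile(
    r"\b(pass(word)?|pwd|login|secret|api[_-]?key|token|credential)\b", re.I
)

def find_comments(html):
    """Return the body of every HTML comment and every comment inside <script> blocks."""
    found = [m.group(1).strip() for m in HTML_COMMENT.finditer(html)]
    for script in SCRIPT_BLOCK.finditer(html):
        for m in JS_COMMENT.finditer(script.group(1)):
            found.append((m.group(1) or m.group(2) or "").strip())
    return found

def suspicious_comments(html):
    """Comments that mention something credential-like: these need a human look."""
    return [c for c in find_comments(html) if CRED_WORDS.search(c)]

if __name__ == "__main__":
    for c in suspicious_comments(SAMPLE_HTML):
        print("REVIEW:", c)
```

Run it over the HTML you get from "view source" (or a saved copy of a page); anything it prints is a comment that never belonged in the delivered page.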
Basic 2 - This is a great one because it highlights that you need to first understand how the system works before you can exploit it.
I'll expand on what the task says. When the submit button is clicked, it will compare the input to the content of the file… that Sam… HINT: It's far easier than you think, and if you get stuck, sometimes just clicking things works.
Basic 3 - We can use the URL bar to try to navigate to any page the server will hand out. Inspect Element is our friend.
Basic 4 - PHP runs server side, which lets the devs hide what's actually happening from the user. Sam should have hard-coded his email into the PHP; then we'd never see it, but he hasn't.
Hint: having his email address is relevant; we don't care what his email is. Hint 2: when HTML submits data to PHP, it's passing values to variables in code that is then executed to perform whatever function. This is how code injection works, but here you don't want to inject code.
Basic 5 - Sometimes devs think they've fixed a problem and they haven't. This is why it's important to learn how the hack works, so that when you do patch systems, the patches actually work!
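The point behind Basic 4 and Basic 5, shown as an added example rather than anything from the challenge itself: a form field shipped to the browser (hidden or not) is just a value the client chooses to send back, so a handler that reads the recipient from the form can be pointed anywhere, and a JavaScript check in the page does nothing to stop that. The hardened handler keeps the address server side and re-validates on the server. The handler names, the field names and the sample request bodies are all constructed for this example; `parse_qs` is standing in for the way PHP fills `$_POST` from the submitted fields.

```python
from urllib.parse import parse_qs

ADMIN_EMAIL = "admin@example.com"   # constructed; in PHP this would be a constant in the script

def parse_form(body):
    """Turn an application/x-www-form-urlencoded POST body into a dict of single values,
    the same way the server populates its request variables from whatever the browser sent."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}

def reset_handler_vulnerable(body):
    """Trusts a hidden 'to' field that the page delivered to the browser.
    Whoever edits that field in dev tools chooses where the reminder goes."""
    form = parse_form(body)
    return {"to": form.get("to", ""), "action": "send password reminder"}

def reset_handler_fixed(body):
    """Ignores any client-supplied recipient; the address only ever exists server side.
    Any check the page's JavaScript performed is repeated here, because the server
    cannot know whether that JavaScript ran."""
    form = parse_form(body)
    if form.get("confirm") != "yes":
        raise ValueError("confirmation missing")
    return {"to": ADMIN_EMAIL, "action": "send password reminder"}

# Constructed requests: a normal submission, and one where the hidden field was edited.
NORMAL = "to=admin%40example.com&confirm=yes"
TAMPERED = "to=attacker%40evil.example&confirm=yes"

if __name__ == "__main__":
    print("vulnerable:", reset_handler_vulnerable(TAMPERED))
    print("fixed:     ", reset_handler_fixed(TAMPERED))
```

The only difference between the two handlers is where the recipient comes from; that is the whole fix, and it is why "we don't care what his email is": the address is a server-side decision, not something the page should ask the browser for.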
Basic 6 - encrypt a long string of a's (aaaaaaaaaaaaa) and use the output to work out the pattern.
HINT: The encrypted password (for me, but I'm told it's random for everyone) is 07c9i6:8; the first decrypted digit is 0, the second is 6.
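The method the hint is nudging you towards, as an added example that is not the challenge's own code: encrypt a probe string you know (all a's), compare it with what comes back to learn what was done at each position, then apply that backwards to the ciphertext. The cipher implemented here is an assumption made for the example (each character is shifted by its position in the string); it is chosen only because it reproduces the page's hint that 07c9i6:8 decrypts to something starting "06", and the recovery functions do not depend on it, since they only use the probe's output.

```python
# ASSUMED cipher for illustration: character i is shifted forward by i code points.
# This is not a claim about what the challenge uses; it is the "black box" we probe.
def toy_encrypt(plaintext):
    return "".join(chr(ord(c) + i) for i, c in enumerate(plaintext))

def infer_shifts(known_plain, observed_cipher):
    """Per-position shift revealed by encrypting a known string such as 'aaaaaaaa'.
    'a' -> 'b' at position 1 means shift 1, 'a' -> 'c' at position 2 means shift 2, ..."""
    return [ord(c) - ord(p) for p, c in zip(known_plain, observed_cipher)]

def decrypt_with_shifts(ciphertext, shifts):
    """Undo the shifts position by position. The probe must be at least as long as the
    ciphertext, otherwise there is no observation for the trailing positions."""
    if len(shifts) < len(ciphertext):
        raise ValueError("encrypt a probe string at least as long as the ciphertext")
    return "".join(chr(ord(c) - s) for c, s in zip(ciphertext, shifts))

def recover(ciphertext, probe="a" * 16):
    """The whole workflow: encrypt a probe, learn the shifts, apply them backwards."""
    shifts = infer_shifts(probe, toy_encrypt(probe))
    return decrypt_with_shifts(ciphertext, shifts)

if __name__ == "__main__":
    print("probe  :", toy_encrypt("aaaaaaaa"))
    print("shifts :", infer_shifts("aaaaaaaa", toy_encrypt("aaaaaaaa")))
    print("recover:", recover("07c9i6:8"))
```

Against a real black box you replace `toy_encrypt` with "paste the probe into the form and read the result"; `infer_shifts` and `decrypt_with_shifts` stay exactly as they are, which is the lesson: once you can see how a transformation treats known input, you rarely need to know its name.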
Basic 7 - This is some basic command injection: your input ends up inside a shell command. A semicolon ends a shell command, so whatever follows it runs as a separate command. In other unrelated news, ls lists the contents of a directory on Linux. Then add the file name to the end of the URL.
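What the semicolon actually does, shown as an added example (not the challenge's code) with `echo` standing in for whatever program the challenge wraps, since the shell behaves the same either way. The three handlers differ only in how the user's value reaches the program: glued into a shell string, passed as a separate argv element, or allow-listed first. Payloads and function names are constructed for this example; it assumes a POSIX shell at `/bin/sh`.

```python
import re
import subprocess

# Constructed inputs: what the form expects, and what an attacker types instead.
CLEAN = "2024"
INJECTED = "2024; echo INJECTED"

def run_vulnerable(user_input):
    """String concatenation plus shell=True: the ';' ends 'echo 2024' and the shell
    happily runs 'echo INJECTED' (or 'ls', or anything else) as a second command."""
    out = subprocess.run("echo " + user_input, shell=True,
                         capture_output=True, text=True)
    return out.stdout

def run_no_shell(user_input):
    """No shell involved: the whole value is one argument, so ';' is just a character.
    Safe against injection, but it still passes garbage through to the program."""
    out = subprocess.run(["echo", user_input], capture_output=True, text=True)
    return out.stdout

def run_fixed(user_input):
    """Allow-list the value (a year here) and still keep the shell out of the picture."""
    if not re.fullmatch(r"\d{1,4}", user_input):
        raise ValueError("expected a year")
    out = subprocess.run(["echo", user_input], capture_output=True, text=True)
    return out.stdout

if __name__ == "__main__":
    print("vulnerable:", repr(run_vulnerable(INJECTED)))
    print("no shell  :", repr(run_no_shell(INJECTED)))
    print("fixed     :", repr(run_fixed(CLEAN)))
```

The first output has two lines because two commands ran; the second has one line containing a literal semicolon, because nothing parsed it. The PHP equivalent of the bad version is `system("cal " . $_GET['year'])`, and the fix is the same: validate, and never let user input reach a shell parser.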
Basic 8 - This is a server-side include (SSI) attack, see here. Remember you're looking for a PHP file.
If you manage to get this..
Well done. I should now mention that to go up a directory you use ../ (that's up one, ../../ is up two, etc.).
Basic 9 - after the domain name in the URL comes a path, which is a file structure on the server. HINT: modify what you just did. HINT 2: with a number.
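How `../` is resolved, and what a server should do about it, as an added example covering the directory-climbing point from Basic 8 and the path-as-file-structure point from Basic 9 (this is not code from the challenge or the post). `resolve_request` collapses `.` and `..` the way the filesystem would and refuses any result that lands outside the document root; `climb` just counts how far above the starting directory a path ends up, which is the "../ is up one, ../../ is up two" rule made mechanical. The document root and request paths are constructed for this example.

```python
import posixpath

DOCROOT = "/var/www/html"   # constructed document root for the example

def resolve_request(docroot, requested):
    """Join the request path onto the document root, collapse '.' and '..', then refuse
    anything that no longer sits under the root. normpath is purely textual; a server
    that must also defeat symlinks would use realpath on the real filesystem."""
    joined = posixpath.normpath(posixpath.join(docroot, requested.lstrip("/")))
    if joined != docroot and not joined.startswith(docroot + "/"):
        raise PermissionError(f"{requested!r} escapes {docroot}")
    return joined

def climb(requested):
    """Number of levels above the starting directory the path reaches at any point
    (0 if it never leaves it). 'a/../b' stays level; '../../x' climbs two."""
    depth = 0
    lowest = 0
    for part in requested.split("/"):
        if part == "..":
            depth -= 1
            lowest = min(lowest, depth)
        elif part and part != ".":
            depth += 1
    return -lowest

if __name__ == "__main__":
    for p in ["index.html", "images/../index.html", "../../outside.txt"]:
        try:
            print(p, "->", resolve_request(DOCROOT, p), "climbs", climb(p))
        except PermissionError as e:
            print(p, "-> rejected:", e)
```

The first two requests resolve to the same file, which is why a server that only string-matches the request (rather than the resolved path) is easy to fool; the third climbs two levels and is rejected.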
Basic 10 - Sometimes we don't even need a password. It's all about cookies! There are a few ways I can think of doing this; if you want to fire up a Kali box, go ahead and intercept, but this can be done in the browser. HINT: browser extensions like EditThisCookie (for Chrome) make cookie editing very easy, and the browser's own dev tools can edit cookies too.
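Why editing a cookie can stand in for a password, and what the fix looks like, as an added example (not the challenge's code): a cookie is stored by the browser and sent back verbatim, so a server that decides "authorized" from a plain flag in the cookie is letting the client decide. The hardened version ties the same flag to an HMAC computed with a key that exists only on the server, so an edited value fails the check. Cookie names, the user name and the key are constructed for this example.

```python
import hashlib
import hmac
from http.cookies import SimpleCookie

SERVER_KEY = b"constructed-example-key"   # never leaves the server

def is_authorized_vulnerable(cookie_header):
    """Trusts a flag the browser holds. Changing 'no' to 'yes' in dev tools is the attack."""
    jar = SimpleCookie(cookie_header)
    return "authorized" in jar and jar["authorized"].value == "yes"

def sign(value):
    """HMAC-SHA256 over the cookie payload, keyed with the server-only secret."""
    return hmac.new(SERVER_KEY, value.encode(), hashlib.sha256).hexdigest()

def issue_cookie(user):
    """What the login handler would set after a real password check succeeded."""
    value = f"{user}:authorized"
    return f"{value}|{sign(value)}"

def is_authorized_fixed(cookie_header):
    """Same idea, but the flag only counts if the MAC matches. Without SERVER_KEY a
    client cannot produce a valid MAC for an edited payload."""
    jar = SimpleCookie(cookie_header)
    if "session" not in jar:
        return False
    value, _, mac = jar["session"].value.rpartition("|")
    return hmac.compare_digest(mac, sign(value)) and value.endswith(":authorized")

if __name__ == "__main__":
    print("edited flag, weak check :", is_authorized_vulnerable("authorized=yes"))
    good = issue_cookie("alice")
    print("issued cookie, fixed    :", is_authorized_fixed("session=" + good))
    forged = "session=mallory:authorized|" + good.split("|")[1]
    print("edited payload, fixed   :", is_authorized_fixed(forged))
```

A signed cookie still needs HttpOnly, Secure and an expiry in practice, and a server-side session ID is simpler still; the point here is only that authorization state must be something the client cannot write.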
Conclusion
So all of these can be done in the browser, so no specialist tools are needed, but they do need some knowledge of how web technologies work (even if basic). But, assuming you didn't cheat, how good does exploiting stuff (legally) feel?!
Going forward I will cover the realistic challenges and move on to some VMs and web apps. There's a small chance I'll cover wireless attacks, because my students are likely not to listen to the safety stuff and de-auth their friends! Maybe I can implement a disclaimer/terms of sorts. But this is supposed to be a blog post, and it's in a Google Doc because I haven't worked out how I'm building the website yet.