Welcome back! This time, we're going to go over some more of the basic challenges over on Hack This Site!
This one is basically the same as basic 4, you're gonna take a look at the code for the webpage, and then replace Sam's email with yours. The program is supposed to more secure through referer validation, but it still isn't secure enough to protect from this simple "hack". So long as you use your HTS email, you should get the password and then see the following upon submission:
Now we start getting into some pretty interesting stuff. Let's play with the field to encrypt a string here. I'm going to use the "encrypted password" and pass it through, just to see what happens.
Look at that! The first character remained the same.. but wait, the 2nd character increased in value by 1.. and the 3rd increased by two?? But what if.. Hm.
Yes, I was right. The first digit remains the same, the 2nd increases by 1, 3rd by 2, 4th by 3, and so on.. (you could also think of it the terms of an array, postition 0= + 0, position 1 = + 1, etc). But where are these symbols coming from? They're ASCII characters. You'll use the "char column" in an ASCII chart such as the one below, and just move down a position to find the value you're looking for: f to e, 8 to 7, etc..
For my decrypted password, I got "f5166ba5". Note that yours will be different as your encrypted password will be different. From here just submit and move on!
And oh man, Sam... You messed up bud.
Go ahead and navigate to that php file with your browser and you'll get your password to move on to the next challenge.
Let's try a couple of commands using SSI. First, I'm going to take a look at what's in the current directory with "<!--#exec cmd="ls"-- >
Hmmm.. I don't see anything that stands out from this. Let's see what directory we're actually in, we'll do this with "<!--#exec cmd="pwd" -->"
Well.. Looks like we aren't supposed to know where we are.. (although, it does tell you in the URL bar)
Hmmm... Let's just try to see what's in the root directory. We'll do this with "<!--#exec cmd="ls .." -->"
That looks like success to me! Go ahead and navigate to that first .php file and you'll get your password to move on!
That's it for today! I hope you enjoyed it! Next time, keep your eye out for a way on to the Easter egg page.