Hello everyone! Today, I'm going to finish up the "basic" challenges from HTS!
So for this challenge, you have to actually go back to basic 8, as that's where this operates from. Here, we need to use some more SSI, just like we did in basic 8, but this time, we need to use a little directory traversal (and maybe just some common sense). So we know we're in ../../8 right now, what if it's just sequential? Let's give it a try.
Looks like we have a winner! Navigate to that php file, and grab your password!
Don't let this challenge scare you away. You don't need to be a JS wizz in order to complete this. You do however, need to understand what a cookie is.
To begin with, I'm going to enter something in the password field to see how it handles the input. You can type whatever you'd like, I typed "letmein". Here was the response:
Yeah, we'll see about that... There are a few ways you can handle this, and the easiest (in my opinion) is through a Firefox extension called Cookie Manager. With this, I'm going to edit the properties of the cookies that this site gives when you attempt to authenticate. Notice there was no mention of a password file like the other challenges. So, go ahead and launch Cookie Manager:
You should be greeted with something like this:
See that bit that says "level10_authorized" and the "no" value next to it? You're going to use the edit button at the far right side to change that to a yes.
Once you save this value, go back to the page that told you you're unauthorized, and refresh the page. This will cause the site to query that cookie again, and from here, you should be done!
Basic 11 - End of Basic
We're finally to the end of the basic challenges on Hack This Site! By now you should have some basic familiarity with legacy (or poorly configured) web applications. Let's get started.
Okay, so for starters, when creating a web page, one thing that's hard to protect against is directory traversal. If you have something public facing, someone will find it. Let's check for an index page, at "/index".
That's interesting. Another song title. Let's google it... Elton John? From here, out of curiosity, I added ".php" to the end of "index", and got a password form! Let's give Dirbuster a spin to check for any other directories that may be available. You can use any list you want, most should be fine.
Dependent on your list and other settings, you'll eventually get some directories. One of those is "/e". Take a look. Eventually you'll spell out the rest of "elton". From here, some basic knowledge of apache helps. In apache, we have the option for a file called ".htaccess", this allows for quick configuration changes. Now let's see if that exists under "/e/l/t/o/n/".
Here, we have "DaAnswer.*" that looks interesting. Add "DaAnswer" to the end of "/e/l/t/o/n/". Don't let it fool you, the password is right in front of your face. They're literally telling you the password.
(password == somewhere)
Go back to 11/index.php and input the password you found (it will probably be different when you do it).
You're all done with the basic challenges, congratulations!! On to bigger and better things!