HackThisSite

From Embedded Lab Vienna for IoT & Security

HackThisSite is a free training platform for testing and developing hacking skills. The philosophy of the site is that everyone should have free access to information and that hacking should not be a skill mastered by only a minority. The core of the website is its challenges, which are divided into different difficulty levels and approaches. A user account must be created in order to complete the missions/challenges. The website offers the following areas:

  • Basic Missions: Beginner missions that cover basic weaknesses such as finding passwords and server-side includes.
  • Realistic Missions: Scenarios that simulate real-world web applications and offer more complex challenges.
  • Application Challenges: Missions that focus on vulnerabilities in programs and scripts.
  • Programming Missions: Exercises in writing secure program code.
  • Community: A forum and chat areas to share experiences and get tips.

To show how the website works, two basic missions and one realistic mission are presented below. For each task it is explained step by step how to approach it and how it is solved.

Example Basic Mission

Every Basic mission requires you to find a password. A task text is always provided to help you solve the challenge.

Basic 7

After a year is entered, this task displays a calendar divided into months, each laid out by calendar week.

Basic Mission 7 Picture 1

Basic Mission 7 Picture 2

As the mission description tells us, the web server is UNIX-based. This means the usual shell commands are available to us if the web server does not sanitise its input. If we now enter a year followed by ";ls" in the input field, we get the following result:

Basic Mission 7 Picture 3

The server executes its actual calendar-generation function and then the appended “ls” command as well. We can now see which files are present in the directory. The file “k1kh31b1n55h.php” contains the password for this challenge. All that remains is to enter the password in the input field, and the task is solved.
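The mission's server hands the submitted year to a shell, which is why ";ls" runs as a second command. As an added example (not code from HackThisSite or this article), the handler below shows the usual fix: validate the year strictly and pass it to cal(1) as an argument list, so no shell ever parses user input.

```python
"""Added example (not HackThisSite's code): a hardened handler for the
Basic 7 calendar input. The mission's server passes the submitted year
to a shell, which is why "2024;ls" also runs ls. The fix below validates
the year strictly and never hands user input to a shell."""
import re
import subprocess

# Only a plain four-digit year is accepted; everything else is rejected.
_YEAR_RE = re.compile(r"\d{4}")


def is_valid_year(raw: str) -> bool:
    """True if raw (ignoring surrounding whitespace) is a four-digit year."""
    return _YEAR_RE.fullmatch(raw.strip()) is not None


def build_command(raw: str) -> list:
    """Return the argv for cal(1) as a list, so no shell ever parses it."""
    if not is_valid_year(raw):
        raise ValueError(f"invalid year: {raw!r}")
    # The list form means a value like "2024;ls" could never be read as a
    # second command even if validation were bypassed.
    return ["cal", raw.strip()]


def render_calendar(raw: str) -> str:
    """Run cal(1) without a shell and return its output (needs cal installed)."""
    result = subprocess.run(build_command(raw), capture_output=True,
                            text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    for sample in ("2024", " 1999 ", "2024;ls"):
        try:
            print(sample.strip(), "->", build_command(sample))
        except ValueError as exc:
            print(sample.strip(), "-> rejected:", exc)
```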

Basic 9

In this example, a password has to be entered again. There is no input field for a command. However, the input fields of other challenges can be used to obtain the password for Basic 9.

Basic Mission 9 Picture 1

In mission 8, the two commands shown in the pictures below can be entered to open the files for mission 9 in a new tab. Now you only need to enter the password in the input field, and this task is complete.

Basic Mission 9 Picture 2

Basic Mission 9 Picture 3

Example Realistic Mission

The realistic missions come in different levels of difficulty (easy to very difficult). Each task has a description of what needs to be done. When you start a mission, the target page opens in a new tab.

Realistic 11

In this realistic challenge, the task is to retrieve a backup of the original community (space46) from a website that has been taken over by a hacker. This example can be solved with a form of code injection.

If we change the URL to https://www.hackthissite.org/missions/realistic/11/page.pl?page=%7Cls%7C and the website is not secured against this injection, we get a listing of all files in the folder:

Realistic Mission 11 Picture 1
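The page parameter is handed to a file open, which is how "|ls|" turns into a command. As an added example (not code from HackThisSite or this article), the snippet below shows the defensive side: an allowlist lookup for the page parameter, plus a small check over constructed access-log lines that flags page.pl requests whose page value is not on the allowlist. The allowlist, document root and log lines are all constructed for the example.

```python
"""Added example (not HackThisSite's code): hardened handling of the
page parameter abused in Realistic 11, plus a log check for it.
page.pl passes the page name to a file open, so "|ls|" becomes a
command. The allowlist, document root and log lines are constructed."""
from pathlib import Path
from urllib.parse import parse_qs, urlsplit

PAGES = {"index": "index.html", "news": "news.html"}   # allowlisted pages
DOCROOT = Path("/var/www/site")                        # placeholder root


def is_allowed_page(page: str) -> bool:
    """True only for page names that are explicitly allowlisted."""
    return page in PAGES


def resolve_page(page: str) -> Path:
    """Map the page parameter to a file under DOCROOT or raise ValueError."""
    if not is_allowed_page(page):
        raise ValueError(f"unknown page: {page!r}")
    path = (DOCROOT / PAGES[page]).resolve()
    if DOCROOT.resolve() not in path.parents:          # defence in depth
        raise ValueError("page escapes document root")
    return path


def suspicious_pages(log_lines) -> list:
    """Return decoded page= values of page.pl requests not on the allowlist."""
    hits = []
    for line in log_lines:
        parts = line.split('"')                        # request is quoted
        if len(parts) < 2:
            continue
        request = parts[1].split(" ")                  # METHOD PATH PROTO
        if len(request) < 2 or "page.pl" not in request[1]:
            continue
        query = parse_qs(urlsplit(request[1]).query)   # also URL-decodes
        for value in query.get("page", []):
            if not is_allowed_page(value):
                hits.append(value)
    return hits


# Constructed access-log lines in common log format.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /page.pl?page=index HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /page.pl?page=%7Cls%7C HTTP/1.1" 200 77',
    '10.0.0.9 - - [01/Jan/2024:10:00:09 +0000] "GET /page.pl?page=admin HTTP/1.1" 404 210',
]

if __name__ == "__main__":
    print(suspicious_pages(SAMPLE_LOG))
```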

Now we can append the listed file names to the URL to view them. With “client_http_docs” we reach an index page.

Realistic Mission 11 Picture 2

The “therightwayradio” folder leads to another index page that allows user input. One of the posted comments has an author whose profile data can be viewed.

Realistic Mission 11 Picture 3

The current URL references user accounts by ID. By changing the ID, you can access the profile of “aclu_bomber_08290” via https://www.hackthissite.org/missions/realistic/11/client_http_docs/therightwayradio/?page=userinfo&id=0.

Realistic Mission 11 Picture 4

On this page there is an edit button and an option to change the password (e.g. to aclu_bomber_08290). We can now log in as “aclu_bomber_08290” on this page. As a logged-in user, we have several functions at our disposal; among other things, a “mod” link takes us to a page with an SQL input field.

Realistic Mission 11 Picture 5

With the following SQL statements we get the user list:

   SELECT name FROM sqlite_master WHERE type='table';
   SELECT * FROM web_hosting;

Among the users listed are:

  • space46/notofthisworld
  • wonderdiet/suckereveryminute

Now we try these credentials at https://www.hackthissite.org/missions/realistic/11/admin/. With “wonderdiet” we get to the administration page.

Realistic Mission 11 Picture 6

Via the menu item “download” we can display page content. If we now change the requested URL so that it points to the source file of the user “space46”, we get the desired backup of the community: https://www.hackthissite.org/missions/realistic/11/admin/d.pl?file=/var/www/budgetserv/html/client_http_docs/space46/src.tar.gz

After entering this URL, the page closes and the task is complete.

Alternatives

References

Note: Unfortunately, HackThisSite was no longer available at the time the article was published.