HTS.org R7 challenge

passwords
login
challenge
webhacking

#1

Preface

After a break because life kept me busy the next part of this beginner series is here.
I will try to finish these articles rather quick now if they are staying on the this level, since I wanna
dive deeper into different waters but in the end I dislike unfinished projects.

As always:
I stated my reasoning behind this article series in the first article which can be found here.
To avoid redundancy please check out the preface over there and let’s get right into action!

note: If I write non sense in this and the next following articles please correct me for the sake of me and others not getting confused and mixed up with things :slight_smile: .

Author Assigned Level: Wannabe

Community Assigned Level:

  • Newbie
  • Wannabe
  • Hacker
  • Wizard
  • Guru

0 voters

Required Skills

Since we’re starting at the beginning not much knowledge is required at the moment.

  • knowledge about html
  • knowledge about web page structure

Disclaimer

These write ups are only my 2 cents on the challenges. So don’t take them too seriously. :wink:


HTS.org realistic challenges

Realistic challenge 7

Message:

Friend of freedom and liberty, I invite you to take a look at the hate speech being spewed over the web at http://www.hackthissite.org/missions/realistic/7/. It’s so funny that conservatives keep saying they want to protect the values of America - freedom, tolerance, and democracy - but when it comes to personal choices like private marijuana use or same-sex marriages, they damn them to burn in eternal hell and send them to jail.
This is a personal freedom issue. No one else is hurt if two consenting adults decide to marry. But people who claim to have the moral high ground decide to ruin it for everyone else and discriminate against same-sex couples. To think that they are talking about making a constitutional amendment to STOP OUR FREEDOM TO MARRY is ludicrous. This injustice must be stopped.
There is an admin section on that website somewhere, perhaps hidden among their directory structure. It would be a great fight against moral tyranny and a victory for freedom if you could somehow hack into their website. Thank you.

What can we extract from the message?

  • there is an admin section
  • there is a directory structure

The site:

Another simple web page we can navigate through. At first site we have some links and some picture. We should be familiar with this by now.

The source

Not much to see here. If you wanna take a closer look see for yourself :slight_smile:

The ‘hack’

This one is fairly easy as you will see now.

That’s basically the site…

After clicking around a bit we can inspect the URL a little further…
Okay we have a .php script running for something

When clicking on a picture we can see how the URL has changed. So we found our directory structure…

So we can try to traverse it as always…

Bingo!
Now we can use this little trick:

Who hasn’t heard about .htaccess or .htpasswd click here or here

So we can so we have a broken image on the web page now. Well of course this ain’t a picture we just addressed in the URL…
So inspection time:

So we found our login name… but our password seems to be some kind of hash…
We learned how to use good old john in one of the last challenges so let’s save this login/password combo in a file and hand it over to john.

Done! We found our login data
Now can access the /admin directory and login normally

So why does this work?

.htaccess revealed this. We dealt with .htaccess before too…

Conclusions

This little challenge was another reminder on how to check for insecure web pages…
Nothing much was done here honestly…
The next article of the series can be found here once it’s up!!

Stay tuned :wink:


(Ne0_) #2

Ah, hackthissite. Good times, good times indeed.

Thanks for the write-up. I’m sure it will help people who get stuck.