Mar 7, 2012

HTS Basic Missions 7-11


BASIC MISSION 7
This mission requires basic knowledge of Linux shell commands and operators. The command "ls" lists the contents of a directory, while the semicolon (";") character ends one command without requiring a newline / RET. You need to end the "cal" command and run ls. Enter "; ls" without quotes into the box where you are supposed to enter the date. You'll see this interesting output:
 
       February 2012
Mon Tue Wed Thu Fri Sat Sun
          1   2   3   4   5
  6   7   8   9  10  11  12
 13  14  15  16  17  18  19
 20  21  22  23  24  25  26
 27  28  29
.
..
cal.pl
index.php
k1kh31b1n55h.php
level7.php
Now head to http://www.hackthissite.org/missions/basic/7/k1kh31b1n55h.php




BASIC MISSION 8
When a name is entered, the system creates a file in /basic/8/tmp/randomjunk.shtml with some irrelevant information in it. If you Google for ".shtml" you'll see that it is an extension for Server Side Include (SSI) executables. Googling for "ssi exec" you'll find that <!--#exec cmd="command" --> will return the output from running "command". We know that this is a Linux/Unix server from the directory style, starting with "/" instead of "C:\", so we'll use the "ls" command to list the contents of the directory. Put “<!--#exec cmd="ls" -->” as your name and then go to the created file. You should see a list of randomly named files in the name area like
Hi, tshngmww.shtml hipykpqu.shtml ztxdhjxn.shtml avpfeoie.shtml fviqpmaw.shtml kqbybdzc.shtml dzrnmzgx.shtml npcsygfl.shtml whqxxojt.shtml ylomcmvu.shtml uhdppswp.shtml gzntiicx.shtml dzwbqiuu.shtml qvzuieng.shtml smcerykh.shtml qjhnmhmq.shtml znodwztr.shtml!
 
Your name contains 254 characters.

Using the combination of this and directory traversal (Google it: "." is the current directory, ".." is one directory up) we can go from webroot/missions/basic/8/tmp/ to webroot/missions/basic/8/ without having to specify the full path. Put “<!--#exec cmd="ls .." -->” as your name and then go to the created file. You should see a list of randomly named files in the name area like
Hi, au12ha39vc.php index.php level8.php tmp!
Your name contains 39 characters.

Voila, you have made it. Now just head to http://www.hackthissite.org/missions/basic/8/au12ha39vc.php




BASIC MISSION 9
For this mission you must use directory traversal instead of the full path. Go back to Basic Mission 8 of Hack This Site (http://www.hackthissite.org/missions/basic/8/), put “<!--#exec cmd="ls ../../9/" -->” into the name box as your name and then go to the created file. You should see a list of randomly named files in the name area like
Hi, index.php p91e283zc3.php!
 
Your name contains 24 characters.
Voila, your obscured file is p91e283zc3.php. Now just head to http://www.hackthissite.org/missions/basic/9/p91e283zc3.php
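
Missions 8 and 9 both work because the name is written into the .shtml file unescaped. The sketch below is an added example (not code from HackThisSite or from this post; the function names and the name "alice" are made up) showing the raw rendering next to an HTML-escaped one, with a small scanner that reports any SSI directive that survives.

```python
import html
import re

# An SSI directive as Apache parses it: <!--#element attributes -->
SSI_DIRECTIVE = re.compile(r"<!--#(\w+)(.*?)-->", re.DOTALL)


def find_ssi_directives(page):
    """Return (element, attributes) for each live SSI directive in page."""
    return [(m.group(1).lower(), m.group(2).strip())
            for m in SSI_DIRECTIVE.finditer(page)]


def render_unsafe(name):
    """Mission-style behaviour: the raw name is written into the .shtml file."""
    return f"Hi, {name}!"


def render_safe(name):
    """Escape <, >, & and quotes so the name can never open a directive."""
    return f"Hi, {html.escape(name, quote=True)}!"


def audit(names):
    """For each name, list directives surviving each rendering."""
    return [(n, find_ssi_directives(render_unsafe(n)),
             find_ssi_directives(render_safe(n))) for n in names]


# Names taken from the walkthrough, plus one harmless constructed name.
SAMPLE_NAMES = [
    "alice",
    '<!--#exec cmd="ls" -->',
    '<!--#exec cmd="ls .." -->',
    '<!--#exec cmd="ls ../../9/" -->',
]

if __name__ == "__main__":
    for name, raw, escaped in audit(SAMPLE_NAMES):
        print(f"{name!r}\n  unsafe page: {raw}\n  safe page:   {escaped}")
```

On Apache, using Options IncludesNOEXEC instead of Includes also disables #exec in parsed files, which limits the damage if a directive does slip through.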




BASIC MISSION 10
This mission is about cookies. To view your cookies, you can use JavaScript injection or a couple of different Firefox plugins. Using JavaScript injection: go to Basic 10, then put the following into your address bar and hit enter: “javascript:alert(document.cookie);”
This is your cookie. JavaScript makes it very easy to edit - just use this to change level10_authorized to yes. To do that, put the following into your address bar: “javascript:void(document.cookie="level10_authorized=yes");”. Press enter to apply it, then press submit leaving the password field blank.




BASIC MISSION 11
One thing that you may have noticed is that whenever you refresh the page you get a new song name. This may seem random, but it's not: with a little bit of Googling you'll notice that these songs were performed by Elton John. Now that we know that, we have to find how the music collection is organized on the server. After many tries I found that the songs are organized in letter-by-letter directories. Trying all the different possibilities is a waste of time because we already know where to look for our password: it's in http://www.hackthissite.org/missions/basic/11/e/l/t/o/n/. When you get there, this directory may seem empty, but actually it's not. There is a hidden file in it named ".htaccess", which allows directory-level configuration of the web server (in this case Apache).
When you open the .htaccess file (http://www.hackthissite.org/missions/basic/11/e/l/t/o/n/.htaccess) you'll see this interesting instruction:
IndexIgnore DaAnswer.* .htaccess
<Files .htaccess>
order allow,deny
allow from all
</Files>
Now head to http://www.hackthissite.org/missions/basic/11/e/l/t/o/n/DaAnswer, which shows:
The answer is somewhere close! Just look a little harder.
answer = somewhere close (which means 'somewhere close' is the password). So now head to http://www.hackthissite.org/missions/basic/11/index.php and give the password as “somewhere close”. Submit your answer and the "go on" link will appear; you have completed the 11th basic mission.
