Posted by: Ken Harthun
Hacking, Hacking Skills Challenge, secure coding
It’s again time to delve into our Hacking Skills Challenge. Our last challenge was level 10 at HackThisSite.org, and that was three months ago. They say these are supposed to get increasingly difficult as we climb the ladder, but the last one was fairly easy, albeit it required a Firefox plugin to accomplish the hack. Level 11 is considerably more difficult and requires a bit of thinking outside the box. Here’s the challenge:
Sam decided to make a music site. Unfortunately he does not understand Apache. This mission is a bit harder than the other basics.
One of the biggest problems people who don’t understand Apache run into is that they end up allowing their directories to be listed. Keep that in mind; you’ll see why in a minute.
When you click on the challenge, you’re taken to a page that has a sentence similar to: I love my music! “I Need You to Turn To” is the best! Not much of a clue there, it seems, and where’s the password prompt? And what page are we looking at? Viewing the source produced this:
I love my music! "Someone Saved My Life Tonight" is the best! <!--We even have our own collection - if you could find it!-->
Nothing was listed for the actual page being viewed, which made me think it’s straight HTML. So, I tried ../index.php and voila! Got a password prompt. Progress, but a few tries at guessing the password were futile. On a whim, I went back to the original URL, http://www.hackthissite.org/missions/basic/11/, and found that the song name had changed. This time I got:
I love my music! "Honky Cat" is the best! <!--We even have our own collection - if you could find it!-->
So, I refreshed the page a few times and kept getting different songs. Like the two above, however, they all had one thing in common: they were songs performed by Elton John. I tried “elton” as the password, but no go, so it’s time to see if we can find an .htaccess file that might give us some answers.
http://www.hackthissite.org/missions/.htaccess – no go
http://www.hackthissite.org/missions/basic/.htaccess – no go
http://www.hackthissite.org/missions/basic/11/.htaccess – no go
http://www.hackthissite.org/missions/basic/11/elton/.htaccess – no go
Convinced that “elton” is the key, I tried an old trick I’ve seen before and put this in: http://www.hackthissite.org/missions/basic/11/e. I got a directory listing with the letters b, c, d, e, f, g, and l as subdirectories. Hmm . . . could it be? I tried http://www.hackthissite.org/missions/basic/11/e/l and the last letter listed was “t.” Pretty obvious now: http://www.hackthissite.org/missions/basic/11/e/l/t/o/n. Nothing was listed there, but that has to be where .htaccess is located. Sure enough:
IndexIgnore DaAnswer.* .htaccess
<Files .htaccess>
order allow,deny
allow from all
</Files>
Think “DaAnswer.*” might be it? Yep. http://www.hackthissite.org/missions/basic/11/e/l/t/o/n/DaAnswer gives:
The answer is simple! Just look a little harder.
The answer is: simple. That’s the password.
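Sam’s two mistakes, directory listings left on and an .htaccess that anyone may download, are both configuration problems. Below is an added example (not from the original post or from HackThisSite) showing the weak .htaccess as found next to a hardened replacement; treat the two as alternative files, not one file.

```apache
# --- Weak configuration (as found in the mission) ---
# IndexIgnore only hides names from the auto-generated listing; a direct
# request for DaAnswer or .htaccess is still served. The <Files> block then
# explicitly grants everyone access to .htaccess itself.
IndexIgnore DaAnswer.* .htaccess
<Files .htaccess>
    Order allow,deny
    Allow from all
</Files>

# --- Hardened replacement (Apache 2.4 syntax) ---
# Turn off automatic directory indexes so a guessed path segment no longer
# enumerates its children (e/, e/l/, e/l/t/ ...). This line is honoured in
# .htaccess only if the server config grants "AllowOverride Options";
# setting it in httpd.conf itself is the safer place.
Options -Indexes

# Refuse every request for dotfiles such as .htaccess and .htpasswd,
# regardless of what any IndexIgnore says. Stock Apache 2.4 ships an
# equivalent <Files ".ht*"> block in httpd.conf; keep it, never loosen it.
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>
```

With the hardened file in place, the directory walk returns 403 Forbidden at the first guessed letter, and the .htaccess request is denied even though the file still exists on disk.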