Security Corner

Sep 20 2009   5:45PM GMT

Hacking Skills Challenge – Level 4

Ken Harthun

So far, we’ve explored the first 3 basic missions at HackThisSite.org. As we get to each new level, the difficulty increases, but they’re still pretty easy. Today, we solve level four:

An email script has been set up, which sends the password to the administrator. Requirements: HTML knowledge, an email address.

This time Sam hardcoded the password into the script. However, the password is long and complex, and Sam is often forgetful. So he wrote a script that would email his password to him automatically in case he forgot.

So, what we have to do is hack the page to get the password sent to an email address of our own choosing. The script is invoked by clicking the “Send Password to Sam” button. Once again, we can view the source to see what clues are there. Paths to two scripts stand out:

"/missions/basic/4/level4.php"
"/missions/basic/4/index.php"

Those are both relative paths. We can’t make them absolute and save the source, but we can save the page to the desktop, edit the saved copy, then open the local file in the browser. This should give us some action. Make sure to change the email address in the saved copy to one you own.

When the page is opened, we see the challenge screen. Click on the “Send Password to Sam” button and voilà! A page appears, revealing the password 50c3072c. The script doesn’t actually email the password, so don’t bother checking the email address you entered.

Mission accomplished!

According to some, level 5 is a bit tougher, but I’m sure we have the talent.

What do you think? How could this hack be thwarted? Leave a comment!
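One answer to that question, as an added example that is not part of the original post or of the mission's own script: a Python sketch of the server-side handler, showing the version that trusts the form's email field next to two hardened versions. The field names `to` and `sig`, the addresses, the key and the secret are all constructed assumptions.

```python
import hashlib
import hmac

# Constructed values for illustration; none come from the mission itself.
ADMIN_EMAIL = "sam@example.org"
SERVER_KEY = b"constructed-demo-key"   # would be a random server-side secret
SECRET = "constructed-secret"          # stands in for the hardcoded password


def vulnerable_handler(form):
    """Trusts the form's 'to' field, so an edited local copy picks the recipient."""
    return {"to": form["to"], "body": SECRET}


def fixed_recipient_handler(form):
    """Preferred fix: the recipient is server-side config; client input is ignored."""
    return {"to": ADMIN_EMAIL, "body": SECRET}


def sign(value):
    """HMAC-SHA256 tag the server places in the form next to the field value."""
    return hmac.new(SERVER_KEY, value.encode(), hashlib.sha256).hexdigest()


def render_form_fields():
    """Form fields as the server would emit them (value plus tag)."""
    return {"to": ADMIN_EMAIL, "sig": sign(ADMIN_EMAIL)}


def signed_field_handler(form):
    """Fallback when the value must round-trip through the browser:
    reject the request unless the tag matches the submitted value."""
    to, sig = form.get("to", ""), form.get("sig", "")
    if not hmac.compare_digest(sign(to).encode(), sig.encode()):
        return None  # tampered or missing field: send nothing
    return {"to": to, "body": SECRET}


if __name__ == "__main__":
    # Simulates the edited local copy: same form, recipient swapped.
    tampered = dict(render_form_fields(), to="visitor@example.net")
    print("vulnerable :", vulnerable_handler(tampered)["to"])
    print("fixed      :", fixed_recipient_handler(tampered)["to"])
    print("signed     :", signed_field_handler(tampered))
    print("signed ok  :", signed_field_handler(render_form_fields())["to"])
```

Anything the browser sends back, form fields included, is attacker-controlled input; keeping the recipient on the server removes the field from the attack surface entirely, while the signed variant only detects that it was changed.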
