HackThis Challenge [Solutions | Main Level 6-10]

Main Level 6

This time, a different login screen welcomes us, informing us that we need to log in as Ronald to pass the level. However, there is a small issue here: there is no Ronald option in the Username list below!

I can simply change one option to Ronald or add a new option. 

Now I can select the Ronald option and go to the next level.


Main Level 7

I started this level by looking at the source code. However, this time everything was as usual, and there were seemingly no hints within the source code to hack the username and the password.

This time, I decided to use the Show hint button to get some clue on how to proceed. The hint was quite helpful:

The password is again stored in a txt file. This time however it is not as straight forward as viewing the source.
You wouldn’t even find the page by using a search engine as search bots have been excluded.

Have you ever heard of robots.txt? There lies our answer.

Now, I navigated to https://www.hackthis.co.uk/robots.txt. This is the file we would like to see:

Let’s visit https://www.hackthis.co.uk/levels/extras/userpass.txt. We encounter the following .txt file:

48w3756
u3qh458

It seems like the first line corresponds to the username, and the second line to the password. Trying this combination, we complete the level!
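The lesson of this level for a site owner is that robots.txt is itself public, so a Disallow line naming a sensitive file advertises it. The following audit is an added example, not code from the original post or from HackThis; the robots.txt body is a constructed sample (only the userpass.txt path comes from the walkthrough) and the keyword list is an assumption to tune per site.

```python
import re

# Assumption: path fragments and extensions that suggest a file should be
# protected by authentication rather than merely hidden from crawlers.
SENSITIVE = re.compile(
    r"(pass|secret|cred|backup|private|admin)|\.(txt|sql|bak|env|log|zip)$",
    re.IGNORECASE,
)

# Constructed sample; the real file is not reproduced on this page.
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /levels/extras/userpass.txt
Disallow: /search/   # crawl-budget rule, harmless
Disallow:
Allow: /
"""


def disallowed_paths(robots_txt):
    """Return every non-empty Disallow value, ignoring comments and case."""
    paths = []
    for line in robots_txt.splitlines():
        line = line.split("#", 1)[0].strip()
        key, _, value = line.partition(":")
        if key.strip().lower() == "disallow" and value.strip():
            paths.append(value.strip())
    return paths


def risky_entries(robots_txt):
    """Disallow entries that point at something worth protecting properly."""
    return [p for p in disallowed_paths(robots_txt) if SENSITIVE.search(p)]


if __name__ == "__main__":
    for path in risky_entries(SAMPLE_ROBOTS):
        print("robots.txt discloses:", path)
```

Anything this flags should be moved out of the web root or placed behind authentication; removing the Disallow line alone does not protect the file.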


Main Level 8

I started by looking at the source code of the webpage. Searching for the keyword Username gave an important result in this level, similar to Main Level 4:

<input type="hidden" name="passwordfile" value="extras/secret.txt">

Let’s follow the link https://www.hackthis.co.uk/levels/extras/secret.txt

1011 0000 0000 1011
1111 1110 1110 1101

Let’s try with an online binary converter service:

1011000000001011 = B00B (HEX)
1111111011101101 = FEED (HEX)

So the username is B00B and the password is FEED.


Main Level 9

This time, a slightly different screen welcomes us. There is a link, Request details, below our username and password form. This link seems like the way to go.
Upon clicking the link, we see a different form, asking for an email. Let’s inspect this email form:

<form method="POST">
  <fieldset>
    <label for="email1">Email:</label>
    <input type="text" name="email1" id="email1" autocomplete="off"><br>
    <input type="hidden" name="email2" id="email2" value="admin@hackthis.co.uk" autocomplete="off">
    <input type="submit" value="Submit" class="button">
  </fieldset>
</form>

Have you seen the interesting part? Let’s look at that closely:

<input type="hidden" name="email2" id="email2" value="admin@hackthis.co.uk" autocomplete="off">

We again encounter a “hidden” field, and it apparently has the email address of the administrator. What about tampering with this information as we did before? 

To solve the challenge, I changed that email address to an artificial email address qwerty0123456@cicciput.com using the Inspect pane of Google Chrome. Moreover, I entered the same email address, qwerty0123456@cicciput.com, in the form input field. Clicking the Submit button, it’s done!
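Why the tampering works, and two server-side fixes, as an added example that is not part of the original post or HackThis's code. It assumes the server compares email1 with the email2 value the browser sends back; the handler names, the `_sig` field and the key handling are hypothetical.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)   # per-deployment secret, never sent to the client
ADMIN_EMAIL = "admin@hackthis.co.uk"   # value shown in the form; kept server-side here


def vulnerable_check(form):
    """Assumed level behaviour: trust the hidden email2 the browser returned."""
    return form.get("email1") == form.get("email2")


def hardened_check(form):
    """Ignore email2 entirely; compare against the address held on the server."""
    submitted = form.get("email1", "").strip().lower().encode()
    return hmac.compare_digest(submitted, ADMIN_EMAIL.encode())


def sign(name, value):
    """HMAC tag for a hidden field that must round-trip through the browser."""
    msg = f"{name}={value}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def field_intact(form, name):
    """True only if the hidden field still carries the value the server rendered."""
    expected = sign(name, form.get(name, "")).encode()
    return hmac.compare_digest(expected, form.get(name + "_sig", "").encode())


# Constructed submissions: what the server rendered, then two POST bodies.
rendered = {"email2": ADMIN_EMAIL, "email2_sig": sign("email2", ADMIN_EMAIL)}
tampered = {**rendered, "email1": "qwerty0123456@cicciput.com",
            "email2": "qwerty0123456@cicciput.com"}
honest = {**rendered, "email1": ADMIN_EMAIL}

if __name__ == "__main__":
    for label, form in (("tampered", tampered), ("honest", honest)):
        print(label, vulnerable_check(form), hardened_check(form),
              field_intact(form, "email2"))
```

The same reasoning covers the edited option list in Level 6: any value the browser submits, visible or hidden, has to be validated against server-side state, and a failed `field_intact` check is worth logging as a tampering signal.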


Main Level 10

This is the last Main Level of HackThis. Again, I started by viewing the source code of the webpage. Searching for the keyword Username again gave an interesting result:

<input type="hidden" name="passwordfile" value="level10pass.txt">

We again see a “hidden” HTML field. This field points to the passwordfile, so it’s our target. Let’s navigate to https://www.hackthis.co.uk/levels/extras/level10pass.txt. I was able to guess this link directly since I saw the directory extras in the preceding levels. However, it is also possible to do a Google search within the website with the name of the .txt file. 

site:hackthis.co.uk   filetype:txt   level10pass

Google can easily find the file, since it is not included in robots.txt. Opening the text file, we get:

69bfe1e6e44821df7f8a0927bd7e61ef208fdb25deaa4353450bc3fb904abd52:f1abe1b083d12d181ae136cfc75b8d18a8ecb43ac4e9d1a36d6a9c75b6016b61

Since I am searching for username and password, I can easily separate the code in two parts:

69bfe1e6e44821df7f8a0927bd7e61ef208fdb25deaa4353450bc3fb904abd52
f1abe1b083d12d181ae136cfc75b8d18a8ecb43ac4e9d1a36d6a9c75b6016b61

After some searching, I found an online service to decrypt SHA-256:

Entering our hash strings above, the decrypting website gives us the answers:

     Username:     carl
     Password:      guess

So, we are lucky that the credentials are common, easy words, since that is why they are included in the online database. Moreover, we are lucky that the website doesn’t use salts for its hashes; salting would make them even harder to guess.
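The point about common words and missing salts, as an added example that is not from the original post. It computes its own digests from a constructed wordlist rather than using the hash strings above, and the PBKDF2 parameters are assumptions, not anything HackThis uses.

```python
import hashlib
import hmac
import os

# Constructed wordlist; "carl" and "guess" are the credentials the walkthrough recovers.
WORDLIST = ["admin", "carl", "guess", "letmein", "ronald"]


def unsalted(password):
    """Bare SHA-256 hex digest, the storage format of level10pass.txt."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup(words):
    """Digest -> word table: in miniature, what an online hash database holds."""
    return {unsalted(w): w for w in words}


def recoverable(stored_digests, lookup):
    """Audit helper: which stored digests fall to a plain table lookup."""
    return {d: lookup[d] for d in stored_digests if d in lookup}


def store(password, iterations=600_000):
    """Salted, deliberately slow storage (PBKDF2-HMAC-SHA256); count is an assumption."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, dk


def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, dk = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, dk)


if __name__ == "__main__":
    lookup = build_lookup(WORDLIST)
    leaked = [unsalted("carl"), unsalted("guess")]
    print("unsalted, recovered:", recoverable(leaked, lookup))
    a, b = store("guess"), store("guess")
    print("same password, same salted record?", a[2] == b[2])
    print("salted record in table?", a[2].hex() in lookup)
    print("verify still works:", verify("guess", a), verify("carl", a))
```

A salt defeats the precomputed table, but a weak password can still be guessed directly, which is why the slow key-derivation function matters as much as the salt.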
