Main Level 6
This time, a different login screen welcomes us, informing us that we need to log in as Ronald to pass the level. However, there is a small issue here: there is no Ronald option in the Username list below!
I can simply change one option to Ronald or add a new option.
Now I can select the Ronald option and go to the next level.
Main Level 7
I started this level by looking at the source code. However, this time everything was as usual, and there were seemingly no hints within the source code to hack the username and the password.
This time, I decided to use the Show hint button to get some clue on how to proceed. The hint was quite helpful:
The password is again stored in a txt file. This time however it is not as straightforward as viewing the source.
You wouldn’t even find the page by using a search engine as search bots have been excluded.
Have you ever heard of robots.txt? There lies our answer.
Now, I navigated to https://www.hackthis.co.uk/robots.txt. This is the file we would like to see:
Let’s visit https://www.hackthis.co.uk/levels/extras/userpass.txt. We encounter the following .txt file:
It seems like the first line corresponds to the username, and the second line to the password. Trying this combination, we complete the level!
Main Level 8
I started by looking at the source code of the webpage. Searching for the keyword Username gave an important result in this level, similar to Main Level 4:
<input type="hidden" name="passwordfile" value="extras/secret.txt">
Let’s follow the link https://www.hackthis.co.uk/levels/extras/secret.txt
1011 0000 0000 1011
1111 1110 1110 1101
Let’s try with an online binary converter service:
1011000000001011 = B00B (HEX)
1111111011101101 = FEED (HEX)
So the username is B00B and the password is FEED.
Main Level 9
This time, a slightly different screen welcomes us. There is a link, Request details, below our username and password form. This link seems like the way to go.
Upon clicking the link, we see a different form, asking for an email. Let’s inspect this email form:
<form method="POST">
  <fieldset>
    <label for="email1">Email:</label>
    <input type="text" name="email1" id="email1" autocomplete="off"><br>
    <input type="hidden" name="email2" id="email2" value="firstname.lastname@example.org" autocomplete="off">
    <input type="submit" value="Submit" class="button">
  </fieldset>
</form>
Have you seen the interesting part? Let’s look at that closely:
<input type="hidden" name="email2" id="email2" value="email@example.com" autocomplete="off">
We again encounter a “hidden” field, and it apparently has the email address of the administrator. What about tampering with this information as we did before?
To solve the challenge, I changed that email address to an artificial email address firstname.lastname@example.org using the Inspect pane of Google Chrome. Moreover, I entered the same email address, email@example.com in the form input field. After clicking the Submit button, the level is done!
Main Level 10
This is the last Main Level of HackThis. Again, I started by viewing the source code of the webpage. Searching for the keyword Username again gave an interesting result:
<input type="hidden" name="passwordfile" value="level10pass.txt">
We again see a “hidden” HTML field. This field points to the passwordfile, so it’s our target. Let’s navigate to https://www.hackthis.co.uk/levels/extras/level10pass.txt. I was able to guess this link directly since I saw the directory extras in the preceding levels. However, it is also possible to do a Google search within the website with the name of the .txt file.
site:hackthis.co.uk filetype:txt level10pass
Google can easily find the file, since it is not listed in robots.txt. Opening the text file, we get:
Since I am searching for a username and a password, I can easily separate the code into two parts:
After some searching, I found an online service that reverses SHA-256 hashes by looking them up in a database:
Entering the hash strings above, the lookup website gives us the answers:
So, we are lucky that the credentials are common, easy words, which is why they are included in the online database. Moreover, we are lucky that the website doesn’t salt its hashes; salting would make them even harder to guess.
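Why the Level 10 lookup worked and what salting changes, as an added example (not part of the original write-up or HackThis's own code). The word list, function names and PBKDF2 parameters are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny stand-in for an online hash database.
COMMON_WORDS = ["password", "letmein", "dragon", "sunshine", "monkey"]

def sha256_hex(word):
    """Bare, unsalted SHA-256 as a hex string (the weak storage format)."""
    return hashlib.sha256(word.encode()).hexdigest()

# Precomputed once, reusable against every unsalted hash ever leaked.
LOOKUP = {sha256_hex(w): w for w in COMMON_WORDS}

def lookup_unsalted(digest_hex):
    """Return the plaintext if the digest is in the precomputed table."""
    return LOOKUP.get(digest_hex.lower())

def hash_password(password, salt=None, iterations=600_000):
    """Salted, deliberately slow hash (PBKDF2-HMAC-SHA256) for storage.

    The iteration count is an assumed work factor; tune it to your hardware.
    """
    if salt is None:
        salt = os.urandom(16)  # unique per user, stored next to the hash
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, derived

def verify_password(password, salt, iterations, expected):
    """Recompute with the stored salt and compare in constant time."""
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(derived, expected)

def demo():
    # Unsalted: a common word's hash is an exact key in the table.
    leaked = sha256_hex("dragon")
    recovered = lookup_unsalted(leaked)
    # Salted: the same word yields a value no generic table contains.
    salt, iterations, stored = hash_password("dragon")
    in_table = lookup_unsalted(stored.hex())
    still_valid = verify_password("dragon", salt, iterations, stored)
    return recovered, in_table, still_valid

if __name__ == "__main__":
    print(demo())
```

A salt does not make a weak password strong; it forces each stored hash to be attacked separately, and the slow key derivation raises the cost of every guess.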