[HTS] hackthissite basic missions 1 - 11 [tutorial]

Sethioz
Admin
Posts: 4762
Joined: Fri Jul 27, 2007 5:11 pm

[HTS] hackthissite basic missions 1 - 11 [tutorial]

Post by Sethioz »

NOTES:
- pay attention to the date listed here > october 23 2009. it means if one of them does not work, then it is because they have changed it !
- get firefox before even trying them. I only use and deal with firefox, if you are too dumb to use firefox, then you have nothing to do here or there.
- I could make it way easier, but this tutorial is meant for the ppl who want to learn, not for ppl who just want to show off that they have more missions done.

1.
click "view" and then "page source"
password is somewhere there, use 'ctrl+f' to open search and type in "password" to make the searching easier. it should be located somewhere near the password.

2.
simplest mission ever, password is blank, because there is no password file.

3.
here you need to monitor your traffic to get the password, there are several ways, but I'm using my favorite tool > CommView
open commview, then set firefox.exe as filter (to capture only firefox packets). if you do not know how to use commview, then I have an excellent tutorial. > CommView - how to use - capturing and resending the packets
ok now you know how to capture with commview. put in a random password, I will use "aliens" as the password in my example.
then you click submit (or send or whatever it is). now in commview search for "aliens". you will find one packet that contains this.
now right click the packet and choose "reconstruct TCP session"
in there you will find a page /password.php. include that in the URL and it will take you to the password.php page, where you will find the password.

4.
- first off, this was meant to be done with some other bullcrap method, but I jumped forward and made it .. well faster and easier and with a more advanced method.
you need the firebug addon for this.
open firebug and click on 'inspect', now click on the submit button (not the password, but the email part)
this will show you the location of the button in the code and near that you will see the original mail where it is supposed to go.
replace that email with any other email address (does not have to be valid, it just has to look like an email > [email protected])
in a real situation you would have to put your own email there of course. now simply click submit and it shows you the password on the next page (in a real situation it would send an email to your address).

5.
repeat step 4.
the reason why it's the same is simple, in the last step it was possible to copy the whole page to your pc, then edit the code and run it from your computer, but in step 5 the script checks the referrer. it means if the request is not sent from hackthissite then it doesn't work.
in theory it should be possible to use "refcontrol" addon for firefox and make it think that request came from hackthissite (never tried this)

6.
well you could just enter random passwords until you figure out pattern, but it would take you ages.
google for an ASCII table (or use the linked one if it still works).
to decrypt the password, you need to see how it encrypts it (not really encryption).
let's say your encrypted password contains 9 digits and is 123456789. then your password would be 111111111.
huh ?
in the ASCII table, you move 1 row up in each case, where 1 is 0 rows.
1 = you find "1" in the ASCII table, since it is the first digit, you move 0 rows up, so it stays 1.
2 = find "2" in the ASCII table and move 1 row up, it will be 1.
3 = find "3" and move 2 rows up (because it is the 3rd digit). again you end up on 1.
9 = find "9" in the ASCII table and move 8 rows up, you end up on 1 again.
this is easiest example.

7.
as it says, you need to know UNIX commands. cmd will do too, but the commands are not the same (the basics are, but not the commands themselves).
cmd = command prompt, konsole, console, command line interpreter.
since the script accepts commands, you will use the command to list all directories and files.

;ls

with this command you will find several pages there. just go through them one by one to find the one that holds the password.

8.
again we need to use some UNIX commands, but this time it is not that simple. we need to go out of /tmp directory with the following command

ls ..

of course this is a script which will make it look like a name. so this alone won't do. we need to execute it like this:

<!--#exec cmd="ls .."-->

now you will notice that it will give you the list of directories and files instead of a name.
find the right file to find the password inside.

9.
here you need to go back into level 8, because only there you can execute commands. again the basics of cmd/unix come in handy !
we need to go out of /8 and into /9 and list files there.
this time we execute the following command:

<!--#exec cmd="ls ../../9"-->

you find directories and files listed, find the one holding the password.

10.
here you need to analyze the traffic (packets). best 2 addons for this are:
firebug
firecookie (only works when firebug is installed)
add & edit cookies (will do, but i use firecookie in my example).

open firebug and go to cookies tab. send random password and see which cookie appears.
analyze the cookie and find "level10_authorized"; the value for this field is "no".
yes you guessed it right, you simply edit that cookie and change it to "yes".
now refresh the page and you are done with it.

- alternatively you can make a filter with paros proxy or webscarab or something like this to replace "no" with "yes". it should work too.

11.
now this one is not even hacking, but more like a puzzle. so I make it as simple as possible.
view the html source to see what you need to do (find the song stuff blabla)
keep refreshing the site and find out that all those 'clues' refer to Elton John
so now what ? let's assume there is a folder named elton, eltonjohn ..or something like this.
their site uses the dir method (or whatever it's called).
so simply type /e as directory and it will list the next directories ( /11/e )
follow the letters to make it /11/e/l/t/o/n
this part is very messy, because the ".htaccess" file is never accessible (at least not nowadays it ain't).
so now we can go to

/11/e/l/t/o/n/.htaccess

next 'clue' is "DaAnswer" so obviously it is a directory. we go to this directory > /11/e/l/t/o/n/DaAnswer
this part is different each time, but it says something like "Answer is close!" or "answer is here!"
whatever it says there is the password. from those two examples the passwords would be "close" and "here"
now where do we use this ?
/11/index.php < on this page. go there, insert the password and you are done.

- if it does not work, then your cookie expired or whatever.
- clean your cookies, go directly to the daanswer page, check what it says and then go directly to index.php and put it in.
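Added example for mission 6 (this is not code from Sethioz or from hackthissite): the "not really encryption" scheme the post walks through by hand, written out as encode/decode functions. The rule is exactly the one described above: the character at position i (counting from 0) is moved i places along the ASCII table, so the first character stays, the second moves by 1, and so on. The sample strings are constructed from the post's own 123456789 / 111111111 example.

```python
# Added example, not from the original post: the position-dependent ASCII
# shift used in HTS basic mission 6. There is no key at all; the "shift"
# for each character is just its index, which is why one known pair
# (ciphertext, password) is enough to see the whole scheme.

def shift_encode(plaintext: str) -> str:
    """Move character i forward by i ASCII positions (the mission-6 scheme)."""
    return "".join(chr(ord(ch) + i) for i, ch in enumerate(plaintext))


def shift_decode(ciphertext: str) -> str:
    """Invert the scheme: move character i back by i ASCII positions."""
    return "".join(chr(ord(ch) - i) for i, ch in enumerate(ciphertext))


def shift_table(ciphertext: str) -> list:
    """Per-character view matching the post's step-by-step explanation:
    (index, cipher char, rows moved back, recovered char)."""
    return [(i, ch, i, chr(ord(ch) - i)) for i, ch in enumerate(ciphertext)]


if __name__ == "__main__":
    # Constructed sample taken from the post: "111111111" encodes to "123456789".
    sample_plain = "111111111"
    sample_cipher = shift_encode(sample_plain)
    print(sample_cipher)                 # 123456789
    print(shift_decode(sample_cipher))   # 111111111
    for row in shift_table(sample_cipher):
        print("index %d: %r moved back %d rows -> %r" % row)
```

The decode table is the same walk the post does with a printed ASCII table ("find 9 and move 8 rows up"), only automated; because the shift depends on position and nothing secret, the scheme offers no protection once it is known.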
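Added example for missions 8 and 9 (not code from the post or from hackthissite): the reason the `<!--#exec cmd="ls .."-->` trick works is that a value typed into the name field is written into a page that the web server parses for server-side includes, so the server runs the directive instead of printing a name. The check below is what the receiving script should have done: detect SSI directives in a submitted value, allow only a plain name, and HTML-escape whatever is stored. Function names and the sample submissions are constructed for this example.

```python
# Added example, not from the original post: server-side handling of a
# "name" field that will be written into an SSI-enabled (.shtml) page.
import html
import re

# An SSI directive starts with "<!--#" followed by the directive name
# (exec, include, echo, ...). Whitespace after "<!--" is tolerated by some
# servers, so the pattern allows it too.
SSI_DIRECTIVE = re.compile(r"<!--\s*#\s*([a-zA-Z]+)")

# Policy for the name field: letters, digits, space and hyphen, 1-40 chars.
NAME_POLICY = re.compile(r"[A-Za-z0-9 \-]{1,40}")


def find_ssi_directives(value: str) -> list:
    """Return the lower-cased directive names found in a submitted value."""
    return [m.group(1).lower() for m in SSI_DIRECTIVE.finditer(value)]


def accept_name(value: str) -> bool:
    """Allow-list check: True only if the whole value matches NAME_POLICY."""
    return NAME_POLICY.fullmatch(value) is not None


def sanitize_for_shtml(value: str) -> str:
    """Escape <, >, &, and quotes so nothing stored can be parsed as SSI."""
    return html.escape(value, quote=True)


def check_submission(value: str) -> dict:
    """Verdict a request handler could log: whether the value is accepted,
    which SSI directives it contained, and the escaped form that is safe
    to write into the page if it must be stored at all."""
    directives = find_ssi_directives(value)
    return {
        "accepted": accept_name(value),
        "directives": directives,
        "stored_value": sanitize_for_shtml(value),
    }


if __name__ == "__main__":
    # Constructed submissions: a plain name, the post's mission-8 payload,
    # and a harmless echo directive.
    for submitted in ("Sethioz", '<!--#exec cmd="ls .."-->',
                      '<!--#echo var="DATE_LOCAL"-->'):
        print(repr(submitted), "->", check_submission(submitted))
```

Escaping alone is only a last line of defence; the directive should also be unreachable at the server, and on Apache that is what `Options IncludesNOEXEC` (SSI allowed, but `#exec` disabled) is for. Logging the `directives` list from `check_submission` gives a simple detection signal for attempts like the one the post describes.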
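Added example for mission 10 (not code from the post or from hackthissite): the mission is solvable because the server reads the authorization decision, `level10_authorized=no`, back out of a cookie the browser controls. Below, the vulnerable check sits next to a hardened one in which the cookie holds only an opaque session id and the authorized flag lives on the server, so editing the cookie with firecookie changes nothing. The password, session store and cookie header strings are constructed for this example.

```python
# Added example, not from the original post: cookie-based authorization
# the way mission 10 does it, beside a server-side session version.
import hmac
import secrets
from http.cookies import SimpleCookie

# Constructed values for the demo; a real app keeps these in config/secret store.
EXPECTED_PASSWORD = "example-only-password"
SESSIONS = {}  # server-side state: session id -> facts about that session


def parse_cookie_header(header: str) -> dict:
    """Turn a raw Cookie request header into a name -> value dict."""
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def vulnerable_is_authorized(cookie_header: str) -> bool:
    """Mission-10 pattern: the decision is stored in the cookie, so whatever
    the browser sends (no -> yes) is believed without any server-side check."""
    return parse_cookie_header(cookie_header).get("level10_authorized") == "yes"


def login(password: str):
    """Check the password on the server; on success create a session whose
    authorized flag is stored server-side and return the opaque session id."""
    if not hmac.compare_digest(password.encode(), EXPECTED_PASSWORD.encode()):
        return None
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"level10_authorized": True}
    return session_id


def hardened_is_authorized(cookie_header: str) -> bool:
    """Only the 'session' cookie is consulted, and only as a lookup key.
    A client-supplied 'level10_authorized=yes' is never read at all."""
    session_id = parse_cookie_header(cookie_header).get("session")
    return bool(SESSIONS.get(session_id, {}).get("level10_authorized"))


if __name__ == "__main__":
    # Constructed Cookie headers: the one the site sets, and the edited one.
    print(vulnerable_is_authorized("level10_authorized=no"))    # False
    print(vulnerable_is_authorized("level10_authorized=yes"))   # True (tampered)
    print(hardened_is_authorized("level10_authorized=yes"))     # False
    sid = login(EXPECTED_PASSWORD)
    print(hardened_is_authorized("session=%s; level10_authorized=yes" % sid))  # True
```

The hardened version still needs the usual cookie attributes when it sets `session` (`HttpOnly`, `Secure`, a `SameSite` value), and the session store needs expiry; what it removes is the class of bug the mission demonstrates, where the client is asked to report its own authorization state.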
KEN
Special
Posts: 751
Joined: Thu Jan 28, 2010 8:11 am

Re: [HTS] hackthissite basic missions 1 - 11 [tutorial]

Post by KEN »

in the 4th and 5th mission, I just used Tamper Data to change the email id, but the thing that happened was that it just showed me the pass on screen instead of sending it to the inbox. How come this happened?