hackthissite basic 1-11

//url:www.hackthissite.org

Level 1(the idiot test)

This level is what we call "The Idiot Test", if you can't complete it, don't give up on learning all you can, but, don't go begging to someone else for the answer, thats one way to get you hated/made fun of. Enter the password and you can continue. 

右键查看源代码，密码写在注释里：

<span style="font-family:Arial;">This level is what we call "The Idiot Test", if you can't complete it, don't give up on learning all you can, but, don't go begging to someone else for the answer, thats one way to get you hated/made fun of. Enter the password and you can continue. <br /><br /><span style="color:#009900;"><!-- the first few levels are extremely easy: password is 84c72242 --></span><center><b>password:</b><br /><form action="/missions/basic/1/index.php" method="post"><input type="password" name="password" /><br /><br /><input type="submit" value="submit" /></form></center>                <center><table border="0" width="80%" cellspacing="0" cellpadding="0"></span>

密码为84c72242。

Level 2
Network Security Sam set up a password protection script. He made it load the real password from an unencrypted text file and compare it to the password the user enters. However, he neglected to upload the password file...

Sam未上传密码文件，所以直接submit。

Level 3

This time Network Security Sam remembered to upload the password file, but there were deeper problems than that.

查看源代码，

<br /><center><b>Level 3</b></center><br />This time Network Security Sam remembered to upload the password file, but there were deeper problems than that.<br /><br /><center><b>Password:</b><br />                      <form action="/missions/basic/3/index.php" method="post">                      <input type="hidden" name="file" value="<span style="color:#009900;">password.php</span>" />                      <input type="password" name="password" /><br /><br />                      <input type="submit" value="submit" /></form>

打开http://www.hackthissite.org/missions/basic/3/password.php，得到密码9a1d3a50。

Level 4

This time Sam hardcoded the password into the script. However, the password is long and complex, and Sam is often forgetful. So he wrote a script that would email his password to him automatically in case he forgot. Here is the script:

查看页面源代码，

<span style="font-family:Arial;"><br /><center><b>Level 4</b></center><br /><br />This time Sam hardcoded the password into the script. However, the password is long and complex, and Sam is often forgetful. So he wrote a script that would email his password to him automatically in case he forgot. Here is the script:<br /><br /><center>    <form action="/missions/basic/4/level4.php" method="post">    <input type="hidden" name="to" value="<span style="color:#009900;">sam@hackthissite.org</span>" /><input type="submit" value="Send password to Sam" /></form></center><br /><br /><center><b>Password:</b><br />    <form action="/missions/basic/4/index.php" method="post">    <input type="password" name="password" /><br /><br />    <input type="submit" value="submit" /></form></span>

保存源码到本地，把value改为你自己的邮箱，再打开此htm，点击SEND PASSWORD TO SAM，邮箱里就可收到密码。

Level 5

Sam has gotten wise to all the people who wrote their own forms to get the password. Rather than actually learn the password, he decided to make his email program a little more secure.

我的浏览器是Chrome，右键网页审查元素，找到sam邮件，把它改成自己的邮箱，直接点SEND，即可收到密码。

// level4&5本人未完全参透，求高手解释

Level 6

Network Security Sam has encrypted his password. The encryption system is publically available and can be accessed with this form:

Please enter a string to have it encrypted.

You have recovered his encrypted password. It is:

d7dh=9;8

Decrypt the password and enter it below to advance to the next level.

推测他的加密算法，输入数个字符串尝试，得出结论：第一位字符ASCII值+0，第二位+1，以此类推，最终得到密码。

Level 7

This time Network Security sam has saved the unencrypted level7 password in an obscurely named file saved in this very directory.

In other unrelated news, Sam has set up a script that returns the output from the UNIX cal command. Here is the script:

Enter the year you wish to view and hit 'view'.

 

UNIX cal 命令，如输入2000则执行UNIX下cal 2015的结果。输入2015;ls则相当于执行cal和ls两个命令。view看看，发现日历和一些php文件，由题意密码在“
an obscurely named file”中，那么在地址栏中访问k1kh31b1n55h.php文件就可以get到密码了。

Level 8

Sam remains confident that an obscured password file is still the best idea, but he screwed up with the calendar program. Sam has saved the unencrypted password file in /var/www/hackthissite.org/html/missions/basic/8/

However, Sam's young daughter Stephanie has just learned to program in PHP. She's talented for her age, but she knows nothing about security. She recently learned about saving files, and she wrote a script to demonstrate her ability.

Enter your name:

SSI(Server Side Include)相关。输入<!--#exec cmd="ls"-->，可以view到https://www.hackthissite.org/missions/basic/8/tmp的文件，但是他的password存在上一级，那么输入<!--#exec cmd="ls .."-->，看到的au12ha39vc.php文件中有密码。

Level 9

Network Security Sam is going down with the ship - he's determined to keep obscuring the password file, no matter how many times people manage to recover it. This time the file is saved in /var/www/hackthissite.org/html/missions/basic/9/.

In the last level, however, in my attempt to limit people to using server side includes to display the directory listing to level 8 only, I have mistakenly screwed up somewhere.. there is a way to get the obscured level 9 password. See if you can figure out how...

This level seems a lot trickier then it actually is, and it helps to have an understanding of how the script validates the user's input. The script finds the first occurance of '<--', and looks to see what follows directly after it. 

和level8一样，只是要利用第八关的输入框，输入<!--#exec cmd="ls ../../9"-->就OK了。

This level seems a lot trickier then it actually is, and it helps to have an understanding of how the script validates the user's input. The script finds the first occurance of '<--', and looks to see what follows directly after it. 

Enter password

Please enter a password to gain access to level 10

点击submit，提示You are not authorized to view this page，找一下hackthissite的cookie，看到level10_authorized的值为no。改成yes之后返回本关就OK了。（我是Chrome浏览器，在console里改cookie值；FF不大了解）

Level 11

点开页面发现有
I love my music!"Gulliver/Hay-Chewed/Reprise" is the best!

这样的字样，刷新页面，发现歌曲名称在变化，搜索这些歌曲，发现它们同为一名歌手“Elton John”所唱，尝试多次后发现，在url后加上e/l/t/o/n会打开新的页面，在这个 目录下.htaccess文件没有保护，此文件给出密码。打开https://www.hackthissite.org/missions/basic/11/index.php输入密码，过关。

Level 7

This time Network Security sam has saved the unencrypted level7 password in an obscurely named file saved in this very directory.

In other unrelated news, Sam has set up a script that returns the output from the UNIX cal command. Here is the script:

Enter the year you wish to view and hit 'view'.

 

Level 9

Network Security Sam is going down with the ship - he's determined to keep obscuring the password file, no matter how many times people manage to recover it. This time the file is saved in /var/www/hackthissite.org/html/missions/basic/9/.

In the last level, however, in my attempt to limit people to using server side includes to display the directory listing to level 8 only, I have mistakenly screwed up somewhere.. there is a way to get the obscured level 9 password. See if you can figure out how...

This level seems a lot trickier then it actually is, and it helps to have an understanding of how the script validates the user's input. The script finds the first occurance of '<--', and looks to see what follows directly after it.