M0N73 CRIS70

  Uncle Arnold's Local Band Review  Your friend is being cheated out of hundreds of dollars. Help him make things even again! After Finishing our basic missions and JavaScript missions we gained a lot of confidence.Now it is time to test in real life scenario. This is where Realistic missions comes in handy. ================================================== It Says: From : HeavyMetalRyan  Message: Hey man, I need a big favour from you. Remember that website I showed you once before? Uncle Arnold's Band Review Page ? Well, a long time ago I made a $500 bet with a friend that my band would be at the top of the list by the end of the year. Well, as you already know, two of my band members have died in a horrendous car accident... but this ass hole still insists that the bet is on! I know you're good with computers and stuff, so I was wondering, is there any way for you to hack this website and make my band on the top of the list? My band is Raging Inferno

There is No hint Given to us!All we have is the name  JS Obfuscation. FTW! What this means ? Obfuscation-  the action of making something obscure, unclear, or unintelligible. So clearly,it has some thing to deal with the JavaScript code.Lets find out. As usual, I typed in something in the input box and hit "check password" Got an alert "WRONG! Try again!" Now , as usual we have to go for this in the source code. Right click and select view page source (for chrome).In that search for  "WRONG! Try again!" Wow! no code found! what will we do?don't worry! go back to our page and right click on check password and select inspect.Got the code below: <button onclick="javascript:if (document.getElementById(&quot;pass&quot;).value==&quot;j00w1n&quot;){alert(&quot;You WIN!&quot;);window.location += &quot;?lvl_password=&quot;+document.getElementById(&quot;pass&quot;).value}else {alert(&am

Fiftysixer decided to try his hand at javascript!All was going well until he realized that he forgot to remove the unused code, which resulted in a confusing mess.He didn't mind, in fact, he did his best to make it even MORE confusing! As usual I Tried by giving random input and hitting check password error message alert : Nope, try again so I got a hint..like in other mission we can look in the source-code for "Nope, try again". Right click the page and select view source. ctrl+f  find tab opens ,paste "Nope, try again" hit enter. <script language="javascript"> RawrRawr = "moo"; function check(x) { "+RawrRawr+" == "hack_this_site" if (x == ""+RawrRawr+"") { alert("Rawr! win!"); window.location = "about:blank"; } else { alert("Rawr, nope, try again!"); } } function checkpassw(moo) { RawrRawr = moo; checkpass(RawrRawr); } </script>

Uhm, faith spelled runescape wrong? Just like other missions we have a password field.I tried to type random letters and hit enter and I got the error message "Nope... try again!"  What should we do?Just like every other mission, view source and find the javascript behind this.When i looked inspect at the submit button, i got the name of javascript function, check.In the source code, find check finding it with  ctrl+f . <script language="Javascript"> moo = unescape('%69%6C%6F%76%65%6D%6F%6F');       function check (x) {         if (x == moo)         {           alert("Ahh.. so that's what she means");           window.location = "../../../missions/javascript/5/?lvl_password="+x;         }         else {           alert("Nope... try again!");         } } </script> So its clear that out password is checked with value in the variable moo. What is the value of moo?we can find it in two way

Faith is trying to trick you... she knows that you're tired after all the math works...   So, we are facing another java-script challenge.whatever the challenge, we should check all our previous knowledge here.Type in something and hit  Check Password .It alerts "Rawr, nope, try again!". Lets view the source code.Right click and select view source.Now right click on the check password button and inspect,we saw the following code, <button onclick="javascript:check(document.getElementById('pass').value)">Check Password</button> Now we know that whatever we type is send to check function.Go to the  source code we already viewed a nd search for check. GOT THIS SCRIPT: <script language="Javascript"> RawrRawr = "moo"; function check(x) {         "+RawrRawr+" == &quo

They are giving us a code of java script and we need to find the password from this code!its pretty simple code: ===== var foo = 5 + 6 * 7 var bar = foo % 8 var moo = bar * 2 var rar = moo / 3 function check(x) {         if (x.length == moo)         {                         alert("win!");                         window.location += "?lvl_password="+x;         } else {                         alert("fail D:"); } } ======== from statement   function check(x) , we know that our input is taken into the variable(storage space) 'x'.That means,      >>  if (x.length == moo)  <<  This condition checks if our input password length is equal to the value of moo.If condition is correct, we will win! what is the value of moo? Don't go with calculations and all,if you like it that way its okay ,if not , goto to some online java-script running websites like this   Online Javascript Editor  . Now copy paste the co

When we look at the hint, its nothing useful there!at least we don't find anything at a single glance.So, lets do our regular steps,view source and read scripts after clicking, Take this challenge! I found nothing! wait a moment!! usually when we try to run online games or graphical application ,most of time our browser asks us to enable java-script or enable flash! do you realize?if that is the case we are wasting our time by thinking hardly about the possible solution while all you have to do is to disable your javascript in browser in chrome click that button 'Secure' and from drop down look for java-script and disable it..Then reload the webpage(Make sure url is this :https://www.hackthissite.org/missions/javascript/2/    or just goto this link) and yes! we have completed this level.. So what this level teach is that you don't have to always think too much in hacking mind ...make time to think even as a basic user.We should think in every ways possi

Idiot Test faith is learning Javascript, the only thing that is protecting her from hackers is luck.  REQUIREMENT ============= Before we go into the javascript mission , you should know the basics of javascript..atleast you should be able to understand the code written in JavaScript! YOU CAN LEARN BASICS OF JAVASCRIPT FROM:  w3schools   or  SoloLearn ON OUR MISSION =========== This mission has a password field in it and a submit button "check password". But,as always we do not have the password.As usual we type in something and click the button to check its response. It says "Fail D:" now, even i tried with empty password and it still says same message. But, there is something different here than in basic levels,the message is shown in alert box, which means java-script is clearing in action behind this.Lets view its source code.Right click and select view page source.Now, here you have two option for finding the script in use, first is press "

Sam decided to make a music site. Unfortunately he does not understand Apache. This mission is a bit harder than the other basics. As you may have noticed! when we visit this level all we are given with is some line about song.This line changes on each refresh.From this we assume that this is not the real page we need to visit.But how we find our requirement? There is a tool in Kali Linux called 'Dirb'. But for now Iam using an online service for this >> URL FUZZER << . First we give the url and search for files with .php extension. select start scan.Wait for scan to finish. So,we have found a file.Now visit it as: https://www.hackthissite.org/missions/basic/11/index.php There is our login page.still we are stuck!we don't have the password or any hint in the source code of this page. Lets run another scan on the URL Fuzzer ,this time for directories  Same way start scan and wait for it to finish. There are two possible directories

Please enter a password to gain access to level 10 Only this much is written as hint.What we should do? I have tried reading the source code and there is no hint how the password is validated.So,we have no other way than intercepting the data.Once we enter the password and hit submit the password along with some request is sent to the server by the browser.There can be very vital information in this request.What we do is intercept this request before it is sent to the server.For this we use "Burp Suit" or some extensions for tampering data.For chrome and firefox,we have tamper data addon.Iam using chrome add on:  Tamper Chrome HOW TO USE IT? *Right click somewhere and select inspect. *Now select the three arrows pointing right on top right corner. *Now select  Tamper from it(make sure you have added the extension in             chrome). *Now input some password in out mission or leave it empty and hit submit. *You will see a new tab with the request det

Network Security Sam is going down with the ship - he's determined to keep obscuring the password file, no matter how many times people manage to recover it. This time the file is saved in /var/www/hackthissite.org/html/missions/basic/9/.In the last level, however, in my attempt to limit people to using server side includes to display the directory listing to level 8 only, I have mistakenly screwed up somewhere.. there is a way to get the obscured level 9 password. See if you can figure out how...This level seems a lot trickier then it actually is, and it helps to have an understanding of how the script validates the user's input. The script finds the first occurance of '<--', and looks to see what follows directly after it.  Its clearly stated that we cannot see the directory listing in level 8 because the password we enter is filtered.But its also stated that  " in my attempt to limit people to using server side includes to display the directory listing

Sam remains confident that an obscured password file is still the best idea, but he screwed up with the calendar program. Sam has saved the unencrypted password file in /var/www/hackthissite.org/html/missions/basic/8/  However, Sam's young daughter Stephanie has just learned to program in PHP. She's talented for her age, but she knows nothing about security. She recently learned about saving files, and she wrote a script to demonstrate her ability. So, we know the password is stored in some obscured password file.  Lets try the same code as we did in level 7. But the code 'ls' is not treated as command. so lets try it differently. Try with aaa;<!--ls--> it also failed but got a message: If you are trying to use server side includes to solve the challenge, you are on the right track: but I have limited the commands allowed to ones relevant towards finding the password file for security reasons(because there will always be that one person who decides to

This time Network Security sam has saved the unencrypted level7 password in an obscurely named file saved in this very directory.In other unrelated news, Sam has set up a script that returns the output from the UNIX cal command. Here is the script: In the hint, its clearly stated that the script is running on unix command line. I tried inputting 2017.Its showing calender of 2017. Then i tried ' 2017;ls ' ls is a command in unix for listing directory fortunately below the calender , we can see the directory listing. from that we can easily find our password file name add it to the url to view password https://www.hackthissite.org/missions/basic/7/passwordfilename.php SPOILERS Password FileName Password

Network Security Sam has encrypted his password. The encryption system is publically available and can be accessed with this form: There we have been given with the same encryptor used by Sam .There is no other choice in my mind than guessing the password with the help of this encryptor. We have Sam's encrypted password already :3ff8;j<9 >Now we need to find by giving which value we get the output as 3. >when i given 'a' my output was 'a',which means no change. >So,I tried giving '3' and as expected, answer was 3. >So i pushed my luck and tried '3f',the first two letters,in encryptor ,Output was '3g'    this was clearly giving us hint.first letter has no change,second letter change by one alphabet or           letter ,clearly from 'abcdefg' >with this in mind iam giving input for encryption as '3ed',Huraaah!, it was successful and given output as '3ff'. >now its easy to break down ...

This time Sam hardcoded the password into the script. However, the password is long and complex, and Sam is often forgetful. So he wrote a script that would email his password to him automatically in case he forgot. Here is the script: This mission is just the same as basic4, though sam added some features, the steps we did in basic 4 is enough to get the password sent to our email.   Password HERE

This time Sam hardcoded the password into the script. However, the password is long and complex, and Sam is often forgetful. So he wrote a script that would email his password to him auto And below this,There is a button for sending password to Sam's email.What we should do? right click on the button ,if you are in google chrome ,select > inspect . Now on right side you could see the script of that button. In this script you could see, <input type="hidden" name="to" value="sam@hackthissite.org"> Got any idea? yea , all you have to do is change the email to whatever  email you registered in Hackthis site ! Now check your mail,there must be the password you needed! Keep going!

"This time Network Security Sam remembered to upload the password file, but there were deeper problems than that."  I tried the steps we did in first two missions..Though in simple looking it was just a failure but when I looked thoroughly in our form,which asks for password,I saw a hidden file. You cud also see. SPOILER HERE Now ,we know the password file name. All we have to do is see it.just paste the file name after your url of the mission: https://www.hackthissite.org/missions/basic/3/>>file name<< Click enter and you have got your password! Password is : Password

"Network Security Sam set up a password protection script. He made it load the real password from an unencrypted text file and compare it to the password the user enters. However, he neglected to upload the password file..." In fact this is simpler that the previous one.They says Sam used a script which loads a script and checks the password we give with the password he has stored in a plain text.Most importantly he forgets to upload the password file.Which means there is no password for comparing,so what ever password we type in will let us pass the level.Just click on submit and yes you are done!

Lets start our journey with hack this site.Visit the website and make an account.Login with your account. Now we are going to look at basic 1. Select Basic missions from left tab and choose basic 1 "This level is what we call "The Idiot Test", if you can't complete it, don't give up on learning all you can, but, don't go begging to someone else for the answer, thats one way to get you hated/made fun of. Enter the password and you can continue. " This is the easiest level.It teaches you this, you should first look into the source code for some clue or vulnerability. Yes! Just right click on the page and select view-source.Now you can see the source code.Read along the lines until you find the line containing password:   SPOILER HERE Yes you have hacked the first level!

There are a lots of tutorials out there in internet.Most of them you guys will ignore as I did earlier..don't ignore any tutorial or tool. There are websites where we are given with challenges for hacking like in DVWA-Damn Vulnerable Web Application. Some of them are, Hack This Site |   HackThisSite.org Hack This Site is more than just a website; it’s a platform for education and a community for security enthusiasts. Hack This Site is a great stopping point for security professionals and developers alike, as it offers varying levels and topics to delve into as you practice hacking. HackThis!! |   hackthis.co.uk Deemed ‘the Hacker’s Playground,’ HackThis!! offers various levels and areas of study when practicing your hacking skills. Similar to Hack This Site, HackThis!! is also a good place to go for security-related news, presentations and to connect with like-minded folk in their forum. HellBound Hackers  |   hellboundhackers.org Its also a s

I ts truly useful and needful to learn how hacking works in order to prevent these attacks.An ethical hacker need to know everything in hacking just as a black hat hacker in order to outrun them and find the exploits before the black hats finds it and cause too much damage. This is just like our military is trained in arms to prevent the terrorists from attacking us! This is why we say learning to hack is not unethical but using it for any bad purpose is unethical and that is the real crime.This is the reason why we still get every kind of tutorials and help related to hacking .So its not a crime to learn hacking unless your intentions are unethical. There is term difference for ethical hacker and black hats ,white hat hackers or ethical hackers are really called hackers while black hats are called crackers.Now a days people find it hard to differentiate and hence are using the term hacker for all. 

W ell the question is quiet simple,but i choose to explain it basically so that every one can understand it. Before that i must say,don't be interested to hacking by seeing images of hacker like the one above,if you think you wanna be portrayed as above,all you need to learn is Photoshop :) Most of us,in Our childhood must have had toys.When we have one we try to know how it functions,by somehow opening it and once we know its working, we try to alter it to our own wish even though most of us fail! A hacker has same mind set where he try to break through the security measures applied by the application or website makers.When we hear the name hacker first thing that comes to our mind is he will hack our facebook,twitter,computer and everything.Even though a very elite hacker may know to bypass the security of all these ,mostly they may not . What i mean is may be a hacker know to bypass security of webpages but not to crack games but still he is a hacker. In simple words,Hac

WITH BURP SUIT AND SQLMAP  This tutorial is for educational purpose only and please dont use it for any unethical purpose and this blog or its author wont be responsible for the after effects you face if you do something unethical For this example Iam testing on DVWA(Damn Vulnerable Web Application),Blind SQL injection Blind SQL Injection ++++++++++++++++++++ -tamper data with burp suit(if you dont know ,there are lot of tutorials) and find cookie security=low; PHPSESSID=q5ceoc6r4kr3t3kpfppma5l4e1 -run sqlmap -copy our weppage url(DVWA) http://localhost/dvwa-master/vulnerabilities/sqli_blind/?id=1 -in sql map type following command sqlmap -u 'http://localhost/dvwa-master/vulnerabilities/sqli_blind/?id=1' --cookie="security=low; PHPSESSID=q5ceoc6r4kr3t3kpfppma5l4e1" --dbs -in my case i must use sqlmap.py since i use windows for this test  sqlmap.py -u 'http://localhost/dvwa-master/vulnerabilities/sqli_blind/?id=1' --c