M0N73 CRIS70

Uhm, faith spelled runescape wrong? Just like other missions we have a password field.I tried to type random letters and hit enter and I got the error message "Nope... try again!"  What should we do?Just like every other mission, view source and find the javascript behind this.When i looked inspect at the submit button, i got the name of javascript function, check.In the source code, find check finding it with  ctrl+f . <script language="Javascript"> moo = unescape('%69%6C%6F%76%65%6D%6F%6F');       function check (x) {         if (x == moo)         {           alert("Ahh.. so that's what she means");           window.location = "../../../missions/javascript/5/?lvl_password="+x;         }         else {           alert("Nope... try again!");         } } </script> So its clear that out password is checked with value in the variable moo. What is the value of moo?we can find it in two way

Faith is trying to trick you... she knows that you're tired after all the math works...   So, we are facing another java-script challenge.whatever the challenge, we should check all our previous knowledge here.Type in something and hit  Check Password .It alerts "Rawr, nope, try again!". Lets view the source code.Right click and select view source.Now right click on the check password button and inspect,we saw the following code, <button onclick="javascript:check(document.getElementById('pass').value)">Check Password</button> Now we know that whatever we type is send to check function.Go to the  source code we already viewed a nd search for check. GOT THIS SCRIPT: <script language="Javascript"> RawrRawr = "moo"; function check(x) {         "+RawrRawr+" == &quo

They are giving us a code of java script and we need to find the password from this code!its pretty simple code: ===== var foo = 5 + 6 * 7 var bar = foo % 8 var moo = bar * 2 var rar = moo / 3 function check(x) {         if (x.length == moo)         {                         alert("win!");                         window.location += "?lvl_password="+x;         } else {                         alert("fail D:"); } } ======== from statement   function check(x) , we know that our input is taken into the variable(storage space) 'x'.That means,      >>  if (x.length == moo)  <<  This condition checks if our input password length is equal to the value of moo.If condition is correct, we will win! what is the value of moo? Don't go with calculations and all,if you like it that way its okay ,if not , goto to some online java-script running websites like this   Online Javascript Editor  . Now copy paste the co

When we look at the hint, its nothing useful there!at least we don't find anything at a single glance.So, lets do our regular steps,view source and read scripts after clicking, Take this challenge! I found nothing! wait a moment!! usually when we try to run online games or graphical application ,most of time our browser asks us to enable java-script or enable flash! do you realize?if that is the case we are wasting our time by thinking hardly about the possible solution while all you have to do is to disable your javascript in browser in chrome click that button 'Secure' and from drop down look for java-script and disable it..Then reload the webpage(Make sure url is this :https://www.hackthissite.org/missions/javascript/2/    or just goto this link) and yes! we have completed this level.. So what this level teach is that you don't have to always think too much in hacking mind ...make time to think even as a basic user.We should think in every ways possi

Idiot Test faith is learning Javascript, the only thing that is protecting her from hackers is luck.  REQUIREMENT ============= Before we go into the javascript mission , you should know the basics of javascript..atleast you should be able to understand the code written in JavaScript! YOU CAN LEARN BASICS OF JAVASCRIPT FROM:  w3schools   or  SoloLearn ON OUR MISSION =========== This mission has a password field in it and a submit button "check password". But,as always we do not have the password.As usual we type in something and click the button to check its response. It says "Fail D:" now, even i tried with empty password and it still says same message. But, there is something different here than in basic levels,the message is shown in alert box, which means java-script is clearing in action behind this.Lets view its source code.Right click and select view page source.Now, here you have two option for finding the script in use, first is press "

Sam decided to make a music site. Unfortunately he does not understand Apache. This mission is a bit harder than the other basics. As you may have noticed! when we visit this level all we are given with is some line about song.This line changes on each refresh.From this we assume that this is not the real page we need to visit.But how we find our requirement? There is a tool in Kali Linux called 'Dirb'. But for now Iam using an online service for this >> URL FUZZER << . First we give the url and search for files with .php extension. select start scan.Wait for scan to finish. So,we have found a file.Now visit it as: https://www.hackthissite.org/missions/basic/11/index.php There is our login page.still we are stuck!we don't have the password or any hint in the source code of this page. Lets run another scan on the URL Fuzzer ,this time for directories  Same way start scan and wait for it to finish. There are two possible directories

Please enter a password to gain access to level 10 Only this much is written as hint.What we should do? I have tried reading the source code and there is no hint how the password is validated.So,we have no other way than intercepting the data.Once we enter the password and hit submit the password along with some request is sent to the server by the browser.There can be very vital information in this request.What we do is intercept this request before it is sent to the server.For this we use "Burp Suit" or some extensions for tampering data.For chrome and firefox,we have tamper data addon.Iam using chrome add on:  Tamper Chrome HOW TO USE IT? *Right click somewhere and select inspect. *Now select the three arrows pointing right on top right corner. *Now select  Tamper from it(make sure you have added the extension in             chrome). *Now input some password in out mission or leave it empty and hit submit. *You will see a new tab with the request det

Network Security Sam is going down with the ship - he's determined to keep obscuring the password file, no matter how many times people manage to recover it. This time the file is saved in /var/www/hackthissite.org/html/missions/basic/9/.In the last level, however, in my attempt to limit people to using server side includes to display the directory listing to level 8 only, I have mistakenly screwed up somewhere.. there is a way to get the obscured level 9 password. See if you can figure out how...This level seems a lot trickier then it actually is, and it helps to have an understanding of how the script validates the user's input. The script finds the first occurance of '<--', and looks to see what follows directly after it.  Its clearly stated that we cannot see the directory listing in level 8 because the password we enter is filtered.But its also stated that  " in my attempt to limit people to using server side includes to display the directory listing