Skip to main content

Hack This Site JavaScript Mission 6 - go go away .js

Fiftysixer decided to try his hand at javascript!All was going well until he realized that he forgot to remove the unused code, which resulted in a confusing mess.He didn't mind, in fact, he did his best to make it even MORE confusing!
As usual I Tried by giving random input and hitting check password
error message alert : Nope, try again
so I got a hint..like in other mission we can look in the source-code for "Nope, try again".
Right click the page and select view source.
ctrl+f  find tab opens ,paste "Nope, try again" hit enter.

 <script language="javascript">
RawrRawr = "moo";
function check(x)
{
"+RawrRawr+" == "hack_this_site"
if (x == ""+RawrRawr+"")
{
alert("Rawr! win!");
window.location = "about:blank";
} else {
alert("Rawr, nope, try again!");
}
}

 function checkpassw(moo)
{
RawrRawr = moo;
checkpass(RawrRawr);
}

</script>

This is where we get to know that mission hint says right ..source has unwanted script too..but which one?its easy to find.go back to our page right click on the check password button and hit inspect (in chrome).You will see the code behind it.
<button onclick="javascript:checkpass(document.getElementById('pass').value)">Check Password</button>

From this its clear,our password is sent to function checkpass().
Here comes the twist,there is no such function the the codes we got early.Only thing is that in second function,"checkpassw()" they call "checkpass()".
but, we are closer . Goto source code and ctrl+f and search for "checkpass"
then you will see


 <script type="text/javascript" src="/missions/javascript/6/checkpass.js"></script>

So,the check function is in an external js document.just visit the file by either clicking the src link or going to

 https://www.hackthissite.org/missions/javascript/6/checkpass.js

 dairycow="moo";
moo = "pwns";
rawr = "moo";

 function checkpass(pass)
{
if(pass == rawr+" "+moo)
{
alert("How did you do that??? Good job!");
window.location = "../../../missions/javascript/6/?lvl_password="+pass;
} else {
alert("Nope, try again");
}

}

 This is quite simple code to know the password from
if(pass == rawr+" "+moo)
Find out you self! Dont look password here unless you cant get it!
Password
Labels:

Comments

  1. Unknown7 December 2020 at 12:30

    dairycow="moo";
    moo = "pwns";
    rawr = "moo";

    function checkpass(pass)
    {
    if(pass == rawr+" "+moo)
    {
    alert("How did you do that??? Good job!");
    window.location = "../../../missions/javascript/6/?lvl_password="+pass;
    } else {
    alert("Nope, try again");
    }

    }

    ReplyDelete
  2. Unknown7 December 2020 at 12:31

    Password

    ReplyDelete

Post a Comment

Popular posts from this blog

Hack This Site Basic 8

Sam remains confident that an obscured password file is still the best idea, but he screwed up with the calendar program. Sam has saved the unencrypted password file in /var/www/hackthissite.org/html/missions/basic/8/  However, Sam's young daughter Stephanie has just learned to program in PHP. She's talented for her age, but she knows nothing about security. She recently learned about saving files, and she wrote a script to demonstrate her ability. So, we know the password is stored in some obscured password file.  Lets try the same code as we did in level 7. But the code 'ls' is not treated as command. so lets try it differently. Try with aaa;<!--ls--> it also failed but got a message: If you are trying to use server side includes to solve the challenge, you are on the right track: but I have limited the commands allowed to ones relevant towards finding the password file for security reasons(because there will always be that one person who decides to ...
2 comments
Read more

Hack This Site Basic 10

Please enter a password to gain access to level 10 Only this much is written as hint.What we should do? I have tried reading the source code and there is no hint how the password is validated.So,we have no other way than intercepting the data.Once we enter the password and hit submit the password along with some request is sent to the server by the browser.There can be very vital information in this request.What we do is intercept this request before it is sent to the server.For this we use "Burp Suit" or some extensions for tampering data.For chrome and firefox,we have tamper data addon.Iam using chrome add on:  Tamper Chrome HOW TO USE IT? *Right click somewhere and select inspect. *Now select the three arrows pointing right on top right corner. *Now select  Tamper from it(make sure you have added the extension in             chrome). *Now input some password in out mission or leave it empty and hit submit. ...
Post a Comment
Read more

HackThisSite Realistic Mission 2

Chicago American Nazi Party Racist pigs are organizing an 'anti-immigrant' rally in Chicago. Help anti-racist activists take over their website!   ================================================ From: DestroyFascism  Message : I have been informed that you have quite admirable hacking skills. Well, this racist hate group is using their website to organize a mass gathering of ignorant racist bastards. We cannot allow such bigoted aggression to happen. If you can gain access to their administrator page and post messages to their main page, we would be eternally grateful.  ================================================ So a guy named  DestroyFascism  is asking for our help.Lets visit the website and check the steps we did in previous missions to find vulnerability. Right click and select view source.There is only 52 lines of code. Check the code for suspicious data.I found something! CODE ---------------------------------------------...
Post a Comment
Read more