IMPROVE OUR ARTICLE, PLEASE

General technological topics without their own forum go here

IMPROVE OUR ARTICLE, PLEASE

Post by Hitekrednek on Sun Oct 02, 2011 4:45 pm
([msg=62007]see IMPROVE OUR ARTICLE, PLEASE[/msg])

This is an article I wrote with AtomicSyntax. We were trying to make an official guide to the basic missions that gives away as little as possible while still pointing the clueless people in the right direction. I think with a little fine tuning that this could become an official guide to the basics. Please post any constructive feedback you have here and help us get it right. Also, we had several hyperlinks in the text that didn't show up on the post, but that will link to w3schools tutorials for things like javascript and such. They'll be worked back in for the final version. Thanks.



HackThisSite Basic Missions Tutorial

INTRODUCTION

If you haven't yet heard of http://www.HackThisSite.org, I urge you to check it out, especially if you are seeking a safe and legal environment to learn about the hacking world, as well as test your skills and learn new ones in legal "test" web pages the site hosts, and also get access to several other types of challenges, such as Programming and IRC missions. This website is complete with an entire community, forums, lectures, articles, an e-zine, and much more.

This article will cover the basic missions. These are entry level challenges to test how much you know about computers in general, and put your common sense to the test. HTS has 11 Basic missions at the moment. These missions are great for helping new comers get started in the right direction, but understand that the missions won't help you learn if you just read the forums and have the answers given to you. You can complete the missions quickly, and learn the absolute basics of the basics, but it won't turn you into a hacker. The point here is to learn as much as possible to help you when you start doing some real-world penetration testing. Accomplished missions on this website are not the same as weapons in your arsenal. HTS only gives you a few specific examples of hacks that can usually be performed in many other ways and in various other situations. Don't think that completing a mission makes you proficient in that type of hacking. HTS will guide you, but you have to teach yourself.

The majority of these challenges are based in HTML interpretation, syntax comprehension, and other techniques that have to be used to gain the ultimate goal: Beating the mission and getting to the next level!

A piece of advice for when you are attempting these missions: READ the descriptions! They are full of subtle hints that are often overlooked by the impatient! Also, The basics aren’t so hard when you look at them after completing them, but can be a real pain while working through them for the first time. If you get stuck and want to bang your head on the keyboard until your face bleeds, don’t. Just get up, leave your computer, and walk outside for a few minutes. Come back when your head is clear and try to approach things in a different way. The biggest way that HTS can help you is by teaching you how to start thinking like a hacker. You have to look deeper than what you see on the surface and find things that wouldn’t be as obvious to someone who is just browsing a web-page. This is the computer world. There is more to be known about computers than you could ever know, so don’t feel discouraged when you have to go out and start learning about a new concept. Even the most advanced computer users are noobs on some subjects. Take your time, enjoy yourself, and above all, try to walk away from this experience with knowledge that will last you a lifetime.

BASIC MISSIONS

Basic 1

Basic 1 is called "The Idiot Test" for a reason. Don't feel discouraged by this. It's just our way of saying that you shouldn't need help on this mission. Use your common sense here. If you don't know HTML, then you should Google up a tutorial and learn how it works. You will be using HTML in pretty much every web-based mission on the site, so make sure you take the time to learn more than the basics. The main objective of this mission is to test your source code interpretation of the markup language HTML. Use common sense here. This is not a hard mission, but can be confusing for beginners. Take it slow and do your research, and be prepared to feel stupid if you get it after being stuck for a while.

Basic 2

In this mission, Network Security Sam has created a password protection script. The real password will load from an unencrypted text file to be compared to the password entered in. But Network Security Sam forgot to upload the text file.

According to the information given at the mission's page, you need to input the password in order to gain access to the next level. Read carefully the description and analyze what you need to do. This one is all logic. Don't over-think it. Learn to step back and look at things from a different perspective.

Basic 3

This time Network Security Sam remembered to upload the password file. But there were deeper problems than that.

This mission will test your Source Code interpretation and comprehension. If you have not learned HTML and cannot make your own basic website from scratch, I suggest you learn how to before pressing on. It is vital that you understand the syntax and can interpret the commands and know how they work. This mission also emphasizes page directories. Very basic, but you can see how these little things can make a difference in a real world setting. For this mission, you need to understand how the syntax works and how pages are linked within one another.

Basic 4

This time Sam hardcoded the password into the script. However, the password is long and complex, and Sam is often forgetful. So he wrote a script that would email his password to him automatically in case he forgot.

In this mission, you find out the password is within the website itself, and that you can retrieve it by clicking the “Send password to Sam” button on the page. If you get the encoded password in the script, you will see that it is quite long, and also encrypted. This won't help you. The main goal in this mission is to trick the page into sending you the unencrypted password instead of sending it to Sam.

Basic 5

Okay, kids. Homework time. If you haven’t learned a programming language yet, now is the time. Javascript is a highly used programming language, and isn’t overly complicated. It should only take you a few hours to learn it well enough to pass most of the missions that require it. Take the time to learn it. Don’t waste your time by learning to use a single command and pass the mission. On this mission, the key is to be able to do the injection yourself, instead of using Firebug in Mozilla or Javascript Console in Chrome. Even though these tools are extremely helpful, the idea is to learn what these tools actually execute behind their glossy GUI. As you learn in the description, Sam wrote a program for the password within the web page. After examining the source, you can see the function and which email the password is being sent to. The goal here is to use Javascript injection to change the value of the receiving email to your own so that you are able to obtain the password.

Hint: Take extra care in the syntax of your injection. Javascript IS case sensitive.

Basic 6

This mission is based on encryption and reverse engineering. You are given a password in its encrypted form, which is different for every user, and an input box that lets you encrypt your own string of text with the same encryption algorithm used for the password. You have to decode the password by finding out how the algorithm works and how to reverse it. Try a simple string, like your name, or a 4-5 letter word and pay attention to how it is encrypted. You'll probably need an ASCII chart for this one. Make sure you're familiar with the first 128 characters of the ASCII standard. They're used extensively in the computer world.

Basic 7

In this mission, Sam is learning slowly that there are many ways to make mistakes as a Systems Administrator. Again, he's gotten cute and left the page vulnerable. He uploaded his own script running from a UNIX machine, and forgot to take into account what you can do with UNIX commands. You need to learn how to exploit his included script in order to make the UNIX computer tell you some things it isn't supposed to. You'll need to know how *nix command lines work.

Basic 8

This mission, as in the last one is focused on using UNIX commands in order for you to exploit the website and gain access to information not available to you. Here, it also teaches you about SSI (Server Side Includes), and how it works to make the client side display the desired information. The Server tells the website what to do, then the HTML and PHP(the language HTS is coded in) tells the Browser what to do in order to display the web page you are viewing. In this mission, Stephanie, Sam's young daughter, is learning PHP scripting. She knows nothing about security, and leaves the script vulnerable to attack. Using the UNIX commands you learned in the last mission, you have to find the vulnerability of Stephanie's script to get the password file.

Basic 9

Similar to Basic 8, here the password is again in an obscuring password file hidden within the web page. We can see that Sam is still using his UNIX machine to obscure the file, but the only problem here is that there is no input field for you to enter a command in. Fortunately, the mission page gives you a hint as to where you might be able to do that. When you figure out where to input your command, you have to be very careful as to the path of the directories you would like to be displayed. You will see a similar page from Basic 8 containing the information that you are looking for, just make sure to put it in the right spot, or you won’t be able to get the password!

Basic 10

Javascript again! This one is a little tougher than the first injection in Basic 5, but still not bad. Again, you can cheat on this mission with add-ons, but the point is to learn to do it yourself. Make sure you know how the things you're doing work, not only on the page, but also in the browser; otherwise you're just a skiddie. You need to know how web pages identify you as you and how to use Javascript to make yourself seem like someone else, or at least someone with the proper privileges to get to the pages you'd like to see, which in this case are those of the next mission.

Basic 11

This is the one that has left users racking their brains for days on end, and for good reason. It isn't the most sensible mission. This one is a three part mission, and is all about finding hidden directories. The only actual 'hack' is pretty simple, and comes at the very end.

You start at a page giving you only a statement about how much the site Administrator loves music and a song name. There is not a place to submit your answer. I guess you'll have to find one. Maybe it's on a standard page like /admin.php or something along those lines. When you refresh the start page of the mission, you'll see that the song name has changed. Try to find a correlation between the songs, and see where that leads you. FINDING THE MUSIC RELATED DIRECTORIES IS THE HARDEST PART OF THIS MISSION. Think of how music is stored, directory-wise. Keep in mind that the way this person stored his music was amazingly stupid, so the obvious directories like /Dylan/Bob.php won't work. I spent days feeling like an idiot on this part.

Once you get the place to submit your answer and the hidden directories related to the music, you'll need to follow the music directories to the very end. When you get to the end of the directories, it's time to do some homework. You need to know how Apache systems handle passwords and how to exploit it. Keep in mind that Sam made another mistake here, and left vulnerability in the file that is supposed to handle the password while keeping it secret, so there is a quick and easy way to get the password, even though these files were designed to be secure.

CONCLUSION

So there you have it. Now that you’ve worked your way through the basics, you might try your hand at some of the other challenges on the site. The Javascript missions aren’t too hard, and the extended basics will teach you a lot while not being overly frustrating. The realistic missions are fake websites, similar to basic 11, that you will get to try your hand at and see what you’ve learned about web hacking. Once you start learning more languages, you should try out the programming challenges. Enjoy the site, and feel free to hop on our IRC server at irc.HackThisSite.org on port 6667 for standard connections and 7000 for SSL. There are usually some friendly people on who can help you with your problems in #help, but beware of trolls. Don’t let your guard down until you know who’s who. We hope this helps.


REFERENCES

http://www.hackthissite.org/
http://www.w3schools.com





-AtomicSyntax
-Hitekrednek
Hitekrednek
New User
New User
 
Posts: 18
Joined: Thu Jan 15, 2009 9:31 pm
Blog: View Blog (0)


Re: IMPROVE OUR ARTICLE, PLEASE

Post by mShred on Sun Oct 02, 2011 5:36 pm
([msg=62008]see Re: IMPROVE OUR ARTICLE, PLEASE[/msg])

Weird. I just opened up the article approving thingamajigger. Anywho. I'm assuming you want me to wait to approve it due to the community revision?
But honestly, at first skim I loved it. I haven't actually sat down to read it in depth to see if there were spoilers or anything like that. As I said, I only skimmed it. But one idea I have is you could put more of an intro to actual hacking/HTS into it. I was thinking about putting posting a thread in the basic mission subforum with a sticky on the article. That way we can easily redirect new users to the thread. But at the same time, if you combine it with a good introduction, it'll show them how to get started. My two cents. But yeah I really liked the idea.
¡Bien hecho Hitek y AtomicSyntax!
User avatar
mShred
Addict
Addict
 
Posts: 1899
Joined: Tue Jun 22, 2010 4:22 pm
Blog: View Blog (2)


Re: IMPROVE OUR ARTICLE, PLEASE

Post by Kage on Sun Oct 02, 2011 9:32 pm
([msg=62011]see Re: IMPROVE OUR ARTICLE, PLEASE[/msg])

I rejected it in the Article administration panel pending your community review. Resubmit when you think it's good to go.
~ Kage ~

HackThisSite Manager
User avatar
Kage
Administrator
Administrator
 
Posts: 154
Joined: Sat Apr 12, 2008 11:07 pm
Location: Inside The HTS Servers
Blog: View Blog (0)


Re: IMPROVE OUR ARTICLE, PLEASE

Post by VPR3 on Mon Oct 03, 2011 7:46 pm
([msg=62029]see Re: IMPROVE OUR ARTICLE, PLEASE[/msg])

Not trying to be critical or negative but at first glance seems a little redundant to me considering the tutorials and other info that already exist. I think I have an idea or 2. But first I need coffee...
VPR3
Poster
Poster
 
Posts: 161
Joined: Fri Apr 22, 2011 11:35 am
Blog: View Blog (0)


Re: IMPROVE OUR ARTICLE, PLEASE

Post by Hitekrednek on Wed Oct 05, 2011 3:11 am
([msg=62073]see Re: IMPROVE OUR ARTICLE, PLEASE[/msg])

The tutorials and guides that are already available seem to give too much away on a lot of levels. The point of this is to make something standard that all noobs who have a want to teach themselves instead of being spoonfed can check out, rather than coming to the forums, which are full of subtle hints that often end up explaining every detail of the mission in obscure wording, essentially ruining the challenges for any who want to make an independent effort but have gotten stumped. If you use the forums much, you'll spoil it for yourself, even if you're not trying to. Same goes for a lot of the tutorials available. I wanted to make something that would hopefully give a nudge in the right direction without just telling people what to look for on too specific of a level.

Also, mShred, I've taken your advice into consideration, but I think the intro to HTS should be a separate article which links to this one in order to keep things organized. But I'll figure it out and either post as a separate article or revise the OP soon. Just trying to find the time. Thanks for the feedback.

-- Wed Oct 26, 2011 5:30 am --

mShred wrote: one idea I have is you could put more of an intro to actual hacking/HTS into it. I was thinking about putting posting a thread in the basic mission subforum with a sticky on the article. That way we can easily redirect new users to the thread. But at the same time, if you combine it with a good introduction, it'll show them how to get started. My two cents. But yeah I really liked the idea.
¡Bien hecho Hitek y AtomicSyntax!



I'm actually thinking that it would be better to make separate article of the intro to HTS and hacking. I'm going to take some time and polish up the article I wrote as an intro to programming and hacking and add an intro to HTS at the beginning and submit that alone, as it's kinda long without the HTS intro and it'd be ridiculous with this tacked on, too.
Hitekrednek
New User
New User
 
Posts: 18
Joined: Thu Jan 15, 2009 9:31 pm
Blog: View Blog (0)



Return to General

Who is online

Users browsing this forum: No registered users and 0 guests