Friday's Community Byte was weird. The intent was to do a HackThisSite mission, but when it was time to begin, everyone there was already programming without my assistance, with the help of Sol Gates. This is great! It's really awesome that everyone enjoys programming that much and will make the effort to learn even when I am not present. So, a tip of my hat to Mr. Sol Gates and the rest of you fine people.
Aside from that, HTS missions one and two still went forward, though most people were programming (some did both). Our goal was to get started and complete the first basic mission, but we did the first and second instead. This required learning a bit of HTML to find out how to "hack" the password login on the pages.
When you start the first mission, you get to a page called "the idiot test". If you can't solve it, it doesn't mean you're an idiot; it is just a test to see whether or not you are knowledgeable enough to do any of the missions on the website. So, what are we supposed to do?
Every website is made up of HTML, and if you want to spot a vulnerability in it, you need to look at the source code of the page to assess it for flaws.
- In the browser window, right-click and choose the option to view the page's source code (the name varies per browser).
- Scroll down to where the HTML code starts for the login form. Normally, you would check where the site's login form begins and try to find the form action URL; however, since this is a test, the password is right in the source.
<!-- the first few levels are extremely easy: password is f0312efb -->
When we start the second mission, we get a dialog that says:
"Network Security Sam set up a password protection script. He made it load the real password from an unencrypted text file and compare it to the password the user enters. However, he neglected to upload the password file...".
This is just a basic test of logic. He forgot to upload the password file. So what does that mean? There is no password. If there is nothing to compare the entered password to, then no password exists. The lesson here is that when testing for vulnerabilities, you should check whether a password is set at all, because an idiot admin may have forgotten to set one altogether (unlikely).
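The missing-password-file flaw from the mission description, shown beside a check that fails closed. This is an added example, not code from HackThisSite or from the original post. The function names, file names and the "constructed-secret" value are assumptions made up for illustration, and the plaintext password file is kept only to mirror the mission text.

```python
import hmac
import os
import tempfile


def load_password_fail_open(path):
    """Vulnerable pattern: a missing file silently becomes an empty password."""
    try:
        with open(path, encoding="utf-8") as fh:
            return fh.read().strip()
    except OSError:
        return ""  # the bug: the read error is swallowed


def check_fail_open(path, entered):
    # With no file, this compares the input against "" and accepts empty input.
    return entered == load_password_fail_open(path)


def check_fail_closed(path, entered):
    """Hardened: without a readable, non-empty secret, nobody gets in."""
    try:
        with open(path, encoding="utf-8") as fh:
            expected = fh.read().strip()
    except OSError:
        return False  # missing or unreadable file denies access
    if not expected or not entered:
        return False  # an empty secret or empty input never authenticates
    return hmac.compare_digest(entered.encode(), expected.encode())


def demo():
    """Run both checks against a missing and a present file (constructed data)."""
    with tempfile.TemporaryDirectory() as tmp:
        missing = os.path.join(tmp, "password.txt")  # deliberately never created
        present = os.path.join(tmp, "present.txt")
        with open(present, "w", encoding="utf-8") as fh:
            fh.write("constructed-secret\n")
        return {
            "open_missing_empty": check_fail_open(missing, ""),
            "closed_missing_empty": check_fail_closed(missing, ""),
            "closed_present_right": check_fail_closed(present, "constructed-secret"),
            "closed_present_wrong": check_fail_closed(present, "guess"),
            "closed_present_empty": check_fail_closed(present, ""),
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```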
Make sure to join in next week when some more hacking action goes down here at Null Byte! Don't be scared to start your own topics in the forums. You can also follow me on Twitter, or talk to the rest of Null Byte in the IRC.