Goodnight Byte: HackThisSite Walkthrough, Part 2 - Legal Hacker Training
Welcome to the closing of the second HackThisSite and programming Community Byte. First and foremost, I would like to ask that people start showing up on time to the Community Bytes. If you need help converting your time zone to PST, go to Time Zone Converter. When users do not show up on time, we have to go backwards and catch everybody up. This wastes time and will also make other users' experience less enjoyable when they have to watch and listen to the same thing 100 times. Punctuality aside, if there is a better suited time for you all, make sure to gripe to me in the forums so I know! I want us to be a community.
Friday's mission was to complete HackThisSite, basic mission 3. This required learning a bit of HTML, as well as some solid deductive reasoning and logic. This mission also teaches a bit about server administration and how servers work.
Upon starting the mission, they give us this message:
"This time Network Security Sam remembered to upload the password file, but there were deeper problems than that."
First things first: we always look at the source code of the web page. This is for obvious reasons (how can you break something efficiently if you have no idea how it works?). Once you get to the form action of the web page in the source, we come to an interesting bit of code.
<form action="/missions/basic/3/index.php" method="post">
<input type="hidden" name="file" value="password.php" />
This means that the password you submit is compared against the contents of the file named in the hidden field, password.php. So, by visiting that file in the same directory, we get to a viewable PHP file with the password as its contents.
Just enter that password to complete the mission.
When using HTML form actions for things like logins, a password file needs to exist so that what the user typed can be compared with the actual password. When these match, the user is granted access. This web administrator messed up in so many ways that I don't think it's possible.
To prevent this, a web admin would first normally store the passwords as hashes in the database, so even if they were viewable like ours, they wouldn't be the plain-text passwords. Second, this file should not be viewable at all. A web admin would need to log into their server and chmod (change mode) the file to something not viewable to the public.
This would normally be a pretty easy thing to prevent, as you can see.
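The two fixes described above, as an added example that is not part of the mission's code or the original post: it stores only a salted hash, restricts the file to its owner, and checks logins against it. The directory and file names, the function names, and the sample password are hypothetical, and reading the path from a server-side constant instead of the hidden form field is an assumption of this sketch.

```php
<?php
// Added example: hypothetical names and a constructed sample password.
declare(strict_types=1);

// Assumption: a directory the web server does not serve. A temp dir is used
// here only so the script runs anywhere from the command line.
$storeDir  = sys_get_temp_dir() . '/mission3_demo_' . bin2hex(random_bytes(4));
$storeFile = $storeDir . '/password.hash';

// One-time setup: save a salted hash, never the plain-text password.
function store_password(string $dir, string $file, string $plain): void
{
    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        throw new RuntimeException("cannot create $dir");
    }
    $hash = password_hash($plain, PASSWORD_DEFAULT); // salt is generated per call
    if (file_put_contents($file, $hash, LOCK_EX) === false) {
        throw new RuntimeException("cannot write $file");
    }
    chmod($file, 0600); // same effect as `chmod 600` typed on the server
}

// Login check: the path is fixed on the server, not taken from a form field.
function check_password(string $file, string $submitted): bool
{
    $hash = @file_get_contents($file);
    if ($hash === false) {
        return false; // fail closed when the file is missing or unreadable
    }
    return password_verify($submitted, trim($hash));
}

store_password($storeDir, $storeFile, 'constructed-sample-pw');

// What someone who could read the file would see: a hash, not the password.
printf("file mode: %o\n", fileperms($storeFile) & 0777);
printf("stored value: %s\n", file_get_contents($storeFile));

var_dump(check_password($storeFile, 'constructed-sample-pw')); // correct password
var_dump(check_password($storeFile, 'wrong-guess'));           // wrong password

// Clean up the demo files.
unlink($storeFile);
rmdir($storeDir);
```

Run it with `php` from a shell. On a real server the hash file would live outside the document root, so it cannot be requested by URL the way password.php was.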
Tell all of your friends to join in next week when more hacking action goes down here at Null Byte! Don't be scared to start your own topics in the forums. You can also follow me on Twitter, or talk to the rest of Null Byters in the IRC.