Goodnight Byte: HackThisSite Walkthrough, Part 4 - Legal Hacker Training
These missions are for everyone here, and you can join at any time. Your experience level doesn't matter. HackThisSite is a free, legal and safe practice ground for aspiring hackers wanting to test their knowledge on something real. We have full permission to exploit their servers, and we even get point rewards for it. This week's mission on HackThisSite was to recover the admin password by manipulating an I forgot my password form action, however, this time there was an added brick wall.
When we start the mission, it reads:
"Sam has gotten wise to all the people who wrote their own forms to get the password. Rather than actually learn the password, he decided to make his email program a little more secure."
Right-click the page and view the page source. Scroll down until we find the form action that we can use to retrieve the password. It looks like this:
After, click the form submission button for "I forgot my password" and you will be sent a password to your email. Simply enter it in the field to complete the mission.
A small PHP script that hid the email and sent the password would be far more secure, because it would be processed on the server end, as well as hidden from user sight.
Next week, I might be planning on setting up a virtual machine, or a remote host for the members to hack live. We will walk through getting root access and covering our tracks on a controlled server. Any thoughts? Let me know in the forums. Follow Null Byte on Twitter and G+ for the latest tutorial updates. Feel free to drop other members a few lines in the IRC. Happy hacking everyone!