HackThis Main
- attempts 1
Look through the page source; the username and password are in an HTML comment.
- attempts 2
Looking at the source shows that it simply hides the username and password with color: #000000; selecting the text with the left mouse button makes them visible:
<span style="color: #000000">resu</span> and
<span style="color: #000000">ssap</span>
- attempts 3
This JS code says that if the username is heaven and the password is hell, you pass:
<script type='text/javascript'>
$(function(){
  $('.level-form').submit(function(e){
    if(document.getElementById('user').value == 'heaven' && document.getElementById('pass').value == 'hell') {
    } else {
      e.preventDefault();
      alert('Incorrect login')
    }
  })
})
</script>
- attempts 4
Reading the source as usual turns up the hidden field below, so visit https://www.hackthis.co.uk/levels/extras/ssap.xml:
<input type="hidden" name="passwordfile" value="../../extras/ssap.xml">
- attempts 5
On opening the level a box pops up asking for a password; ignore it for now and read the source as usual:
<script language="JavaScript" type="text/javascript">
var pass;
pass=prompt("Password","");
if (pass=="9286jas") {
window.location.href="/levels/main/5?pass=9286jas";
}
</script>
- attempts 6
Use Burp Suite or Firefox's built-in tools to change the POST parameters.
- attempts 7
The hint says: The password is again stored in a txt file. This time however it is not as straight forward as viewing the source. You wouldn't even find the page by using a search engine as search bots have been excluded.
From "search engine as search bots have been excluded" we can think of robots.txt; so google site:www.hackthis.co.uk robots.txt and it turns up.
- attempts 8
The hint for this level practically gives the solution away…
Find /extras/secret.txt in the source, then convert the binary to hexadecimal and uppercase it.
- attempts 9
This one is a bit of a trap…
Clicking Request details shows that we are asked to enter an email address. Looking at the source, or using Burp Suite and the like, reveals a hidden form field email2 whose value is set to admin@hackthis.co.uk. If either email1 or email2 is not admin@hackthis.co.uk it says Incorrect email address (though that is not actually how it works…); if both are admin@hackthis.co.uk it shows Email sent, but to the wrong address. My first guess was that email2 was the sender's address, so I had to find a way to set email1 to our own address, and I tested all kinds of bypasses… In the end it turned out that email1 and email2 simply need to be equal…
- attempts 10
From the hint you can guess that it is about cracking an md5 hash or similar; in the HTML source we find:
<input type="hidden" name="passwordfile" value="level10pass.txt">
So try to find level10pass.txt; it is not there directly, so resort to Google hacking:
site:www.hackthis.co.uk inurl:level10pass.txt
That finds level10pass.txt, which contains a long string that is evidently two passwords. Throwing them into https://www.cmd5.com/ shows that they are two SHA-256 hashes; once they are resolved, the level is done.