Pentest

Uploaded by

hopefulvaughan1

Penetration Testing Report

“HackThisSite.org” Penetration Testing Challenges

Executive Summary
This project delves into penetration testing exercises conducted on HackThisSite as part of the Commonwealth Bank Intro to Cybersecurity Program. The main objective was to identify, exploit, and document vulnerabilities across different web application levels, offering practical experience in ethical hacking.
The project uncovers vulnerabilities such as weak input validation, insecure encryption, and flawed authentication mechanisms. It leverages techniques like JavaScript tampering, SSI injection, and directory traversal. Each level sheds light on common web security issues, emphasizing the importance of secure application development practices.
Objective:
• Identify web application vulnerabilities, including weak input validation and improper
authentication mechanisms.
• Learn and apply penetration testing techniques, such as command injection and directory
traversal.
• Understand and exploit encryption vulnerabilities to assess the strength of cryptographic
methods.
• Enhance knowledge of securing server-side logic, including SSI injection and Apache
configuration files.
• Document all vulnerabilities, exploits, and provide security recommendations to improve the
application’s security posture.
Methodology:
• Used browser Web Developer Tools to inspect and modify HTML, JavaScript, and server configuration files.
• Exploited vulnerabilities using techniques such as cookie tampering, directory traversal, and
SSI injection to gain unauthorized access to sensitive files and data.
• Used the additional resources listed in the Resources section, which are especially useful for those with no prior pentesting experience.
Key Findings:
• Input Validation: Inadequate validation of user input exposed the application to various
attacks, including command injection and email modification.
• Encryption: Weak encryption schemes were reverse-engineered, highlighting the risks of
predictable encryption algorithms.
• Authentication: Client-side authentication mechanisms, such as cookie manipulation, were
easily bypassed without server-side validation.
• Directory Traversal: Improper directory permissions allowed unauthorized access to
sensitive files through directory traversal and SSI injection.

Scope of Web Application Tested


• Target: HackThisSite — Basic Challenges (https://www.hackthissite.org)
• Testing Period: 23-10-2024
• Tester: N KRANTHI KUMAR
• Limitations: No restrictions; all areas were covered in the test.
• Tools Used: Web Browser (Microsoft Edge), Developer Tools, Linux Command Line, and
Online Resources.

Vulnerability Description and Key Findings


Findings for each level, Level 1 to Level 11:
• Level 1: Basic test of your skills to see if you can do any of these missions.
Requirements: HTML

• Description: Locate the password by viewing the HTML source code.


• Severity: High
• Evidence: Password 3688cbb2
• Exploit Details: By inspecting the page’s HTML source code using Web Developer
Tools, I found the password in a hidden input field. This exposed the password
without any need for bypassing authentication.
• Remediation: Avoid storing sensitive data, such as passwords, client-side in HTML
or JavaScript, and use server-side authentication mechanisms.
• Level 2: A slightly more difficult challenge, involving an incomplete password script.
Requirements: Common sense.

• Description: Search the HTML source for a hidden password; none is present, because the developer neglected to upload the password file.
• Severity: High.
• Evidence: No password is defined; submitting the form with an empty password field succeeds.
• Exploit Details: The missing password file allowed blank input to be accepted.
• Remediation: The password validation script relied on an external file that was missing. Ensure every file a validation script depends on is deployed with it, and have the script reject input when that file cannot be loaded.
• Level 3: Some intuition is needed to find the location of the hidden password file.
Requirements: Basic HTML knowledge
• Description: Password stored in a file within the web directory (password.php).

• Severity: High.
• Evidence: The hidden field’s value is password.php

• Exploit Details: I manually navigated to the password.php file by appending the file name to the URL. The file contained the password in plaintext, bypassing any form-based security measures.
• Remediation: Restrict access to sensitive files using proper directory permissions and store sensitive data on the server side.
• Level 4: An email script has been set up, which sends the password to the administrator. Requirements: HTML knowledge, an email address

• Description: The password is sent to an email address embedded in the form, and that address can be modified.
• Severity: Medium
• Evidence:
• Exploit Details: By using the browser’s developer tools, I modified the email field in
the password recovery form. I replaced the hardcoded email address with my own,
intercepting the password reset information intended for another user.
• Remediation: Ensure that all input fields, especially those handling sensitive data
like email addresses, are validated server-side. Use secure methods for handling
password recovery processes.
• Level 5: Similar to the previous challenge, but with some extra security measures in place. Requirements: HTML knowledge, JS or FF, an email address.

• Description: Similar to Level 4.
• Severity: Medium
• Evidence: Similar to Level 4 (screenshots or logs).
• Exploit Details: Similar to Level 4.
• Remediation: Similar to Level 4
• Level 6: An encryption system has been set up, which uses an unknown algorithm to change the text given. Requirements: Persistence, some general cryptography knowledge

• Description: Decode a password represented using ASCII codes; insecure encoding of sensitive data.
• Severity: Medium
• Evidence: Decrypted with an ASCII table: b26h:g=; Ans: d14e6b74. Each character’s ASCII code is reduced by its position (0 to 7):
  Cipher  ASCII  Shift  Result  Plain
  d       100    0      100     d
  2       50     1      49      1
  6       54     2      52      4
  h       104    3      101     e
  :       58     4      54      6
  g       103    5      98      b
  =       61     6      55      7
  ;       59     7      52      4

• Exploit Details: The encryption used a predictable character-shifting pattern. By analyzing the input-output pairs of encrypted data, I reverse-engineered the algorithm and decrypted the password. This level demonstrated how weak, non-standard encryption techniques can be easily compromised by pattern recognition.
• Remediation: Use modern cryptographic standards like AES or RSA, instead of
weak custom encryption schemes.
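The Level 6 scheme as the table above walks through it, written out as an added example (not code from the report): each character’s code point is shifted by its 0-based position, so decoding just subtracts the position again. The ciphertext used here, d26h:g=;, is taken from the table’s first row (the summary line’s leading “b” does not match that row), and there is no key anywhere in the scheme, which is why anyone holding the ciphertext can recover the password.

```python
# Added example (not part of the original report): the Level 6 scheme as the
# report's table describes it. Each character's ASCII code is shifted up by
# its 0-based position; decoding subtracts the position. No key is involved.

def encode(plaintext: str) -> str:
    """Shift each character's code point up by its index (the 'encryption')."""
    return "".join(chr(ord(c) + i) for i, c in enumerate(plaintext))


def decode(ciphertext: str) -> str:
    """Undo the shift: subtract the index from each code point."""
    return "".join(chr(ord(c) - i) for i, c in enumerate(ciphertext))


def decode_trace(ciphertext: str) -> list:
    """Rows of (cipher char, its code, shift, resulting code, plain char),
    the same layout as the report's worked table."""
    rows = []
    for i, c in enumerate(ciphertext):
        code = ord(c) - i
        rows.append((c, ord(c), i, code, chr(code)))
    return rows


# Ciphertext assumed from the table rows (first row 'd', shift 0).
CIPHERTEXT = "d26h:g=;"

if __name__ == "__main__":
    for row in decode_trace(CIPHERTEXT):
        print("%s = %d - %d = %d / %s" % row)
    print("password:", decode(CIPHERTEXT))
    # round trip: the scheme is deterministic, so encode(decode(x)) == x
    print(encode(decode(CIPHERTEXT)) == CIPHERTEXT)
```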
• Level 7: The password is hidden in an unknown file, and Sam has set up a script to display a calendar. Requirements: Basic UNIX command knowledge.
• Description: Find a hidden password using the Unix/Linux cal command.
• Severity: Medium
• Evidence: (; ls) command

• Exploit Details: The calendar input field on the page was vulnerable to command
injection. By appending commands to the input (e.g., ; ls -l), I was able to execute
shell commands on the server. This provided a list of the directory contents,
revealing the password file. This type of vulnerability is particularly dangerous as it
allows an attacker to run arbitrary commands on the server, potentially
compromising the entire system.
• Remediation: Validate the year value strictly (digits only) before use, and invoke the calendar program with an argument list rather than a shell command string, so that user input is never interpreted by a shell.
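The Level 7 defect beside its hardened form, as an added example (not the challenge’s own script): the naive version concatenates the year straight into a shell string, so the “; ls -l” suffix the report describes survives intact; the hardened version rejects anything but a four-digit year and passes it to cal as a single argument with no shell. Function and variable names are assumptions.

```python
# Added example (not from the report): how a calendar script like Level 7's
# goes wrong, and how to harden it. Names are assumptions.
import re
import subprocess


def vulnerable_command(year: str) -> str:
    """Builds the shell string the way a naive script would: user input is
    concatenated into a command that is then handed to /bin/sh. Returned
    rather than executed here, so the injection point is visible."""
    return "cal " + year  # a ';' in 'year' lets a second command ride along


def validate_year(year: str):
    """Accept only a plain four-digit year in 1..9999; anything else
    (including '2024; ls -l') is rejected before it can reach a shell."""
    if re.fullmatch(r"\d{4}", year) and 1 <= int(year) <= 9999:
        return int(year)
    return None


def safe_calendar(year: str) -> str:
    """Run cal with an argument list (no shell) after validation.
    Raises ValueError instead of running whatever was typed."""
    y = validate_year(year)
    if y is None:
        raise ValueError("year must be four digits")
    # argv list: the value is exactly one argument, never parsed by a shell
    result = subprocess.run(["cal", str(y)], capture_output=True,
                            text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    print(vulnerable_command("2024; ls -l"))  # injected text survives intact
    print(validate_year("2024; ls -l"))       # None: rejected
    print(safe_calendar("2024")[:60])         # needs the cal binary installed
```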
• Level 8: The password is yet again hidden in an unknown file. Sam's daughter has begun learning PHP, and has a small script to demonstrate her knowledge. Requirements: Knowledge of SSI (dynamic HTML executed by the server, rather than the browser)

• Description: Exploit a server-side include (SSI) vulnerability

• Severity: Medium
• Evidence: Injected <!--#exec cmd="ls ../" -->, an SSI directive that runs a shell command, here listing the contents of the parent directory. The listing revealed:

au12ha39vc.php
Password: 25b8a97a
• Exploit Details: By injecting an SSI command into the input field, I could traverse
the file system and access files outside the intended directories. By injecting the
right commands, I navigated through the file system to locate and retrieve the
password file.
This type of attack exploits the server’s ability to process SSI commands embedded
in user input, which can lead to unauthorized access to sensitive files and directories.
• Remediation: Disable SSI in web applications and ensure input fields are properly
sanitized.
• Level 9: The password is again hidden in an unknown file. However, the script that was previously used to find it has some limitations. Requirements: Knowledge of SSI, Unix directory structure.

• Description: Another SSI injection attack

• Severity: Medium
• Evidence: I had to go back to the challenge 8 page and inject this command: <!--#exec cmd="ls ../../9" -->
Then, starting from https://www.hackthissite.org/missions/basic/8/, I replaced 8 with 9/p91e283zc3.php. Password: bc5e5913


• Exploit Details: By manipulating the input field and specifying file paths, I was able
to bypass the application’s directory restrictions and retrieve sensitive information
stored in protected files. This demonstrated the danger of allowing unchecked input
to interact with the server’s file system.
• Remediation: Implement strong input validation, restrict access to sensitive
directories using proper permissions, and disable SSI processing to prevent
exploitation.
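For Levels 8 and 9, an added example (not the challenge’s code) of what the input handling should have done: recognise the <!--#exec ...--> directive form the report shows, render it inert by HTML-escaping before it is echoed into a page that mod_include processes, and flag the same pattern in access logs. The log lines are constructed samples, and the function names are assumptions; the server-side fix that goes with this is disabling Includes (or at least exec) for the directory.

```python
# Added example (not the report's code): recognising and neutralising SSI
# directives in user-supplied text, and flagging them in access logs.
# The log lines below are constructed samples, not real server logs.
import html
import re
from urllib.parse import unquote_plus

# Matches the directive form the report shows, <!--#exec cmd="..." -->, plus
# the other SSI verbs, tolerating extra whitespace and multi-line directives.
SSI_DIRECTIVE = re.compile(
    r"<!--\s*#\s*(exec|include|echo|config|set|printenv|fsize|flastmod)\b.*?-->",
    re.IGNORECASE | re.DOTALL)


def contains_ssi(text: str) -> bool:
    """True when the text carries an SSI directive the server might evaluate."""
    return SSI_DIRECTIVE.search(text) is not None


def neutralise(text: str) -> str:
    """Escape HTML metacharacters so '<!--#exec ...-->' is rendered as text
    and never parsed as a directive when echoed into an .shtml page."""
    return html.escape(text, quote=True)


def flag_log_lines(lines):
    """Return (line number, decoded line) pairs that contain an SSI directive;
    request strings arrive URL-encoded in access logs, so decode first."""
    hits = []
    for n, line in enumerate(lines, 1):
        decoded = unquote_plus(line)
        if contains_ssi(decoded):
            hits.append((n, decoded))
    return hits


SAMPLE_LOG = [  # constructed
    '10.0.0.5 - - [23/Oct/2024:10:00:01] "GET /missions/basic/8/?name=alice HTTP/1.1" 200',
    '10.0.0.5 - - [23/Oct/2024:10:00:09] "POST /missions/basic/8/ '
    'name=%3C!--%23exec+cmd%3D%22ls+../%22+--%3E HTTP/1.1" 200',
]

if __name__ == "__main__":
    payload = '<!--#exec cmd="ls ../" -->'
    print(contains_ssi(payload), neutralise(payload))
    print(flag_log_lines(SAMPLE_LOG))
```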
• Level 10: This time Sam used a more temporary and "hidden" approach to authenticating users, but he didn't think about whether or not those users knew their way around JavaScript...
• Description: Manipulate cookies to gain unauthorized access.
• Severity: Low
• Evidence: Once the cookie’s value is changed from no to yes, pressing submit on the password form grants access.

• Exploit Details: By modifying the value of an authorization cookie from “no” to “yes” using JavaScript, I was able to bypass authentication and gain access to restricted areas of the application. This type of vulnerability highlights the risks of relying on client-side cookies for critical security decisions without validating them on the server side.
• Remediation: Use server-side validation for all authentication and authorization
processes, and ensure that cookies used for security purposes are encrypted and
cannot be easily manipulated.
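The server-side checks that Levels 4 and 10 lack, as an added example (not the site’s code): the recovery address is read from the server’s own user record and any address the form submits is ignored, and the authorization cookie carries an HMAC that the server recomputes, so flipping a value from “no” to “yes” or changing the user name breaks the signature. The user table, secret key and function names are assumptions.

```python
# Added example (not the report's code): server-side handling for the Level 4
# email field and the Level 10 authorization cookie. Names are assumptions.
import hmac
import hashlib

SERVER_SECRET = b"constructed-secret-rotate-me"   # never leaves the server
USERS = {"sam": {"email": "sam@example.org"}}      # constructed user record


# Level 4: the recovery address is looked up, not taken from the request
def recovery_address(form: dict) -> str:
    """Ignore any 'to' field the client sends; use the stored address."""
    user = USERS.get(form.get("user", ""))
    if user is None:
        raise LookupError("unknown user")
    return user["email"]


# Level 10: cookie = "<user>:<hex hmac>"; editing either half breaks the MAC
def issue_cookie(user: str) -> str:
    sig = hmac.new(SERVER_SECRET, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}:{sig}"


def is_authorised(cookie: str) -> bool:
    """Recompute the MAC for the claimed user; compare in constant time."""
    user, _, sig = cookie.partition(":")
    if not user or not sig:
        return False
    expected = hmac.new(SERVER_SECRET, user.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)


if __name__ == "__main__":
    # the attacker-supplied 'to' address is discarded
    print(recovery_address({"user": "sam", "to": "someone-else@example.net"}))
    good = issue_cookie("sam")
    print(is_authorised(good))                       # True
    print(is_authorised("yes"))                      # False: bare flag
    print(is_authorised(good.replace("sam", "admin")))  # False: MAC mismatch
```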
• Level 11: Sam decided to make a music site. Unfortunately he does not understand Apache. This mission is a bit harder than the other basics.
• Description: Bypass .htaccess restrictions to access a protected directory.
• Severity: Low
• Evidence:
I tried to visit https://www.hackthissite.org/missions/basic/11/. Yet what is shown is an Elton song; if I refresh the page, it keeps generating random Elton songs.

I tried to visit several links such as https://www.hackthissite.org/missions/basic/11/a/, https://www.hackthissite.org/missions/basic/11/b, https://www.hackthissite.org/missions/basic/11/c/ and so on. It did not work out, until I visited this: https://www.hackthissite.org/missions/basic/11/e/. Then I kept clicking whatever directories were available.
I appended .htaccess to the link to see if something came up.

I appended DaAnswer/ to the link as well, as shown in the image above.

It says that the answer is close. There is one more link I should have visited earlier, which is https://www.hackthissite.org/missions/basic/11/index.php
• By entering /11/index.php

• Exploit Details: This level involved navigating through directories based on clues provided in song lyrics and file names. By systematically altering the URL, I eventually located the .htaccess file, which contained instructions revealing a hidden file named “DaAnswer.” Accessing this file provided the password. This demonstrated the importance of properly securing .htaccess files and ensuring that sensitive files and directories are not exposed through misconfigurations.
• Remediation: Secure .htaccess files and ensure that hidden directories and files are properly protected by configuring directory permissions and access controls.
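An added configuration example for the Level 11 remediation (not the site’s own configuration): the two Apache 2.4 settings that stop .htaccess from being served over HTTP and stop the server from listing a directory’s contents when no index file is present. The directory path is an assumption; the Files rule is the one a stock httpd.conf already ships with, and the point is to keep it in place.

```apache
# Added example, not the report's configuration (Apache 2.4).
# Directory path is an assumption.
<Directory "/var/www/html/missions">
    # no auto-generated directory listings when index.php is absent,
    # so directory names and file names are not handed out for free
    Options -Indexes
</Directory>

# the stock httpd.conf rule that refuses to serve .htaccess and .htpasswd;
# do not override it in a more specific section
<Files ".ht*">
    Require all denied
</Files>
```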

Recommendations

General security improvements for the web application:


• Server-Side Validation: Always enforce input validation and business logic on the server
side. Do not rely solely on client-side checks.
• Encryption: Use strong encryption mechanisms to protect sensitive data, both at rest and in
transit. Avoid storing passwords and other sensitive information in plain text.
• Secure Coding Practices: Follow secure coding guidelines to prevent common
vulnerabilities such as SQL injection, XSS, and CSRF.
• Access Control: Implement proper authentication and authorization mechanisms to ensure
that only authorized users can access sensitive areas of the application.
• Session Management: Use secure session management practices, including the use of
secure and HTTPOnly cookies, and consider implementing multi-factor authentication
(MFA).

Resources used to pentest:


• How to View the HTML Source Code of a Web Page (computerhope.com) - Hint for Level
1, 2 & 3
• How to view source code – ViewSourcePage.com - Hint for Level 1, 2 & 3
• How to Edit Any Web Page in Chrome (or Any Browser) (howtogeek.com) - Hint for Level 4 & 5
• ASCII Table - ASCII Character Codes, HTML, Octal, Hex, Decimal - Hint for Level 6.
• Linux and Unix cal command tutorial with examples | George Ornbo (shapeshed.com) - Hint
for Level 7
• cal command in Linux with Examples - GeeksforGeeks - Hint for Level 7
• Linux Commands Cheat Sheet | Red Hat Developer - Hint for Level 7
• Server-Side Includes (SSI) Injection | OWASP Foundation - Hint for Level 8 & 9
• View, edit, and delete cookies - Chrome Developers - Hint for Level 10
• Apache HTTP Server Tutorial: .htaccess files - Apache HTTP Server Version 2.4 - Hint for
Level 11
These resources were provided by the Commonwealth Bank Intro to Cybersecurity Program.
