Wed, Jan 06, 21
Welcome back to my walkthrough of hackthissite.org’s CTF missions. I will be going through my thought process of how I solved these missions, and therefore also giving away the solutions. If you came across this to give you hints, watch out for spoilers! Good luck, have fun.
We have flown through the basic challenges that were given to us, but now we are presented with the final missions. We are given the preface that Sam decided to make a music site, but he doesn’t understand Apache.
From a quick look, the mission page seems like a very simple page, which when accessing says: ‘I love my music!’ followed by a random song beign the best. Inspecting the page shows that it is a simple webpage with a secret comment about having their own collection if you can find it. This comment tells us that our goal is to find this hidden music collection. Firstly, using chrome dev tools, I will record the GET request to the mission 11 page just to see what our request to fetch the page looks like. Nothing looks out of the ordinary. At this point I am stuck…there is no clear path here other than trying to find this hidden collection. A quick google search on ‘Apache hiding files’ shows that Apache uses a .htaccess file in order to hide files. This file is placed in the directory that you wish to hide the file. Well, lets see if this file is accessible over here. Sadly, there is no such file found in this directory.
Well reloading the page over and over again doesn’t lead anywhere; although, there is one thing in common between the pages, the songs are by Elton John. This gives us somewhere to start trying. The following list shows the different URL queries that I tried:
This last one ended up redirecting me to Apache’s directory listing for the directory …/e/! Ok, so I am getting somewhere. I see that we can further keep going down a directory chain, so I will follow it. Once we have arrived at the end of the chain, the directory seems to be empty. Well, I may as well see if this directory has a .htaccess file. It does!
This file tells me that Apache’s directory listing is ignoring some files: any file with the filename DaAnswer & the .htaccess file. This makes sense, since we couldn’t see the .htaccess file in this directory on the directory listing. It also allows any user to access the .htaccess file, which also makes sense as I was able to view it through the browser. Well, let us try and access this DaAnswer file that they are trying to hide.
This took me to another plain page, that says the answer is available! just look a little harder. Does this mean that the answer is ‘available’? Inspecting the page shows nothing hidden in any comments or any local scripts. Neither is there any special cookie added with this page. Reloading this page doesn’t change it’s contents either. So perhaps we’ve found the answer: available.
Now, what would I do with this answer? I know that in the previous challenges all the passwords were inputed in an index.php page on the basic/x/ directory. So perhaps this file does exist, but it was not our landing page into this mission. Going to this page did indeed present us with a form for the correct password. So, I will try our answer that we received.
In doing so, I have been redirected to a new page - styled in the classic hackthissite fashion - with a button saying ‘Go on’. I guess i should click it?
This has taken us to the missions page. Going back to the basic missions to check whether this mission was indeed completed confirms that that was indeed DaAnswer!