HackThisSite - Peace Poetry: HACKED
Description
Hello l33ts, I hope you are doing well. We will be doing Peace Poetry: HACKED from HackThisSite, the 3rd challenge of the realistic missions.
Solution
The challenge has the following message.
Let’s navigate to that page.
We can see what the hacker has posted on the page. Let’s check the source code.
At the bottom of the source code, we can see a comment from the hacker stating that the old website is still up, and that he copied the old index.html file to oldindex.html. Let’s add that file name to the URL: ‘https://www.hackthissite.org/missions/realistic/3/oldindex.html’
Great! This is the original page.
We can also see two sections. The first one is Read The Poetry, where we can read different poems. The other one is Submit Poetry, and it’s the one the hacker used to change the page.
The way this form works is that we specify a name for the poem and the poem itself. When we click the add poem button, the program creates a file, names it with the poem name we chose earlier, and writes the poem to that file. It looks something like this:
echo "The poem" > NameOfPoem
So if we choose a poem name and a file with the same name already exists, the content of that file is overwritten with what we put in the Poem field.
What the attacker did was set the name of the poem to ../index.html and submit the content he wanted to display as the poem. The program then replaced the content of index.html, which is one directory up (../):
echo "hacker" > ../index.html
To solve the challenge, we need to specify the name of the poem as ../index.html and put the source code of oldindex.html file as a poem so that we can restore the old page.
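From the defender's side, the flaw described above is a file write that trusts the poem name. The following is an added example, not part of the original write-up or of HackThisSite's code: a Python model of the handler next to a hardened version. The function names, the allow-list, the .txt suffix and the directory layout are assumptions made for illustration.

```python
import os
import re
import tempfile

# Allow-list for poem names (an assumption; the page does not give one).
SAFE_NAME = re.compile(r"[A-Za-z0-9 _-]{1,64}")

def save_poem_vulnerable(poems_dir, name, poem):
    """Models the behaviour described above: echo "poem" > name."""
    path = os.path.join(poems_dir, name)  # "../index.html" leaves poems_dir
    with open(path, "w") as fh:           # "w" truncates an existing file
        fh.write(poem)

def save_poem_hardened(poems_dir, name, poem):
    """Allow-list the name, check containment, refuse to overwrite."""
    if not SAFE_NAME.fullmatch(name):
        raise ValueError("poem name outside the allow-list")
    base = os.path.realpath(poems_dir)
    path = os.path.realpath(os.path.join(base, name + ".txt"))
    # Defence in depth: the resolved target must still be inside poems_dir.
    if os.path.commonpath([base, path]) != base:
        raise ValueError("resolved path escapes the poem directory")
    with open(path, "x") as fh:           # "x" raises if the file exists
        fh.write(poem)

def read(path):
    with open(path) as fh:
        return fh.read()

def demo():
    """Run both handlers on a constructed site layout in a temp directory."""
    out = {"results": []}
    with tempfile.TemporaryDirectory() as site:
        poems, index = os.path.join(site, "poems"), os.path.join(site, "index.html")
        os.mkdir(poems)
        save_poem_vulnerable(site, "index.html", "original page")  # seed the page
        save_poem_vulnerable(poems, "../index.html", "hacker")
        out["vulnerable"] = read(index)          # page was replaced
        save_poem_vulnerable(site, "index.html", "original page")  # reset the page
        for name in ("../index.html", "peace", "peace"):
            try:
                save_poem_hardened(poems, name, "hacker")
                out["results"].append("written")
            except (ValueError, FileExistsError) as exc:
                out["results"].append(type(exc).__name__)
        out["hardened"] = read(index)            # page is untouched
    return out

if __name__ == "__main__":
    print(demo())
```

The hardened handler closes both issues the write-up relies on: a name cannot point outside the poem directory, and a second submission with an existing name cannot replace the first.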
Thank you for taking the time to read my write-up, I hope you have learned something from this. If you have any questions or comments, please feel free to reach out to me. See you in the next hack :).