Hackthissite Basic (1)

This level is what HTS calls "The Idiot Test", if you can't complete it, don't give up on learning all you can, what you don't want to do is go begging to someone else for the answer, thats one way to get people to tell you to get lost! But here at idletester.com we are here to help you so have fun learning!

Hackthissite Basic (2)

This is a very simple level. Don't go looking for a user browser called "Secure browser" or a "secure_user_agent" I've changed my actual user agent in the browser settings. Depending on the browser you are using will depend where your User Agent is stored. (check out User Agent in Google) you will find out all you need to know there.

Hackthissite Basic (3)

Here we go again. This time Network Security Sam remembered to upload the password file, (well done Sam) but there's a bit deeper a problem than that. OK! As always, check the source code. So have a look at the source.

Hackthissite Basic (4)

In the fourth basic web mission, Network Security Sam apparently hasn’t learnt anything from his prior mistake. In the third basic web mission, we extracted information from hidden form fields and thereby found out the name of a password file. The procedure is essentially the same in this mission.

Hackthissite Basic (5)

This is the fifth basic web mission, and Network Security Sam apparently “secured” his email script. After a quick look at the source code, we see that the code visible to us is exactly the same as in the last mission.

Hackthissite Basic (6)

By looking at the source code, we can only see the two forms. Nothing interesting. The next step is to try out the password encryption form. Type anything, and you can see that it does work. It shows you the encrypted string. Logically, the task is simply to construct a string that is encrypted to the code you were given.

Hackthissite Basic (7)

HTS Basic Web 7: cal call unrelated? Level 7 is a very easy level, if you are a Linux user. We don’t even have to check the source. The HackThisSite.org crew is kind enough to tell us where the password is: in an obscurely named file, saved in the current working directory. Now, we only need to come up with a way to get a directory listing. This is when a very useful and frequently used UNIX command should come to mind — ls. From the ls man page:

Hackthissite Basic (8)

HTS Basic Web 8: Evil SSI Network Security Sam never seems to learn from his mistakes. In mission 8 of the basic web missions, Sam has done the exact same mistake as in mission 7: he practices security through obscurity. This is never a good idea. This time, he saved an unencrypted password file somewhere in /var/www/hackthissite.org/html/missions/basic/8/. Last time, we used Sam’s insecure cal script. This time, his daughter Stephanie has put up a handy script for us.

Hackthissite Basic (9)

HTS Basic Web 9: Directory Transversal Basic Web mission 9 is so easy, it is barely worth a post of its own. The only thing that might be difficult is realizing that you should find a vulnerability in the eigth mission — however, that problem exists only if you attempt to solve mission 9 without looking or without reading the instructions.

Hackthissite Basic (10)

Network Security Sam has decided to hardcode the password into the script. He also started to use cookies to detect if the user is authorized to advance to the next level. When you enter the correct password, it sets you to authorized, and if you enter an incorrect password, it sets you to unauthorize

Hackthissite Basic (11)

HTS Basic (11) Sam decided to make a music site. Unfortunately he does not understand Apache. This mission is a bit harder than the other basics. Common Apache Misconfigurations

1.Name Based Virtual Host
2.Not matching the value of NameVirtualHost with a corresponding block.
3.Not setting a ServerName in a virtual host.
4.Mixing non-port and port name based virtual hosts.
5.Using the same Listen and/or NameVirtualHost multiple times.
Multiple SSL name based virtual hosts on the same interface.


1.Adding/Restricting access and options in
2.Changing the DocumentRoot value without updating the old DocumentRoot's block
3.Trying to set directory and index options in a script aliased directory.