Thursday, May 17, 2012

Javascript Challenges !ALL!




website security All Javascript challenges. May find spoilers. UPDATED as of February 16, 2010!



HTML stands for Hypertext Markup Language. It's used to make web pages. Javascript is a scripting language. It is added to web pages to make them more dynamic and interactive. That being said, if you don't know any HTML, go to http://www.w3schools.com and don't come back until you learn HTML.
If you're still reading, javascript is the next step. If you don't know any, again, go to http://www.w3schools.com and learn javascript. Really, the challenges are a breeze if you learn both of these languages. They're not difficult and can be used for many purposes.
If you're STILL reading, you know both HTML and javascript. Let's begin.


###Javascript 1###
Open up the source. If it says you can't view the source, get creative and try to find other ways to view it. When you get tired trying, see below.

You can do a few things to see the source:
1. View --> Source.
2. Find the keyboard shortcut for viewing source (e.g. in Firefox it's Ctrl+U).
3. Go back to the main challenges page, right click on the link for this challenge and save the page, go to where you saved it, and open it up in notepad.

Next, to find the code we need. Try first by yourself. If you can't find it, look below.

You can do Ctrl+F and then type in "Level 1". This should take you close to where the code is (look under it).

Now, once you see the code, examine it. Still bummed? Look below.

The first part of the code is for detecting right clicks. This you don't need. Look under that and you should see something checking user input. If you can see what it wants, you can give it what it wants. Can't say much more than that.

###Javascript 2###
This challenge makes it harder to view the source by redirecting you. However, it's not a fast redirection. Try to view the source. If you can't, see below.

Any of the methods for viewing source described under Javascript 1 work (some need to be used quickly). You can also press Escape and then right click-->View Source.

So now you have the source and the part that deals with the challenge. But you see no actual javascript code, just a script tag. What to do? Well, to make it easier on developers, javascript can have include files. If many pages use one script, it's easier to update that script if you have it in one place than if you have it in many places or pages. So an include links to the file with the source code. Go to it and you should have no problems.

###Javascript 3###
Pop open the source, go to the code for this level. Let's begin.

Now's as good a time as any to learn about javascript injections. So what are they? Javascript injections are really simple, actually. It's just code that is run through your address bar. Just like you can go to http://www.google.com, you can use javascript:alert(1)
So let's break it down. First, you have javascript, which tells the browser you're executing javascript. Then a colon, which precedes the commands. Then you have your commands. alert is one of the most useful commands; it makes a small popup box that says what we want it to say. Try it out on your own browser. Small challenge: Make a javascript injection which will make a popup with your name. When done, look below.

For me, the code is javascript:alert('Michael')
For further reading on javascript injections, see http://www.hackthissite.org/articles/read/405. (btw, if you have multiple commands, they must be separated by semicolons, such as alert('hi');alert('bye'))

Now that we've got javascript injections down, we can use some in this challenge. But before we do that, we need to look at the source. We see some weird stuff in the script tags. Look it up, and if you can't find anything, come back here and look below. Hint: look up escape and unescape as they apply to javascript.

Mkay. Escape is a javascript function which encodes characters that are not letters or numbers. For example, This is escaped! becomes This%20is%20escaped%21 . To get a feel for the function, try a javascript injection which alerts an escaped sentence. If bummed, look below.

javascript:alert(escape('This sentence will be escaped'))
The above injection should give us an escaped string. Ok, so we know how to make the text more difficult to read with escape. I wonder what can reverse the escape function. That's right! Unescape! Try unescape out for yourself. Try unescaping this string (if you can't, keep reading):
%21%7E%u263CI%20like%20the%20wave%u263C%7E%21

Here is what you would need:
javascript:alert(unescape('%21%7E%u263CI%20like%20the%20wave%u263C%7E%21'))
which would translate to !~☼I like the wave☼~!
So now, back to the source. You see the variable which is escaped. Time to make it unescaped. If you can't manage, see small hint below.

To use a variable in a function, use function(variable) without quotes. For a further hint, see below.

You can use 2 functions like this:
function(function(variable))

I can't give any more away. Once you have the decrypted source, look at it and you should find what you're looking for.
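
The escape/unescape behaviour described above, as an added example that is not part of the original article or the challenge's code: a static decoder that handles the legacy %uXXXX form and peels nested layers without ever evaluating the result. The function names and the double-escaped sample are assumptions made for illustration.

```javascript
// Static decoder for legacy escape() output. It only transforms text;
// nothing that is decoded is ever executed.
function legacyUnescape(s) {
  // %uXXXX is a UTF-16 code unit, %XX is a single byte value.
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g, (match, unit, byte) =>
    String.fromCharCode(parseInt(unit || byte, 16)));
}

// Same idea as unescape(unescape(x)): decode repeatedly until the text
// stops changing, keeping every intermediate layer for inspection.
function peelLayers(s, maxLayers = 5) {
  const layers = [s];
  for (let i = 0; i < maxLayers; i++) {
    const current = layers[layers.length - 1];
    const next = legacyUnescape(current);
    if (next === current) break; // fully decoded
    layers.push(next);
  }
  return layers;
}

// decodeURIComponent() does not understand %uXXXX and throws on it,
// which is why the legacy form needs its own decoder.
function modernDecoderRejects(s) {
  try {
    decodeURIComponent(s);
    return false;
  } catch (err) {
    return err instanceof URIError;
  }
}

// The article's test string, plus a constructed sample that escapes it twice.
const pageSample = '%21%7E%u263CI%20like%20the%20wave%u263C%7E%21';
const doubleEscaped = pageSample.replace(/%/g, '%25');

for (const [i, layer] of peelLayers(doubleEscaped).entries()) {
  console.log(`layer ${i}: ${layer}`);
}
```
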

A note on javascript injections: Learn them, love them, use them. Extremely useful. Especially so when the server checks the referrer (what webpage you arrive from). If this is the case, you can't save the page on your computer and send your own info from there. That's when we use javascript injections.

###Javascript 4###
First, press the button. Look at the URL of the page it takes you to. Theoretically, for this challenge, the page should output the value of the submit GET variable, but it doesn't. Let's assume that whatever you have in the submit value is outputted. Our goal is to see the cookie. How do we see cookies in javascript? Look up cookies in javascript, and you'll find the variable that stores them. After you have truly looked, but not found, look below.

This variable holds the cookie:
document.cookie

So now, what you would like to do is to view it. What function is one of the most useful for viewing variables? That's right, alert. So you would think first to use the javascript injection I described in the part about javascript 3. Go ahead, try it. When you get the results and mull over them, look underneath.

Ok, so maybe I led you to a stray point, but this introduces a concept: you must try everything to your knowledge, sometimes being successful, sometimes not, before you find a vulnerability. When you saw your cookie, you saw nothing interesting. Correct. That's the wrong place. And again, this is because of the flaw in the challenge that it doesn't perfectly mimic a real-world situation.
But anyway, to continue. If a javascript injection didn't work, we need to slip our javascript elsewhere to make it execute. I mentioned how the submit variable in your URL should be shown on the webpage. Well, what can we put on the web page to execute a script? In other words, when you put javascript on a page, what script (hint) would you use? If stumped, see below.

You would use the script tag. So now we know that we need to use the script tag. What else could we use? Maybe a part of the javascript injection we tried earlier? The part about showing the cookie? Yeah, that one.

If you are REALLY stumped and you've tried at least 3 different approaches and still can't get it, read the article below.

http://www.securiteam.com/securitynews/5CP052A8AU.html
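
The reflection this challenge assumes (the submit GET value written into the page) shown beside its fix, as an added example that is not the challenge's code or part of the original article. The page template, function names and sample query are assumptions; the cookie helper shows the HttpOnly attribute that keeps a session cookie out of document.cookie.

```javascript
// Vulnerable form: the `submit` value is concatenated into the page as markup,
// so any tag in the URL becomes part of the document.
function renderVulnerable(query) {
  const value = new URLSearchParams(query).get('submit') || '';
  return '<p>You submitted: ' + value + '</p>';
}

// Hardened form: encode the five characters that are significant in HTML
// before the value reaches the page, so it is displayed as text only.
const HTML_ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

function renderHardened(query) {
  const value = new URLSearchParams(query).get('submit') || '';
  return '<p>You submitted: ' + escapeHtml(value) + '</p>';
}

// Second layer: a cookie set with HttpOnly is not exposed to page script,
// so a missed encoding bug cannot read it through document.cookie.
function sessionCookieHeader(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Constructed sample query string carrying a script tag in `submit`.
const sampleQuery = 'submit=' + encodeURIComponent('<script>alert(1)</script>');

console.log(renderVulnerable(sampleQuery)); // tag survives as markup
console.log(renderHardened(sampleQuery));   // tag is shown as inert text
console.log(sessionCookieHeader('sid', 'constructed-session-id'));
```
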

###Javascript 5###
This is essentially javascript 2 with a touch of javascript injection.

The part that's similar to javascript 2 is the included javascript source file. The description on how to get past that is in the part about javascript 2.

The part that requires javascript injection is a little more complicated to explain. Once you see the javascript source, you would figure that it's pretty self-explanatory and that all the script does is take the year, do a computation with it, and check whether the result of this computation is what you give as the password (btw, the prompt function is similar to alert, but instead it asks you a question and lets you answer it, sorta like a normal input box in a form). Anyway, re-read the previous sentence, because you probably got side-tracked by the description of prompt. So, you'd think that's what the script does, and that the year will be the current year either in 4-digit format (as in 2009) or 2-digit format (as in 09). Well, if you use that as the year, you find out you're wrong. So maybe the variable has a different value? How do we check the value? I suggest going back to the javascript 5 challenge page and trying to get alerted (hint) of the year. Once you have the year, you're set. Do the computation and you're done.

###Javascript 6###
A very simple challenge. Merely look at the source and it tells you what you need. It tries to confuse you by giving 2 different values to the Location variable, but remember that if I do
a=10;
a=89;
that a will in the end just be 89, or its last assigned value. So yeah, all you need is there.

###Javascript 7###
This challenge is similar to javascript 2. By that I mean that it does a redirect. Of course, you can beat it by any of the methods described in javascript 2. So now that you have the source, you try to understand the code. Try out a few things that come to mind. If you are stumped, see below.

Being stumped is a very natural consequence of looking at the code. You can't see the definition of a variable the source uses. Well, to find it, either look very well and everywhere (hint) or save the source and open it with Notepad with word wrap enabled.

Once you see the variable, how do we find out the value? The familiar function we've used in previous challenges is an obvious answer. However, careful. If you edit the source of the file you saved and make it alert the value.. well, try it. You see the value and you think great! But refresh that page. You see the value changes.

Now let's think this through: maybe your page will change, but can hbh's page change? That would mean they have an indefinite number of completion pages. So it's constant. All you have to do now is come up with a javascript injection to use on the hbh page. To do that, you will need to redefine the variables in your injection. And then alert the last one.
For example:
if variables used are a,b,c, and d, which are defined in the source, you would need to give values to a,b,c and d in your injection again. As in:
source:
a=4;
b=5;
c=2;
d=8;
your injection:
javascript:a=4;b=5;c=2;d=8;
Also, after the variable declarations in the injection you will also need to alert the right variable. Once you have your injection cooked up, you will need to use it on the challenge 7 page (you somehow have to stop the page). If you don't know how to stop it, see below.

The csE button (read that backward). So after that you just inject and enjoy points :)

###Javascript 8###
This challenge is quite messed up. You'll see why. Pop open the code and check out the javascript. You see the cookie is an encrypted string. I can't tell you what type of encryption it is, but use the link below and try a few:
http://www.yellowpipe.com/yis/tools/encrypter/index.php
Note: not all decryption websites will work for this challenge.
When you get the decrypted secret, it will begin with a box and a weird Y. I know, it's weird, but now you have to put that thing that you got back somewhere. Hey, what box is staring right at us on the challenge page?
After you do that, you are taken to another page that looks exactly like this one, but in the source you have a new secret. What to do with that secret? Well, if you already passed the unescape mission, you can unescape it. But you see an odd resemblance. What if we then just take this encoded new secret and do the same thing we did to the old unencrypted secret?

###Javascript 9###
Great. A timer. That's a long while to wait. Pop open the source, check out what variable handles the seconds. What value does it have to be for you to get the pass? Well, use a javascript injection to make it that value. Hint: if you do javascript:variable=number; you will be redirected. Use void() when just defining variables, like so:
javascript:void(variable=number);

###Javascript 10###
In the source you see a function which checks if your input matches a constant variable. Well, the problem with just using an injection to output the value of asdf is that the variable is a local variable. Any variable declared in a function is local to the function. Using javascript:alert(asdf) will not work. Well, we can either save the code on our pc then change the code to remove the function and add an alert, OR, we can use a long javascript injection of the type described in javascript 7. We need to re-declare all variables we would need to get asdf and we would finally need to alert it. Do either of those and you're good.

###Javascript 11###
A quick explanation why this challenge is easier than javascript 10. In javascript 10, the variable we want, asdf, is in a function. That means we can't use a simple javascript:alert(variable) to get it. In this one, it's not in a function. AHEM. Now use some logic...

###Javascript 12###
Sigh, same thing as challenge 10. Since abc, the variable we want, is in a function, either save it and edit it, or use a super long injection.

###Javascript 13###
By now we've seen enough attempts to stop us from hacking the javascript that a mere written warning does nothing to intimidate us.
Let me tell you this: usually authorization happens with cookies.
In javascript 4 I mentioned what variable holds cookie info. Well, use a javascript injection to change that to whatever value you want. Then refresh. Good job. For further reading I highly recommend:
http://www.hackthissite.org/articles/read/405

###Javascript 14###
It's pretty obvious what the challenge does just by looking at the code. I don't know of any easy ways to change the screen width, so we'll just have to settle on looking at what would happen if we DID have the right screen width. Oh, THAT's where we would have gone! Well, let's take a direct flight to there.

###Javascript 15###
This challenge is by no means difficult, just quite tedious. Pop open the source. Check out the functions they use. Let's learn about charAt(). Assume the following script:
string='hate pork';
alert(string.charAt(1));
We would get a popup saying a. This is because it considers 0 the first letter, so using charAt(0) would give you h.

Now, the script is basically saying if you hook a bunch of variables together and they match the riddle, you may pass. These variables are each derived by taking a distinct character from your input. The problem is, the variables are all out of whack (order), so you need to put them in order. I suggest making a table like this on paper:
|0|1|2|
_______
|s|y|s|

where the number is the value of charAt and the letters are the right letters when you take them out of the "query test mess". For a large hint, look below.

You look at the order in which variables, a, b, c, etc, are taken, then you check the charAt and find it in the query test mess.

###Javascript 16###
I've got to say, I have not solved this challenge myself, but I know in theory what it takes to solve it.
What the challenge does is take your input, do some semi-complex calculations on it, and check the result against a static number. If the answer of the calculations matches, you win. Well, since there are a few variables in the equation, we can't reverse the equations. We are left with creating a bruteforcer that tries strings, uses the same formula, and checks it against the number. It would start with a, go to b, c, and after a while aa, ab, ac, then aaa, etc. And please, make your script client side. Don't connect to HBH for each try.
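
The enumeration order described above (a, b, c, ... aa, ab, ac, ... aaa), as an added example that is not part of the original article. It runs entirely offline and shows why a numeric check done in the browser is weak: several inputs map to the same number. toyChecksum is a hypothetical stand-in, not the challenge's formula, and the alphabet and target are constructed.

```javascript
// Hypothetical stand-in for "some semi-complex calculations":
// a position-weighted sum of character codes. NOT the HBH formula.
function toyChecksum(s) {
  let total = 0;
  for (let i = 0; i < s.length; i++) {
    total += s.charCodeAt(i) * (i + 1);
  }
  return total;
}

// Generates every string over `alphabet` from length 1 up to maxLen,
// shortest first, in odometer order: a, b, c, aa, ab, ac, ba, ...
function* candidates(alphabet, maxLen) {
  for (let len = 1; len <= maxLen; len++) {
    const idx = new Array(len).fill(0);
    while (true) {
      yield idx.map((i) => alphabet[i]).join('');
      // Advance the rightmost position, carrying to the left on overflow.
      let pos = len - 1;
      while (pos >= 0 && ++idx[pos] === alphabet.length) {
        idx[pos] = 0;
        pos--;
      }
      if (pos < 0) break; // every position wrapped: this length is exhausted
    }
  }
}

// Collects every candidate whose checksum equals the target. No network
// access is involved; the formula is applied locally to each string.
function findMatches(target, alphabet, maxLen) {
  const hits = [];
  for (const candidate of candidates(alphabet, maxLen)) {
    if (toyChecksum(candidate) === target) hits.push(candidate);
  }
  return hits;
}

// Constructed demo: a three-letter alphabet and the checksum of "ab".
const demoTarget = toyChecksum('ab');
console.log([...candidates('abc', 2)].join(' '));
console.log(findMatches(demoTarget, 'abc', 2)); // more than one input matches
```
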

###############
I'd be delighted to help with any additional questions, just PM me. If you think I can improve this article, please PM me. Cheers!

Comments

the_flash on May 06 2006 - 01:13:09
Good effort. Top article
ImperfectTruth on May 08 2006 - 05:51:29
Great article. I owe a good number of points to your help!
Jimstr on March 22 2008 - 14:07:47
I looked over this for Java 12, but while reading the other java tuts... I can't begin to see how this would help any newcomer. You write too open-endedly
ranma on May 02 2008 - 00:43:39
I am changing it right now to give better help. Please add any more comments.
© HellBound Hackers 2008- 2009. Since 3rd December 2004.