Donate to us via Paypal!
Never in the field of human conflict was so much owed by so many to so few. - Winston Churchill
Saturday, August 15, 2020
 Need Help?
Members Online
Total Online: 168
Guests Online: 167
Members Online: 1

Registered Members: 127570
Newest Member: DanielJuddy
Latest Articles

Basic Web Hacking *ALL*

Arrow Image A good place to start. Simple instructions for every challenge. *VERY MINOR spoilers*

NOTE: While doing HBH challenges, I have come to realize that Firefox is the best browser to use. You can get it at

This is what is sometimes referred to as "the idiot test". If you have no idea what to do, you should look up what 'source code' is on google. If you do know what source code is...

It's asking for the source of the IFRAME.
is a good place to check out what IFRAMEs are and how they work. Then find the source and paste it into the textbox and submit.

This challenge is very easy to do if you have Firefox. You should search for 'firefox', 'user' and 'agent' in google (without quotes). Follow the instructions on changing user agents to pass this level.

Read the error. If the password file isn't in the directory 'basic4', then it might be a good idea to check other directories...
NOTE: the password is case sensitive.

Read the source code. Note:
* the format of an email address
* the format to enter the password
* ONE wildcard is sufficient for ""
In my opinion this challenge wasn't a very good one.

A VERY tricky challenge, because you have to get the syntax exactly the same as the solution. First, you should familiarize yourself with the commands CHMOD and RM (in LOWERCASE). Next, find the directory where the 'logs.txt' file is kept. This should be pretty obvious... where would you keep logs? Lastly, the way to write 'all+execute' is 'a+x' (without quotes).

Now you have to CHMOD the 'logs.txt' file to 'all+execute', RM the 'logs.txt' file and RM the other log file that you will find. Don't forget the dollar sign, and you MUST put a space after the dollar sign before you put the command.

For this challenge, you need to know about how to do simple javascript injections to find your cookies and how to change them. Once you've located the username you need, submit it in the form. Oooops! You're not authenticated! How do you get authenticated? Remember the intro talking about ASCII encryption? What it means is that it checks the username you enter against a cookie which contains the (binary) encrypted form of the username. I recommend
Once you've converted the username into binary, change the username cookie into binary form (without spaces). Refresh the page.

Now you have to get past a SECOND form. But, remember how the intro said this form was vulnerable to SQL injection? Look this up (there are some good articles on HBH) and type in the injection. More points!

It's always good to try some random text as a password. Who knows, you might randomly guess the correct password! But you should always check the source, even for the most unlikely pages such as the one that tells you you've got a wrong password...

See the commented tag? It shows how you can input a GET variable into the PHP script. Google this if you don't understand what I'm talking about. Now, you want to find what the database contains, so instead of just trying to find rows WHERE password='xxx', use a more general statement...

You should have a good understading of how the Posion NULL Byte attack works. Google this to see what it is, but I'll try to explain what it does. Basically, it tricks the script into thinking it's the end of a command. In this case, try looking for where the login script is and append a NULL byte on the end. This takes you to the next stage where you can read the PHP script to find what username and password you'll need.

You'll need to be able to change your IP, and I think you'll have to use a proxy. My IP was already in one of the allowed ranges so I didn't have to do much for this challenge. If you're lucky, you won't have to either. Just click the link to test whether you need to change your IP or not.

Go back and see what you did for Basic 3. This time, howver, you'll also need to change the OS specified in the user agent string as well. Wikipedia has a good article on user agents plus lots of examples as well.

For this challenge, you might need to disable any worm detection programs such as Norton Antivirus, as attempts to view .htaccess files may be detected as worm attacks (even though they are not). On the main page, look at the address. Try inputting different directories into the variable 'page' and see what you can find. It may pay off to search how Linux checks passwords. Also, bear in mind that "/protected/xxx" is different from "protected/xxx". After finding the password hash, you'll need to break the encryption using a brute-force cracker. I recommend 'John The Ripper' with the 'Cain and Abel' wordlist.

It's as simple as it says. Log in as George! But you can't change the script using javascript injection this time because the <option> tags don't have a name. How else can you change the contents of a file? (ctrl+s may be helpful =D)

One of the simplest challenges. Remember what you did in Basic 1?


You can try the injection you used at Basic 7. Whooops! It doesn't work! Look up other forms of SQL injection and try those...

Well, there's my first article finished. Please rate fairly, and tell me any corrections I should make.


mozzeron June 07 2006 - 17:12:57
Not bad, mabye a few too many spoilers but in the main, good
-The_Flash-on June 07 2006 - 18:15:32
Well written. Except it's allready been written. Not many challenges need articles anymore. Still, good work
Elitest_00on June 07 2006 - 19:02:32
Good job...
6340on June 08 2006 - 01:34:11
lol yeah good article... @flash: all the challenges i need help with don't have articles:/ lol...anywho, yeah good article...
godon June 08 2006 - 14:04:05
ermmm nice article but basic 15 is kinda really really spoiled... no ?
phoenix121on June 10 2006 - 21:03:54
ok, thanks for the tips. i'll bear them in mind. please vote ^^
intersliceon June 13 2006 - 23:15:52
i thought u could change the form value with javascript... thats wat all the other articles said.something about layers i think
DotHacker0on August 08 2006 - 19:47:18
where should i familiarize myself with 'chmod' and 'rm'?
serveoif2on February 02 2007 - 00:31:23
Good job
devilred101on February 24 2007 - 08:24:40
6 isn't explained well enough, nor are most of them
Spiritus55on April 07 2007 - 22:06:06
Any body send me some help on 5? I know what to put in, just not the format. It's nothing in the usernamePfftassword submit (right?) and you put in *@*:*
raizondudeon April 12 2007 - 14:19:14
On basic 16, the same sql command DID work. Is it bugged? But then again, I didn't have to type anything in the box on b7 to complete it!
K-eNtiNon May 06 2007 - 15:13:19
Awesome man thank you!
Sic Re Mortemon May 06 2007 - 21:07:01
hm.... now we need to have an article for the remaining 6 challenges...
x-xon May 09 2007 - 21:04:24
Grin great article v helpful no spoilers lolGrin
XL_Bishopon November 04 2007 - 04:13:55
Very nice article, gives a helping hand, not a helping shoveGrin
COD3on March 03 2008 - 17:21:51
good article helped me out Smile
AMZ19on February 04 2009 - 07:20:53
So am I missing something way too obvious on b9? I can see the username but there doesn't seem to be any password info. is this one bugged or something?
newbeeon December 29 2011 - 07:19:21
you can change the values of the form in b13 using javascript injection. like this :- javascript:void(document.forms[form no.].elements[element no.].options[option no.].value="New Value"Wink;Smile
bahpomet1105on December 03 2015 - 01:56:58
I'm having a problem with 7 my cookies don't show in development options. I'm going to try the javascript injection method next
Post Comment


You must have completed the challenge Basic 1 and have 100 points or more, to be able to post.