Back to list
CTFVery Easy

HackThisSite — Basic Mission 2

Ducky
2026-05-19
9 views
1 min read

HackThisSite — Basic Mission 2

Vulnerability

Missing password file — no comparison possible.

Analysis

The script loads the password from an external .txt file, then compares it to whatever the user submits.

Sam never uploaded that file.

When the file is missing, the script has nothing to compare against — so submitting an empty string passes the check by default.

Exploit

  1. Leave the password field blank
  2. Hit Submit

That's it.

Root Cause

No null/empty check on the loaded password value. Missing file → empty/null comparison → blank input matches.

Key Takeaway

Always validate that required files and secrets actually exist before running comparison logic. A missing file should trigger an error, not a silent pass.

Tags

#hackthissite#basic mission 2#/missions/basic/2/

Keep Reading

Related writeups

CTFVery Easy

HackThisSite — Basic Mission 11

Apache directory listing is enabled and `.htaccess` is publicly readable — fuzzing reveals the hidden directory structure and leaks the password filename.

#hackthissite#Basic Mission 11#basic-mission-11
2026-05-19
ducky
26
2m
CTFVery Easy

HackThisSite — Basic Mission 10

Authorization is stored in a client-side cookie as `level10_authorized=no` — changing it to `yes` grants instant access.

#hackthissite#Basic Mission 10#basic-mission-10
2026-05-19
ducky
23
1m
CTFVery Easy

HackThisSite — Basic Mission 9

No injection point in Level 9 itself — reuse Basic 8's SSI vulnerability with a traversal path pointing to Level 9's directory to expose the hidden password file.

#hackthissite#Basic Mission 9#basic-mission-9
2026-05-19
ducky
17
1m