CTF · Very Easy

HackThisSite — Basic Mission 3

ducky
2026-05-19

What Happened

A hidden <input> in the form reveals exactly where the password is stored:

Navigating directly to https://www.hackthissite.org/missions/basic/3/password.php returns the plaintext password: 97c22eaa


Root Cause

Two mistakes combined:

  1. Hidden inputs are not secret — view source exposes them instantly
  2. Password file is publicly accessible — no access control on the file path

Key Takeaway

"Hidden" in HTML means hidden from the UI, not from the user. Sensitive files must be protected server-side — never referenced directly from client-side code.
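
One way to catch both mistakes before deployment, as an added example that is not part of the original writeup: a Python check that flags hidden inputs whose value looks like a file name and reports whether that file resolves to a path the web server hands out. The form markup, field names, extension list and served-path set are constructed for illustration and are not the mission's own markup.

```python
# Added example (not from the original writeup): pre-deploy template audit.
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumption: values ending in these extensions are treated as file references.
FILE_LIKE = re.compile(r"[\w./-]+\.(php|txt|ini|conf|bak|inc|db|sqlite)$", re.I)


class HiddenInputAudit(HTMLParser):
    """Collect (name, value) for each hidden <input> whose value looks like a file."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "input" and a.get("type", "").lower() == "hidden":
            if FILE_LIKE.search(a.get("value", "")):
                self.hits.append((a.get("name", ""), a["value"]))


def audit(html, page_url, served_paths):
    """Return findings; 'public' is True when the referenced file resolves
    to a path the web server serves without access control."""
    parser = HiddenInputAudit()
    parser.feed(html)
    findings = []
    for name, value in parser.hits:
        resolved = urlparse(urljoin(page_url, value)).path
        findings.append({"field": name, "value": value,
                         "resolved": resolved, "public": resolved in served_paths})
    return findings


# Constructed sample input: hypothetical form and docroot listing.
SAMPLE_FORM = """
<form action="/app/login/index.php" method="post">
  <input type="hidden" name="store" value="secret.php">
  <input type="hidden" name="csrf" value="b1946ac92492d234">
  <input type="password" name="password">
</form>
"""
SAMPLE_SERVED = {"/app/login/index.php", "/app/login/secret.php"}

if __name__ == "__main__":
    for finding in audit(SAMPLE_FORM, "https://example.test/app/login/", SAMPLE_SERVED):
        print(finding)
```

A finding with `public` set to True corresponds to both root causes at once: the form names the file, and the server serves it to anyone who asks.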
