CTF · Very Easy

HackThisSite — Basic Mission 4

ducky
2026-05-19

What Happened

Inspecting the form reveals a hidden input named "to", prefilled with sam@hackthissite.org.

The script blindly emails the password to whatever address is in this field, so any value the browser submits becomes the recipient.


Exploit

  1. Open DevTools → Inspector
  2. Find the hidden input named "to"
  3. Change its value from sam@hackthissite.org to your HTS registered email
  4. Click "Send password to Sam"
  5. Check your HTS inbox — the password arrives in the message

Root Cause

The email recipient is controlled entirely by the client via a hidden input. The server never validates or restricts who it sends to.


Key Takeaway

Never trust client-supplied form values for sensitive operations. The recipient of a password email must be hardcoded or validated server-side — never sourced from user-controllable input.
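To make the exploit steps and the fix concrete, here is an added toy model of the mission (example code, not HackThisSite's own PHP): a constructed form with the hidden "to" field, a parser that finds hidden inputs the way the Inspector shows them, a tampering step, a handler that trusts the client-supplied recipient, and a hardened handler that checks the recipient against the account's address stored server-side. The form markup, the account table, the password value and the mail sink are all assumptions made for the example.

```python
"""Toy model of HackThisSite Basic 4: hidden recipient field, a handler that
trusts it, and a hardened one that does not. Added example; all markup,
addresses and secrets are constructed stand-ins, not the mission's real data."""
from dataclasses import dataclass, field
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode

# Constructed approximation of the mission form (the real markup may differ).
FORM_HTML = """
<form action="/missions/basic/4/level4.php" method="post">
  <input type="hidden" name="to" value="sam@hackthissite.org">
  <input type="submit" value="Send password to Sam">
</form>
"""

# Server-side state the hardened handler trusts instead of the request.
ACCOUNTS = {"sam": "sam@hackthissite.org"}   # constructed
PASSWORD = "hunter2"                           # stand-in, not the mission password


@dataclass
class Outbox:
    """Captures 'sent' mail instead of talking to a real mail server."""
    sent: list = field(default_factory=list)

    def send(self, to, body):
        self.sent.append((to, body))


class HiddenFieldFinder(HTMLParser):
    """Collects hidden <input> name/value pairs, as DevTools' Inspector shows them."""
    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("type") == "hidden":
            self.fields[a.get("name")] = a.get("value")


def hidden_fields(html):
    """Step 1-2 of the exploit: find the hidden inputs in the form."""
    parser = HiddenFieldFinder()
    parser.feed(html)
    return parser.fields


def tamper(fields, name, new_value):
    """Step 3 of the exploit: edit a hidden field before submitting."""
    return {**fields, name: new_value}


def submit(fields):
    """Step 4: encode the (possibly tampered) form as the POST body."""
    return urlencode(fields)


def vulnerable_handler(post_body, outbox):
    """Mirrors the mission: the recipient is taken straight from the request."""
    form = {k: v[0] for k, v in parse_qs(post_body).items()}
    outbox.send(form["to"], f"Your password is {PASSWORD}")
    return "Password sent"


def hardened_handler(post_body, outbox, account="sam"):
    """Recipient is validated against server-side state; a mismatch is rejected.
    Hardcoding the address and ignoring 'to' entirely would be equally valid."""
    form = {k: v[0] for k, v in parse_qs(post_body).items()}
    expected = ACCOUNTS[account]
    if form.get("to") != expected:
        return "Rejected: recipient is not client-controlled"  # worth logging
    outbox.send(expected, f"Your password is {PASSWORD}")
    return "Password sent"


def run_attack(handler, attacker_email="attacker@example.com"):
    """Full flow: inspect the form, rewrite 'to', submit to the given handler.
    Returns the handler's status and the list of addresses that got mail."""
    outbox = Outbox()
    fields = tamper(hidden_fields(FORM_HTML), "to", attacker_email)
    status = handler(submit(fields), outbox)
    return status, [to for to, _ in outbox.sent]


if __name__ == "__main__":
    print("vulnerable:", run_attack(vulnerable_handler))
    print("hardened:  ", run_attack(hardened_handler))
```

Against the vulnerable handler the password goes to attacker@example.com; against the hardened one the tampered request is rejected and nothing is sent, while an untouched form still mails Sam. The check compares the submitted value to the stored one rather than trusting it, which is the "validated server-side" half of the takeaway; dropping the hidden field altogether is the "hardcoded" half.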

Tags

#hackthissite #basic-mission-4 #/missions/basic/4/
