Episode: 179
Title: HPR0179: Hack This Site
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr0179/hpr0179.mp3
Transcribed: 2025-10-07 12:58:49
---

So welcome to this episode of Hacker Public Radio with me, Zook. Today I'm going to talk about a website that I really should spend more time on, but generally don't. The website is called Hack This Site, www.hackthissite.org. That's Hotel Alpha Charlie Kilo Tango Hotel India Sierra Sierra India Tango Echo dot Oscar Romeo Golf.

To read the blurb at the front: Hack This Site is a free, safe and legal training ground for hackers to test and expand their hacking skills. More than just another hacker wargames site, we're a living, breathing community with many active projects in development, with a vast selection of blah blah blah stuff. Anyway, basically they have a bunch of things. They do various challenges and they have various lectures and articles and news and information and stuff.

The challenges here: they have the basic missions, realistic missions, application, programming, logic, extended basic, JavaScript and stego missions. If I click on the basic missions and load it up and see what I've got, these are the very basic ones, just an easy intro to some of these things. And the idea is that they've created sites on their server with certain vulnerabilities and you have to exploit those vulnerabilities to actually get it.

I'm going to do something you shouldn't do. I'm going to actually explain how to do the first basic mission. This is really, really simple, and if you can't do this one, then you shouldn't be doing the site. But you can click on the first basic mission and it loads up and it says, yeah, basically test your skills to see if you can do any of these missions; requirements: HTML. So it loads a page up here and says, this level is what we call the idiot test. If you can't complete it, don't give up; learn all you can, but don't go begging to someone else for the answer. That's one way to get you hated or made fun of. Enter the password and you can continue, so it has a password box.

And the standard thing in most of these ones is to right-click and view the page source. And you see exactly what they're doing and you can see what the box is, so we can look at all this stuff. And in this case, we can search for the password box. And if you look, you'll find the bit here: you see a form action and a method post, and input password, name password, input, blah, blah, blah. Anyway, you have the bit there and it should be fairly obvious what the password is. I'm not actually going to give it out. But if you're following on, you've basically figured it out by now. So you can put that in, submit, and then it says congrats, you've completed basic one again. Well, for you guys, it won't say "again". It'll just congratulate you for completing basic one. Here's 10 points or something. You have points and you can see how high you can go.

The basic, extended basic and realistic missions are all about websites. The JavaScript ones are all JavaScript-based. The basic ones are pretty much looking at the source code and figuring it out; the realistic group is a bit more interesting. Application missions are working on actual applications: here's an application, crack the password on it, kind of thing. The programming missions are where you have to write programs to do stuff. The logic missions, the logic missions are weird. They're the sort of logic puzzles like: I have 55 pence in two coins, and one of them is not a 50 pence piece. And of course, the answer is that the two coins are a 50 pence piece and a 5 pence piece, because, as I said, one of them is not a 50 pence piece, but the other one is. That kind of thing; logically, you have to think about exactly what they say. One of them gives you a person and you have to see what their password is. I think it's really fun. I really don't go on as much as I should. And I don't do it as much as I should. So I've got an account.

This is actually a really old one, from before I started using the name Zook. I'm toying with the idea of actually restarting as Zook on here and doing it. Anyway. But my rank is printer. So I have 1,377 points and you can gain more for doing things. And it gives you a list of everything you've done, hall of fame points, lectures given, and all this kind of stuff. And it lets you brush up on your hacking things, and also how to defend against it. As I said, I learned a lot about SQL injection from this. And then I went to my own website and checked. I made sure that none of my sites were vulnerable to SQL injection. Which they weren't, because, yeah, running through plenty of stuff, they just do the updates for you, basically. As long as you keep the latest version, and they nag you, telling you, you know, Drupal will email you when this updates and things. You don't need to worry about it too much.

But there's a bunch of different things. It's a really, really cool site. I highly recommend you go and have a look at it. It's lots of fun. Go and have a play. Just don't keep asking me questions about it, because whilst I can give hints out, I'm not going to give the passwords out. So there we go. Have fun everyone. Thank you for listening. I've been Zook, and this has been Hacker Public Radio.

Thank you for listening to Hacker Public Radio. HPR is sponsored by Caro.net, so head on over to C-A-R-O dot N-E-T for all of your hosting needs. Thank you.
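The lesson of that first basic mission, from the defending side, is that anything a page embeds in its source is readable by every visitor, so a password check that lives in the HTML or in client-side JavaScript protects nothing. The script below is an added example for this episode, not code from Hack This Site or from the host: it audits the HTML a server actually serves and flags the three places such a leak usually appears (a hidden form field carrying the expected value, an inline script comparing the input against a string literal, and a developer comment). The sample page it scans is constructed for the demo; the keyword list and the regex are assumptions of this example, not a standard.

```python
"""Audit served HTML for credentials exposed to the client.

The fix for every finding this reports is the same: move the comparison
to the server and never embed the expected value in the page.
"""
import re
from html.parser import HTMLParser

# Name fragments that suggest a field or variable holds a credential (assumption).
SECRET_WORDS = ("pass", "pwd", "secret", "token", "key")

# Matches `something.password == "literal"` style comparisons inside <script>.
SCRIPT_COMPARE = re.compile(
    r'([\w.]*(?:pass|pwd|secret)[\w.]*)\s*===?\s*["\']([^"\']+)["\']', re.I
)


class SecretLeakFinder(HTMLParser):
    """Collects (kind, where, value) triples for each client-visible secret."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._in_script = True
        if tag == "input":
            name = (attrs.get("name") or attrs.get("id") or "").lower()
            value = attrs.get("value")
            is_hidden = (attrs.get("type") or "").lower() == "hidden"
            # A hidden field whose name smells like a credential and carries a value.
            if is_hidden and value and any(w in name for w in SECRET_WORDS):
                self.findings.append(("hidden-input", name, value))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies verbatim through handle_data.
        if self._in_script:
            for m in SCRIPT_COMPARE.finditer(data):
                self.findings.append(("script-compare", m.group(1), m.group(2)))

    def handle_comment(self, data):
        # Developer comments are shipped to the browser like everything else.
        if any(w in data.lower() for w in SECRET_WORDS):
            self.findings.append(("html-comment", "comment", data.strip()))


def find_client_side_secrets(html):
    """Return a list of (kind, where, value) for every exposed credential found."""
    parser = SecretLeakFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page showing all three leak patterns at once.
SAMPLE_PAGE = """<html><body>
<!-- TODO: remove the test password before release: letmein -->
<form action="check.php" method="post">
  <input type="hidden" name="real_password" value="hunter2">
  <input type="password" name="password">
  <input type="submit" value="Submit">
</form>
<script>
function check(form) {
  if (form.password.value == "hunter2") { alert("correct"); return true; }
  return false;
}
</script>
</body></html>"""

if __name__ == "__main__":
    for kind, where, value in find_client_side_secrets(SAMPLE_PAGE):
        print(f"{kind:15} {where:25} {value}")
```

Run it against the HTML returned by a real request (for example `curl -s https://example.invalid/login`) rather than against template files: the goal is to see the page exactly as a visitor's view-source does. A page that passes this check can still be broken in other ways, but it at least no longer hands the answer to anyone who right-clicks.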