Intro 4 | Defend the Web

Senior Brogrammer
2 min read · Jul 2, 2022

Knowledge of traversing file directories is required

Hacker Silhouette | Credit: B_A on Pixabay

Problem

These challenges are finally stepping up in difficulty, going beyond just inspecting the page and finding the password in the HTML. You’ll need an understanding of file directories to figure this one out.

One day we will get a hint

Solution

To start off, inspect the page. I usually start at the username/password form and start searching. If you just press CTRL + F and search for “password”, you’ll find an interesting piece.

<input type="hidden" name="passwordfile" id="passwordfile"     
value="../../extras/playground/9d2K4Fw.json"
maxlength="" placeholder="" class="u-full-width">

As weird as this may sound, this used to be an old method of loading users into a single page, usually on a site built by 1–2 developers without a lot of knowledge about security.

The only trick is to resolve the relative path: the ../../ means we have to go back 2 directories on the web server. If that is confusing, treat the slashes exactly as you would on a file system and go back 2.

https://defendtheweb.net/extras/playground/<FILE_HASH>.json

That URL will take you to a page with a username and password in JSON format. Enter those values into the login form and you’ll have completed this introductory mission.
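
The same path resolution can be run from the defender's side as a check on your own pages. The script below is an added example, not code from the challenge or from this post: it scans markup for hidden inputs whose value looks like a file path and reports the absolute URL a browser would resolve it to. The page URL, the sample markup and the FILE_HASH file name are constructed placeholders.

```javascript
// Added example: audit markup for hidden inputs that disclose a file path.
// PAGE_URL and SAMPLE_HTML are constructed; FILE_HASH is a placeholder name.
const PAGE_URL = 'https://example.com/challenges/intro/login';
const SAMPLE_HTML = `
<form method="post">
  <input type="text" name="username">
  <input type="hidden" name="csrf" value="b7c1e0">
  <input type="hidden" name="passwordfile" id="passwordfile"
         value="../../extras/playground/FILE_HASH.json">
</form>`;

// Extensions that suggest the value points at a stored file, not a token.
const FILE_LIKE = /\.(json|txt|xml|csv|ini|bak|sql|db|ya?ml)$/i;

// Parse the attributes of one tag into a plain object (names lower-cased).
function parseAttributes(tag) {
  const attrs = {};
  const re = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  for (const m of tag.matchAll(re)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// Return every hidden input whose value looks like a path to a file,
// with the absolute URL a browser would resolve it to from pageUrl.
function findExposedFileFields(html, pageUrl) {
  const findings = [];
  for (const [tag] of html.matchAll(/<input\b[^>]*>/gi)) {
    const a = parseAttributes(tag);
    if ((a.type || '').toLowerCase() !== 'hidden' || !a.value) continue;
    const pathOnly = a.value.split(/[?#]/)[0];
    if (!FILE_LIKE.test(pathOnly)) continue;
    // new URL() applies standard dot-segment removal: each ../ drops one
    // directory from the page's path and stops at the site root.
    const resolved = new URL(a.value, pageUrl);
    findings.push({
      field: a.name || a.id || '(unnamed)',
      value: a.value,
      resolved: resolved.href,
      sameOrigin: resolved.origin === new URL(pageUrl).origin,
    });
  }
  return findings;
}

console.log(findExposedFileFields(SAMPLE_HTML, PAGE_URL));
```

Any file this reports is reachable by URL like any other static asset, so credential data belongs outside the web root and should be checked server-side.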

Thanks for the read.
