A Challenger's Handbook
So-called hidden challenges are popular, although these points generally apply to all challenges that use some kind of misdirection or hiding. There are generally only a limited number of places where things can be hidden, so here's what to look at:
HTML source code. You will need to go over this with minute attention to detail. There are many ways to hide things in HTML, for example:
- Including comments in the HTML with comment tags <!-- comment -->.
- Adding tabs and spaces at the end of lines. Select all text and note if any lines look strangely long. If they do, save the page and open it in a hex editor, where you can see the 09h and 20h codes of tabs and spaces. Chances are that a program called snow has been used to add this data.
- Scripts can include all manner of strangeness. For example comments, or a password checking routine that is never called but is the problem solution.
- Links with nothing for you to click on, or links just where you would not expect them.
- Text in the same colour as the page background.
- Links to images or files in another directory, where that directory contains some other data. Particularly look out for relative vs absolute links. A website may normally have images in its /images dir, but a link may be to images/pic.gif, which is relative to the current directory, so you have an extra subdir called images that contains some other information.
- Look for anything out of the ordinary. Every level might be the same, but this one has a different forum or a different picture for its logo. Compare it to previous levels.
- Any strange encrypted text is to be investigated with high priority!
Check all pictures and files linked from the challenge page. Do they contain hidden messages, visually or steganographically?
Check the web page request and response in the log window in Proxomitron for strange headers and new cookie values being set. Check for any strange goings-on, like redirection from one page to another.
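The HTML source checks listed above can be run mechanically over a saved copy of the page. The following is an added example, not part of the original handbook: `scan` and `HidingSpotScanner` are hypothetical names and the sample page is constructed. A flagged relative image path or run of trailing whitespace is only a prompt to look closer, not proof that anything is hidden.

```python
import re
from html.parser import HTMLParser
class HidingSpotScanner(HTMLParser):
    """Flags comments, background-coloured text, empty links, relative image paths."""
    def __init__(self):
        super().__init__()
        self.findings, self.bg, self._link = [], "", None

    def handle_comment(self, data):
        self.findings.append(("comment", self.getpos()[0], data.strip()))

    def handle_starttag(self, tag, attrs):
        a, line = dict(attrs), self.getpos()[0]
        if tag == "body":
            self.bg = (a.get("bgcolor") or "").lower()
        elif tag == "font" and self.bg and (a.get("color") or "").lower() == self.bg:
            self.findings.append(("bg-coloured-text", line, a["color"]))
        elif tag == "a" and a.get("href"):
            self._link = [a["href"], "", line]  # href, visible content so far, line
        elif tag == "img":
            if self._link:
                self._link[1] += "[img]"  # an image is something to click on
            src = a.get("src") or ""
            if src and not src.startswith(("/", "http:", "https:")):
                self.findings.append(("relative-src", line, src))

    def handle_data(self, data):
        if self._link:
            self._link[1] += data.strip()

    def handle_endtag(self, tag):
        if tag == "a" and self._link:
            if not self._link[1]:
                self.findings.append(("empty-link", self._link[2], self._link[0]))
            self._link = None

def scan(page: bytes):
    # Trailing tabs/spaces are found on the raw bytes and reported as 09/20 hex codes.
    findings = [("trailing-ws", n, m.group().rstrip(b"\r").hex(" "))
                for n, raw in enumerate(page.split(b"\n"), 1)
                if (m := re.search(rb"[\t ]+\r?$", raw))]
    parser = HidingSpotScanner()
    parser.feed(page.decode("latin-1"))
    parser.close()
    return sorted(findings + parser.findings, key=lambda f: f[1])

SAMPLE = (b'<html><body bgcolor="#FFFFFF">\n<!-- nothing to see here -->\n'
          b'<p>Welcome to level 3</p> \t \t\n<font color="#ffffff">look closer</font>\n'
          b'<a href="next/"></a>\n<img src="images/pic.gif"><img src="/images/logo.gif">\n'
          b'</body></html>\n')  # constructed sample page, not from a real challenge
```

Pass the bytes of a saved page to `scan`; each finding is a `(kind, line, detail)` tuple in page order.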
One particular site, some time ago (it's now all been changed), had a large number of hidden challenges. Every level was a 'find the exploit and we will tell you nothing else' type of level. No clues, nothing. The way it generally worked was that you would try things out, look for directories with certain names, etc. My approach to this type of level is to use a resource like that at The Rudi Carell lists (bottom of page) and try out the commonly exploited directories: cgi, cgi-bin, _vti_pvt, admin, secure, private, bin, images, and so on. Also try out common files: .htpasswd, .htaccess, etc. Most challenges will have a hierarchical directory structure level1/level2/level3, and so you will be checking level1/level2/level3/cgi-bin/, etc.
When all else fails, it is worth taking a break and trying again at a later point in time. The answer was probably staring you in the face all the time. I remember one answer that was on a 404 page, and unless you spotted that it was not the usual 404 page you would never have found it. So remember that if you know a certain challenge has a hidden element to it, do not offhandedly dismiss anything at all.