A Challenger's Handbook

by

Caesum

Hidden

So-called hidden challenges are popular, although the points below apply to any challenge that relies on misdirection or hiding. There are only so many places something can be hidden, so here is what to look at:

  • HTML source code. Go over it with minute attention to detail; there are many ways to hide things in HTML, for example:
  • Check all pictures and files linked from the challenge page. Do they contain hidden messages, either visually or steganographically?
  • Check the request and response for the page in Proxomitron's log window for strange headers and new cookie values being set, and for anything odd such as a redirection from one page to another.
  • Check your cache for files you did not previously notice, such as JavaScript or applet files, and check any CSS in your cache.
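As an added example (not from the handbook), here is a small Python inspector that runs the checklist above over a single raw HTTP response: it reports Set-Cookie and non-standard headers, a redirect Location, HTML comments, hidden form fields, and the images, scripts, applets and stylesheets the page links to, which are the files worth pulling from the cache. The sample response, the header list and the tag list are constructed for the example.

```python
from html.parser import HTMLParser

# Constructed sample (not captured from any real site): clues hidden in a comment,
# a hidden field, a custom header and a cookie, plus a linked script and image.
RAW_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    "Set-Cookie: level=3; path=/\r\nX-Hint: look closer\r\n\r\n"
    "<html><body><!-- TODO: remove before release -->\n"
    "<img src='/img/banner.gif'><script src='/js/check.js'></script>\n"
    "<form><input type='hidden' name='stage' value='final'></form>\n"
    "</body></html>"
)
# Headers an ordinary server emits; anything else is reported as unusual.
COMMON_HEADERS = {"content-type", "content-length", "date", "server",
                  "connection", "last-modified", "cache-control", "expires"}
# Tags whose src/href/code/data attribute pulls in a file worth inspecting.
RESOURCE_TAGS = {"img", "script", "link", "object", "applet", "embed", "iframe"}


class HiddenElementParser(HTMLParser):
    # Collects HTML comments, hidden inputs and linked resources from the body.
    def __init__(self):
        super().__init__()
        self.comments, self.hidden_inputs, self.resources = [], [], []

    def handle_comment(self, data):
        self.comments.append(data.strip())

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "input" and attrs.get("type") == "hidden":
            self.hidden_inputs.append((attrs.get("name"), attrs.get("value")))
        if tag in RESOURCE_TAGS:
            self.resources.extend(attrs[k] for k in ("src", "href", "code", "data") if k in attrs)


def inspect_response(raw):
    # Split status line, headers and body, then report what the checklist asks for.
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    findings = {"status": int(status_line.split()[1]), "cookies": [], "odd_headers": [], "redirect": None}
    for line in header_lines:
        name, _, value = line.partition(":")
        key, value = name.strip().lower(), value.strip()
        if key == "set-cookie":
            findings["cookies"].append(value)
        elif key == "location":          # redirection from one page to another
            findings["redirect"] = value
        elif key not in COMMON_HEADERS:  # strange headers (X-Hint here)
            findings["odd_headers"].append((name.strip(), value))
    parser = HiddenElementParser()
    parser.feed(body)
    findings.update(comments=parser.comments, hidden_inputs=parser.hidden_inputs, resources=parser.resources)
    return findings
```

Feed it the raw text of a response saved from the proxy log and everything the list asks you to look for comes back in one dictionary.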

One particular site, some time ago (it has all since been changed), had a large number of hidden challenges. Every level was a 'find the exploit and we will tell you nothing else' type of level. No clues, nothing. The way it generally worked was that you would try things out, look for directories with certain names, and so on. My approach to this type of level is to use a resource like the Rudi Carell lists (bottom of page) and try the commonly exploited directory names - cgi, cgi-bin, _vti_pvt, admin, secure, private, bin, images, and so on. Also try common files - .htpasswd, .htaccess, etc. Most challenges have a hierarchical directory structure level1/level2/level3, so you will be checking level1/level2/level3/cgi-bin/, etc.

When all else fails it is worth taking a break and trying again later. The answer was probably staring you in the face all along. I remember one answer that sat on a 404 page; unless you spotted that it was not the usual 404 page, you would never have found it. So remember: if you know a certain challenge has a hidden element to it, do not offhandedly dismiss anything at all.
