22 January 2021

Pentesting Fun Stuff

following the cyber security path…



When checking my twitter-feed there was a tweet from @Bill_Matthews with a reference to this site. Because I like a challenge, I had to participate. Like always I write up my findings to not only learn from the experience, but also in the hope it can help others.




HackerTest.net is your own online hacker simulation.
With 20 levels that require different skills to get to another step of the game, this new real-life imitation will help you advance your security knowledge.
HackerTest.net will help you improve your JavaScript, PHP, HTML and graphic thinking in a fun way that will entertain any visitor!
Have a spare minute? Log on! Each level will provide you with a new, harder clue to find a way to get to another level.
Will you crack HackerTest.net?_

Level 1

Checking the source code there is a script:
<body onLoad=password()>

var a is a string which will be accepted as the password. In this case ‘null’.

Level 2

Again I find the answer in the source code.

To make no mistakes…..it says l3l, not 131

Level 3

The answer is again in the source code.

pw = windows.document.alinkColor > alink = #000000

Level 4 + 5

When I click the link it takes me to the level 5 (I guess level 4 is a present). But because I don’t have the right password it closes the page and brings me back to level 4 page. To solve this problem I copy the location from the hyperlink and use it with ‘view-source:’ in front of it. Like always the solution is in the source code.

Level 6

Looking at the source code there is a js file named psswd.js. When I follow it, I get the answer of this riddle.

Level 7

When looking at the source code the answer can be found in /images/included.gif.

Level 8

When looking at the source code it says:

But after looking down the code I found /phat.php. When following that file I got /images/phat.gif and when I viewed that file there was a remark about looking for a PhotoshopDocument. Instead of looking for /images/phat.gif, I looked for /images/phat.psd. After downloading the file and stripping all the layers, there was an username and password visible.

Level 9

The answer is found in the source code.

Level 10

On the site there is a piece of text. I notice that there are some letters that are in italic.
When I make a string of these letters, I get ‘shackithalf’. This turns out to be the password to advance.
In the source code there is the part I need to get to level 11.

Level 11

When viewing the souce code, I find the answer for the next level.

Level 12

In the source code there is another picture. When looking closely at the picture, I can see the answer to next page. There is a clue about using graphic software. But that’s not needed.

Level 13

When viewing the source code, I notice images/lvl13.gif. When looking closely again, I get a clue.

Level 14

When viewing the source code there is a gif. To split the gif file I use https://www.gif-explode.com/

Level 15 + 16


Following the directories, I get a broken jpg. After a hexdump I can see the answer.

Level 17

In the source code there is a piece of code with the answer.

When I enter my IP address as password there is a piece of text with the answer for the next level.

Level 18

Think like a n00b. Looking at http://www.hackertest.net/images/n00b.gif the hint was clear. The answer wasn’t in the source code either. To clear this level, you really have to think like a noob and try the password ‘password’.

Level 19

When looking in the source code the answer is right there.

When I use gimp to read the gif file I get the answer for the next level.

Level 20

Looks like the first string is hex and the second one is base64 encoded. It requires time… be patient. The first line is decoded quickly.
After I decode the second line, I get another base64 encoded text. It takes me a few times before I get at the end.
@Bill_Matthews pointed me out I missed something on this page. After looking closer I found the thing he was pointing out. You can read it in the source code, but it is also readable when selecting all text (CTRL+A).

After trying different options, I came out at http://www.hackertest.net/gb22332/ which tried to load http://www.hackertest.net/gb22332/login.php and resulted in an error 505.

Maybe a hint.

This lifts my spirit. A hint to ‘The Hitchhiker’s Guide to the Galaxy’?
In the source code there is a comment.



Because I missed a crucial piece of the puzzle I thought this challenge was ending a bit odd. But after finding the missing piece, I finally could finish this challenge with a satisfying feeling.
To learn how to hack and execute pentesting, I would suggests some other (and in my opinion better) resources, but to really finish this challenge you definitely need the hacker mentality! Nonetheless I enjoyed this challenge.
Still there are some questions left unanswered. Like, what is the secret code for? Why was there a comment in the gif file containing a gmail address?
I let these questions to others who are interested in solving a peculiar puzzle. If you do find the answers…let me know.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.