Posted by: Ken Harthun
Command line, Ethical hacking, Linux, Password, Security
Once again it’s a slow security news week, so time to tackle the next hacking skills challenge level. So far, we’ve explored the first 6 basic missions at HackThisSite.org. The difficulty level is supposed to increase at each level, but this one is only difficult if you don’t know Linux. Here’s the challenge:
This time Network Security Sam has saved the unencrypted level7 password in an obscurely named file saved in this very directory.
In other unrelated news, Sam has set up a script that returns the output from the UNIX cal command.
This one is so easy you don’t even have to look at the source code. But you do have to know about chaining commands in Unix.
If you enter a year, you’ll get a full 12-month calendar with all weeks beginning on Sunday displayed on the resulting output page. This is default behavior of the cal command. It looks like all the script does is execute the command, taking your input as a parameter. We can prove this by leaving the field blank; the script returns the current month and year, i.e., default behavior.
The key to cracking this one is the phrase “…obscurely named file saved in this very directory.” We know the permissions are good to run commands on that directory, so let’s just chain the ls — list directory contents — command and see what happens. (You chain commands in Linux using && between them.) Enter the following in the text box: && ls and click the View button. Here’s the output:
October 2009 Mon Tue Wed Thu Fri Sat Sun 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 . .. level7.php cal.pl index.php k1kh31b1n55h.php perl5.8.9.core
Looks to me like k1kh31b1n55h.php is our file. Stick it in the URL and open it up. Voila! The password, f866d6b9, is revealed.