Security Corner

Oct 30 2009   3:11PM GMT

Hacking Skills Challenge – Level 8

Ken Harthun

So far, we’ve explored the first 7 basic missions at HackThisSite.org. The difficulty of these challenges increases at each level, but this one is not too tough if you look at the clues. Here’s the challenge:

The password is yet again hidden in an unknown file. Sam’s daughter has begun learning PHP, and has a small script to demonstrate her knowledge. Requirements: Knowledge of SSI (dynamic html executed by the server, rather than the browser).

Sam remains confident that an obscured password file is still the best idea, but he screwed up with the calendar program. Sam has saved the unencrypted password file in /var/www/hackthissite.org/html/missions/basic/8/

However, Sam’s young daughter Stephanie has just learned to program in PHP. She’s talented for her age, but she knows nothing about security. She recently learned about saving files, and she wrote a script to demonstrate her ability.

Did you catch that key phrase in the description above? It’s “…executed by the server…” and it’s PHP. That’s what tipped me off. We should be able to execute a simple PHP script from the input box, don’t you think? In PHP you can execute commands with a simple structure. Let’s see what happens if we type in the ls command like this:

[<]!--#exec cmd="ls"--[>] (brackets to allow proper display only; don’t use them)

That gives us some output, but not what we’re looking for, I’m afraid:

Your file has been saved. Please click here view the file.

That output is at ../level8.php. If you click the link to view the file, you’ll see this at ../tmp/[random filename].shtml:

Hi, tshngmww.shtml hipykpqu.shtml ztxdhjxn.shtml…[and a lot more].

That’s not what we’re looking for.

Oh, wait. We just did a listing of the current directory, /var/www/hackthissite.org/html/missions/basic/8/tmp/. We want to go up one level to /var/www/hackthissite.org/html/missions/basic/8/. Let’s try that command again so we list the parent directory:

[<]!--#exec cmd="ls .."--[>] (again, don’t use the brackets)

Voila! Now we get this as the output when we click the link to view:

Hi, au12ha39vc.php index.php level8.php tmp!

The file au12ha39vc.php looks like the one. Plug it into the browser and you get the password: 40087506.

Mission accomplished!
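The mission works because the submitted name is written unchanged into a .shtml file, which the server then parses for SSI directives. The Python below is an added example, not code from this post or from HackThisSite: Stephanie's script is not shown on the page, so the "Hi, name!" rendering is assumed from the output above, and all function names are hypothetical. It shows the unsafe write next to an escaped one, with a scanner for quoted-attribute SSI directives to check what ends up in the saved file.

```python
import html
import re

# An SSI directive with quoted attributes: <!--#element attr="value" ... -->
# Values may be quoted with ", ' or ` (the forms this scanner covers).
SSI_DIRECTIVE = re.compile(
    r'<!--#(\w+)((?:\s+\w+=(?:"[^"]*"|\'[^\']*\'|`[^`]*`))*)\s*-->')
SSI_ATTR = re.compile(r'(\w+)=(?:"([^"]*)"|\'([^\']*)\'|`([^`]*)`)')


def find_ssi_directives(content):
    """Return [(element, {attr: value})] for each SSI directive in content."""
    found = []
    for m in SSI_DIRECTIVE.finditer(content):
        attrs = {}
        for a in SSI_ATTR.finditer(m.group(2)):
            # Exactly one of the three quote alternatives matched.
            value = next(v for v in a.groups()[1:] if v is not None)
            attrs[a.group(1).lower()] = value
        found.append((m.group(1).lower(), attrs))
    return found


def render_greeting_unsafe(name):
    # Assumed behaviour of the mission script: input goes into the
    # .shtml file verbatim, so any directive in it reaches the SSI parser.
    return "Hi, " + name + "!"


def render_greeting_safe(name):
    # html.escape turns < > & and quotes into entities, so no "<!--#"
    # start sequence survives for the server to interpret.
    return "Hi, " + html.escape(name, quote=True) + "!"


if __name__ == "__main__":
    submitted = '<!--#exec cmd="ls .."-->'  # the input from the walkthrough
    for render in (render_greeting_unsafe, render_greeting_safe):
        page = render(submitted)
        print(render.__name__, "->", page, find_ssi_directives(page))
```

On Apache, setting `Options IncludesNOEXEC` instead of `Options Includes` for the directory disables `#exec` as a second layer, though escaping the input is what closes the injection itself.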
