So far, we’ve explored the first 7 basic missions at HackThisSite.org. The difficulty of these challenges increases at each level, but this one is not too tough if you look at the clues. Here’s the challenge:
The password is yet again hidden in an unknown file. Sam’s daughter has begun learning PHP, and has a small script to demonstrate her knowledge. Requirements: Knowledge of SSI (dynamic html executed by the server, rather than the browser).
Sam remains confident that an obscured password file is still the best idea, but he screwed up with the calendar program. Sam has saved the unencrypted password file in /var/www/hackthissite.org/html/missions/basic/8/
However, Sam’s young daughter Stephanie has just learned to program in PHP. She’s talented for her age, but she knows nothing about security. She recently learned about saving files, and she wrote an script to demonstrate her ability.
Did you catch that key phrase in the description above? It’s “…executed by the server…” and it’s PHP. That’s what tipped me off. We should be able to execute a simple PHP script from the input box, don’t you think? In PHP you can execute commands with a simple structure. Let’s see what happens if we type in the ls command like this:
[<]!–#exec cmd=”ls”–[>] (brackets to allow proper display only–don’t use them)
That give us some output, but not what we’re looking for, I’m afraid:
Your file has been saved. Please click here view the file.
That output is at ../level8.php. If you click the link to view the file, you’ll see this at ../tmp/[random filename].shtml:
Hi, tshngmww.shtml hipykpqu.shtml ztxdhjxn.shtml…[and a lot more].
That’s not what we’re looking for.
Oh, wait. We just did a listing of the current directory, /var/www/hackthissite.org/html/missions/basic/8/tmp/; We want to go up one level to /var/www/hackthissite.org/html/missions/basic/8/. Let’s try that command again so we list the parent directory:
[<]!–#exec cmd=”ls ..”–[>] (again, don’t use the brackets)
Voila! Now we get this as the output when we click the link to view:
Hi, au12ha39vc.php index.php level8.php tmp!
The file au12ha39vc.php looks like the one. Plug it into the browser and you get the password: 40087506.