Command Line archives - Security Corner


Oct 30 2009   3:11PM GMT

Hacking Skills Challenge - Level 8



Posted by: Ken Harthun
Security, Ethical hacking, Password, PHP, Command line

So far, we’ve explored the first 7 basic missions at HackThisSite.org. The difficulty of these challenges increases at each level, but this one is not too tough if you look at the clues. Here’s the challenge:

The password is yet again hidden in an unknown file. Sam’s daughter has begun learning PHP, and has a small script to demonstrate her knowledge. Requirements: Knowledge of SSI (dynamic html executed by the server, rather than the browser).

Sam remains confident that an obscured password file is still the best idea, but he screwed up with the calendar program. Sam has saved the unencrypted password file in /var/www/hackthissite.org/html/missions/basic/8/

However, Sam’s young daughter Stephanie has just learned to program in PHP. She’s talented for her age, but she knows nothing about security. She recently learned about saving files, and she wrote a script to demonstrate her ability.

Did you catch that key phrase in the description above? It’s “…executed by the server…”, and the requirements line spells it out: SSI. That’s what tipped me off. Stephanie’s script saves whatever we type into a file, and, as we’ll see in a moment, that file is given an .shtml extension, which is exactly the extension the web server hands to its server-side include processor. So an SSI directive typed into the input box is not just stored; it is executed by the server when the saved file is viewed. The SSI directive for running a shell command is #exec cmd, so let’s see what happens if we submit the ls command like this:

<!--#exec cmd="ls" -->

That gives us some output, but not what we’re looking for, I’m afraid:

Your file has been saved. Please click here view the file.

That output is at ../level8.php. If you click the link to view the file, you’ll see this at ../tmp/[random filename].shtml:

Hi, tshngmww.shtml hipykpqu.shtml ztxdhjxn.shtml…[and a lot more].

That’s not what we’re looking for.

Oh, wait. We just did a listing of the current directory, /var/www/hackthissite.org/html/missions/basic/8/tmp/, which is where the saved .shtml file lives and therefore where the server ran our command. We want to go up one level to /var/www/hackthissite.org/html/missions/basic/8/. Let’s try that command again so we list the parent directory:

<!--#exec cmd="ls .." -->

Voila! Now we get this as the output when we click the link to view:

Hi, au12ha39vc.php index.php level8.php tmp!

The file au12ha39vc.php looks like the one. Plug it into the browser and you get the password: 40087506.
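Here is the whole mechanism as an added Python model; it is not the mission’s PHP script or any HackThisSite code. It has a page builder that mirrors what the script evidently does (raw input written into the page body), a hardened builder that HTML-escapes the input first, and a deliberately minimal stand-in for the server’s SSI processor that recognises only the #exec cmd directive. The payload uses echo instead of ls so the result is the same on any machine; the function names and the PAYLOAD string are this example’s own.

```python
"""Model of HackThisSite basic mission 8: SSI directive injection.

Added example, not the mission's own code. Stephanie's real script is PHP;
this is a Python model of the two halves of the bug: a script that writes
user input into a .shtml page, and the server's SSI processor that later
executes any <!--#exec cmd="..." --> directive it finds in that page.
"""
import html
import re
import subprocess

# Simplified mod_include: only the exec/cmd directive is recognised here.
EXEC_DIRECTIVE = re.compile(r'<!--#exec\s+cmd="([^"]*)"\s*-->')

# Constructed attacker input. The walkthrough used "ls"; echo is used here
# so the result is identical on any machine.
PAYLOAD = '<!--#exec cmd="echo INJECTED" -->'


def build_page_vulnerable(name: str) -> str:
    """Mirror the mission's script: raw input interpolated into the page body."""
    return f"Hi, {name}!"


def build_page_hardened(name: str) -> str:
    """Same page, but the input is HTML-escaped first (PHP's htmlspecialchars()
    does the same job): '<' becomes '&lt;' and '"' becomes '&quot;', so the
    text can never form an SSI directive, whatever extension the file gets."""
    return f"Hi, {html.escape(name, quote=True)}!"


def render_ssi(page: str, page_dir=None) -> str:
    """Stand-in for the server's SSI processing of a .shtml file.

    Every exec directive is run through /bin/sh and replaced by its output,
    with the directory holding the page (page_dir, an assumption of this
    model) as the working directory. That is why the first listing in the
    walkthrough showed the contents of tmp/ rather than the mission directory.
    """
    def run(match: re.Match) -> str:
        result = subprocess.run(match.group(1), shell=True, cwd=page_dir,
                                capture_output=True, text=True)
        return result.stdout
    return EXEC_DIRECTIVE.sub(run, page)


def contains_directive(page: str) -> bool:
    """True if the page still carries something the SSI processor would run."""
    return EXEC_DIRECTIVE.search(page) is not None


if __name__ == "__main__":
    print("vulnerable:", repr(render_ssi(build_page_vulnerable(PAYLOAD))))
    print("hardened:  ", repr(render_ssi(build_page_hardened(PAYLOAD))))
```

Two fixes stack well here: escape the input as build_page_hardened does, and keep user-supplied content out of files the server treats as SSI at all (save it with a .html or .txt extension, or set Options IncludesNOEXEC on the directory, which keeps #include working while refusing #exec).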

Mission accomplished!

Oct 28 2009   12:15AM GMT

Hacking Skills Challenge - Level 7



Posted by: Ken Harthun
Security, Ethical hacking, Password, Linux, Command line

Once again it’s a slow security news week, so time to tackle the next hacking skills challenge level. So far, we’ve explored the first 6 basic missions at HackThisSite.org. The difficulty level is supposed to increase at each level, but this one is only difficult if you don’t know Linux. Here’s the challenge:

The password is hidden in an unknown file, and Sam has set up a script to display a calendar. Requirements: Basic UNIX command knowledge.

This time Network Security Sam has saved the unencrypted level7 password in an obscurely named file saved in this very directory.

In other unrelated news, Sam has set up a script that returns the output from the UNIX cal command.

This one is so easy you don’t even have to look at the source code. But you do have to know about chaining commands in Unix.

If you enter a year, you’ll get a full 12-month calendar for that year displayed on the resulting output page, which is exactly what cal does when it is given a single numeric argument. (Whether the weeks start on Sunday or Monday depends on the server’s cal implementation and locale; the output captured below starts on Monday.) It looks like all the script does is execute the command, taking your input as a parameter. We can prove this by leaving the field blank: the script returns the current month and year, cal’s default behavior with no argument.

The key to cracking this one is the phrase “…obscurely named file saved in this very directory.” The script already runs cal from that directory on our behalf, so anything we can get the shell to run alongside cal runs there too. Let’s just chain the ls (list directory contents) command onto the input and see what happens. (You chain commands in a Unix shell with && between them: the second command runs only if the first one succeeds, and cal succeeds even with no argument. A semicolon would run the second command unconditionally.) Enter the following in the text box: && ls and click the View button. Because the field contains nothing before the &&, cal runs with no argument and prints the current month, and then the listing follows:

       October 2009
Mon Tue Wed Thu Fri Sat Sun
              1   2   3   4
  5   6   7   8   9  10  11
 12  13  14  15  16  17  18
 19  20  21  22  23  24  25
 26  27  28  29  30  31

.
..
level7.php
cal.pl

index.php
k1kh31b1n55h.php
perl5.8.9.core

Looks to me like k1kh31b1n55h.php is our file. Stick it in the URL and open it up. Voila! The password, f866d6b9, is revealed.
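To make the chaining concrete, here is an added Python model of the calendar wrapper; it is not the mission’s cal.pl, which we never get to see. It has one version that builds a shell string the way the wrapper evidently does, one that passes the field as its own argv element, and one that validates the field first. The program parameter defaults to cal, as on the mission server, but the example’s own demo values use echo so it runs on a machine without cal installed; the INJECTED_YEAR input is constructed for this example.

```python
"""Model of HackThisSite basic mission 7: shell command chaining.

Added example, not the mission's cal.pl. The wrapper is rebuilt three ways:
the vulnerable shell-string version, an argv-list version, and an argv-list
version with input validation. `program` defaults to cal as on the mission
server; the demo uses echo so the example runs without cal installed.
"""
import re
import subprocess

# Constructed attacker input, one step on from the walkthrough's "&& ls":
# a real year is kept in front so cal still succeeds and && runs the rest.
INJECTED_YEAR = "2009 && echo INJECTED"

# A calendar year for our purposes: one to four digits and nothing else.
YEAR_RE = re.compile(r"[0-9]{1,4}")


def run_vulnerable(year: str, program: str = "cal") -> str:
    """Mirror cal.pl: the raw field is interpolated into a shell command line,
    so &&, ;, | and backticks in the field are shell syntax, not data."""
    result = subprocess.run(f"{program} {year}", shell=True,
                            capture_output=True, text=True)
    return result.stdout + result.stderr


def run_argv(year: str, program: str = "cal") -> str:
    """Pass the field as a separate argv element. No shell is involved, so
    '2009 && echo INJECTED' reaches the program as one literal argument
    (real cal would simply reject it as an invalid year)."""
    argv = [program] + ([year] if year else [])   # blank field: current month
    result = subprocess.run(argv, capture_output=True, text=True)
    return result.stdout + result.stderr


def run_hardened(year: str, program: str = "cal") -> str:
    """Validate first, then use the argv form. Defence in depth: validation
    keeps junk away from the program, argv keeps the shell out of the picture."""
    if year and not YEAR_RE.fullmatch(year):
        raise ValueError(f"not a year: {year!r}")
    return run_argv(year, program)


def rejects(year: str, program: str = "cal") -> bool:
    """True if the hardened wrapper refuses the input before running anything."""
    try:
        run_hardened(year, program)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable:", repr(run_vulnerable(INJECTED_YEAR, program="echo")))
    print("argv only: ", repr(run_argv(INJECTED_YEAR, program="echo")))
    print("hardened:  ", "rejected" if rejects(INJECTED_YEAR, program="echo")
          else "accepted")
```

With echo standing in for cal, the vulnerable version prints a second line, INJECTED, because the shell treated && as an operator; the argv version prints the whole field back as one string because nothing ever parsed it as shell; the hardened version never runs the program at all.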

Mission accomplished!


Feb 28 2009   4:11PM GMT

Use This Little Known Tool to Securely Delete Files and Folders on Your Hard Drive



Posted by: Ken Harthun
Data destruction, Data sanitization, Microsoft Windows, Microsoft, Command line, Tools

For those who grew up with the graphical user interface, command line tools are often seen as arcane remnants from the dawn of PC history, a time when badly-dressed nerds sporting horn-rimmed glasses and pocket protectors ruled the universe (well, maybe just the computer lab). For them, nearly all of the command line tools are little known; for us dinosaurs who were typing on terminals well before the PC arrived, there are few of these older tools we haven’t seen. However, as the GUI gradually replaced the command line and we command line geeks began to point and click more and more, some useful tools escaped our notice. One of these is the ten-year-old SDelete by Mark Russinovich of Sysinternals fame. Microsoft acquired Sysinternals in July, 2006 and made all of the excellent tools available free.

Using SDelete

SDelete is a command line utility that takes a number of options. In any given use, it allows you to delete one or more files and/or directories, or to cleanse the free space on a logical disk. SDelete accepts wildcard characters as part of the directory or file specifier.

Usage: sdelete [-p passes] [-s] [-q] <file or directory>
sdelete [-p passes] [-z|-c] [drive letter]

-c     Zero free space (good for virtual disk optimization).

-p passes     Specifies number of overwrite passes.

-s     Recurse subdirectories.

-q     Don’t print errors (quiet).

-z     Cleanse free space.

SDelete implements the Department of Defense clearing and sanitizing standard DOD 5220.22-M, which is overkill on a modern magnetic drive (see The Great Drive Wiping Controversy Settled at Last), but it does make the overwritten file data unrecoverable by software. Two caveats. First, SDelete securely deletes file data, but not file names located in free disk space; if you want to be completely sure that all traces of a file are gone, follow up with the -c or -z option against the drive. Second, overwriting is a magnetic-disk technique: on an SSD the drive’s wear levelling decides where each write physically lands, so an overwrite pass gives no guarantee that the old blocks were touched, and the drive’s own secure-erase command or full-disk encryption is the right tool there.

#####

Want to see even more useful, little known tools? Check out Sysinternals Live:

Sysinternals Live is a service that enables you to execute Sysinternals tools directly from the Web without hunting for and manually downloading them. Simply enter a tool’s Sysinternals Live path into Windows Explorer or a command prompt as http://live.sysinternals.com/<toolnam…; or  \\live.sysinternals.com\tools\<toolname>.

You can view the entire Sysinternals Live tools directory in a browser at http://live.sysinternals.com.