What is it? @.@

Here is the place where I record some tactics about wargames, systems, and other security issues.

2012-09-09

Hack This Site! - Basic 7

Description:

The password is hidden in an unknown file, and Sam has set up a script to display a calendar. Requirements: Basic UNIX command knowledge.

Level 7

This time Network Security Sam has saved the unencrypted level7 password in an obscurely named file saved in this very directory.

In other unrelated news, Sam has set up a script that returns the output from the UNIX cal command. Here is the script:

Enter the year you wish to view and hit 'view'.
[ year field ] [view]

Password:
[ password field ] [submit]

Solution:
  1. First, enter "2012" in the field and press view; the page displays the 2012 calendar from Sam's computer. It is a Unix-like system, and the result comes from a Perl CGI (Common Gateway Interface) script called cal.pl.
  2. The basic command to list files and directories on a Unix-like system is "ls".
  3. The other thing to know is that on a Unix-like system the semicolon separator tells bash to execute each command consecutively, in the order you give them.
  4. So go back to the level page, and this time enter "2012; ls" in the field and press the view button. At the bottom of the displayed page you will find the following list of files and directories.
    .
    ..

    cal.pl
    index.php
    k1kh31b1n55h.php
    level7.php
  5. Access the PHP file directly.
    Visit: hxxp://www.hackthissite.org/missions/basic/7/k1kh31b1n55h.php
  6. The page shows this text:
    38f96efd
  7. Go back to the level page and submit the password.
  8. Congratulations, you have successfully completed basic 7!
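
Why step 4 works, and how a script like cal.pl could be written so that it does not: this is an added example, not part of the original level or Sam's actual script. The source of cal.pl is not shown on the page, so the vulnerable line is an assumed pattern, and `render_calendar` is a hypothetical name.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed shape of the bug (cal.pl's source is not on the page): the field
# value is interpolated into one command string, so Perl hands it to /bin/sh
# and "2012; ls" is parsed as two commands.
#   my $out = `cal $year`;        # vulnerable pattern, shown only as a comment

# Hardened handler (hypothetical name): allowlist the value, then run cal
# with a list-form pipe open so no shell ever parses the input.
sub render_calendar {
    my ($input) = @_;
    $input = '' unless defined $input;

    # \A...\z and [0-9]: ASCII digits only, and no trailing newline slips
    # through as it would with a '$' anchor.
    my ($year) = $input =~ /\A([0-9]{1,4})\z/
        or return (400, "year must be 1 to 4 digits\n");
    return (400, "year must be between 1 and 9999\n") if $year < 1;

    # List form: argv is exactly ('cal', $year); ';' would stay literal text.
    my $pid = open(my $cal, '-|', 'cal', $year)
        or return (500, "could not start cal\n");
    my $out = do { local $/; <$cal> };
    close($cal) or return (500, "cal exited with an error\n");
    return (200, $out);
}

# Constructed inputs: the normal value, the value from step 4, and edge cases.
for my $input ('2012', '2012; ls', "2012\n", '$(ls)', '0', '') {
    my ($status, $body) = render_calendar($input);
    (my $shown = $input) =~ s/\n/\\n/g;
    printf "%-10s -> %d %s", "'$shown'", $status,
        $status == 200 ? "(calendar, " . length($body) . " bytes)\n" : $body;
}
```

Either control alone would stop the input from step 4; using both means a later change to the pattern does not reopen the shell, and storing the password outside the web-readable directory would remove what the listing revealed.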