The password is again hidden in an unknown file. However, the script that was previously used to find it has some limitations. Requirements: Knowledge of SSI, unix directory structure.
Level 9
Network Security Sam is going down with the ship - he's determined to keep obscuring the password file, no matter how many times people manage to recover it. This time the file is saved in /var/www/hackthissite.org/html/missions/basic/9/.
In the last level, however, in my attempt to limit people to using server side includes to display the directory listing to level 8 only, I have mistakenly screwed up somewhere.. there is a way to get the obscured level 9 password. See if you can figure out how...
This level seems a lot trickier than it actually is, and it helps to have an understanding of how the script validates the user's input. The script finds the first occurrence of '<--', and looks to see what follows directly after it.
Solution:
- The hint tells you to reuse the technique from Level 8 to find the obscured password file for this level.
- Just go back to Level 8 and change the injection code.
<!--#exec cmd="ls ../../9" -->
where the two dots mean "one level up". Directory traversal is needed to get
FROM
/var/www/hackthissite.org/html/missions/basic/8/tmp/
TO
/var/www/hackthissite.org/html/missions/basic/9/
- Then you get a link that points to a randomly generated page.
Your file has been saved. Please click here view the file.
- This text appears on the page:
Hi, index.php p91e283zc3.php!
Your name contains 24 characters.
- Now you know "p91e283zc3.php" is the obscured password file.
Visit:
hxxp://www.hackthissite.org/missions/basic/9/p91e283zc3.php
- This text appears on the page:
25728859
25728859
- Go back to the level page and submit the password.
- Congratulations, you have successfully completed basic 9!
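
The hint describes a validator that inspects only what directly follows the first comment opener. As an added example (not the mission's or the site's code), the sketch here models that check under assumptions and sets it beside two controls that hold: an allowlist for the name field and HTML-encoding on output. `ALLOWED_START`, the name pattern and all function names are hypothetical.

```python
import html
import re

# Hypothetical model of the check the mission hint describes, not the site's
# code: only the first "<!--" is inspected, and only the start of what follows.
ALLOWED_START = '#exec cmd="ls'

def first_occurrence_check(name: str) -> bool:
    """Weak validator: accept if the first comment opener is followed by the
    permitted directive prefix. The argument given to ls is never examined,
    and neither is anything after the first directive."""
    pos = name.find("<!--")
    if pos == -1:
        return True                       # no directive at all
    return name[pos + 4:].startswith(ALLOWED_START)

# Control 1: allowlist what a "name" may contain (assumed policy).
NAME_RE = re.compile(r"[A-Za-z0-9 _.'-]{1,64}")

def is_plain_name(name: str) -> bool:
    return NAME_RE.fullmatch(name) is not None

# Control 2: encode on output, so nothing the user typed can be parsed as an
# SSI directive when the generated page is served.
def render_greeting(name: str) -> str:
    return "Hi, " + html.escape(name, quote=True) + "!"

def audit(name: str) -> dict:
    """Report what each control decides for one input."""
    return {
        "weak_check_accepts": first_occurrence_check(name),
        "allowlist_accepts": is_plain_name(name),
        "directive_survives_encoding": "<!--" in render_greeting(name),
    }

if __name__ == "__main__":
    # Inputs: an ordinary name and the directive quoted in the walkthrough.
    for sample in ["Sam", '<!--#exec cmd="ls ../../9" -->']:
        print(repr(sample), audit(sample))
```

Encoding on output is the control that does not depend on guessing every directive form; the allowlist narrows the field to what a name needs.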