"Sam remains confident that an obscured password file is still the best idea, but he screwed up with the calendar program. Sam has saved the unencrypted password file in /var/www/hackthissite.org/html/missions/basic/8/
However, Sam's young daughter Stephanie has just learned to program in PHP. She's talented for her age, but she knows nothing about security. She recently learned about saving files, and she wrote a script to demonstrate her ability."
In this mission we are told that knowledge of Server-Side Includes (SSI) is necessary in order to complete it. The first thing you must do, therefore, is look up SSI and read up on it. There's no need for me to go into the ins and outs of what SSI is, but in layman's terms it lets the web server execute directives embedded in a page as it serves that page. After doing some research you should be fairly comfortable with what SSI is and how it is used. Knowledge of directory traversal is also needed for this mission.
From the description within the mission we know that "Stephanie" has created a PHP program that has an exploitable security flaw in it. So we first need to use that program and see what it does. As you can see, it saves your input into a file in a temporary folder named "tmp" and then includes this file after the "Hi, " greeting. This is where our knowledge of SSI comes in.
We can presume at this point that the security flaw is that the input is never checked, so you can put your own SSI directive into the field and it will be executed when the saved file is included by "Stephanie's" program. So we test it: "". Straight away we know that the input is not checked on submission, as the file does get saved. From clicking on the link we can see that our arbitrary code gets executed and all the files in the "tmp" folder are displayed (because we used the *nix command "ls").
This is where our knowledge of directory traversal comes into play. At this point we know we can use SSI injection (although this is limited for the site's own security: any command other than the expected one is not executed, and a message saying you're on the right track is output instead). At the moment the "ls" command lists everything in the "tmp" folder, but this is not the folder we want listed; we need to jump back a directory using "..". Therefore the new command is "". This lists the file containing the password, which just needs to be viewed to obtain it. Well done, you've just completed Basic 8!
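As an added example from the defender's side (not the site's or this post's code), here is a Python filter for the two things this mission abuses: it detects Apache-style SSI directives and bare ".." path segments in a submitted value, rates the risk, and shows that HTML-escaping the value before it is written to a file the server later includes removes the directive delimiters entirely. The regular expressions and the sample submissions are constructed for illustration.

```python
import html
import re

# Apache-style SSI directive: <!--#name attr="value" ... -->  (constructed pattern)
SSI_DIRECTIVE = re.compile(r'<!--#\s*(\w+)((?:\s+\w+\s*=\s*"[^"]*")*)\s*-->', re.S)
SSI_ATTR = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
# A stand-alone ".." segment (an ellipsis "..." is deliberately not matched)
TRAVERSAL = re.compile(r'(?<![\w.])\.\.(?![\w.])')


def find_ssi_directives(text: str) -> list:
    """Return [(directive_name, {attr: value}), ...] for every SSI directive in text."""
    found = []
    for m in SSI_DIRECTIVE.finditer(text):
        found.append((m.group(1).lower(), dict(SSI_ATTR.findall(m.group(2)))))
    return found


def classify_input(text: str) -> dict:
    """Rate a submitted value: an exec directive is the serious case, any other
    directive or a ".." segment is worth logging, plain text is fine."""
    names = [name for name, _ in find_ssi_directives(text)]
    traversal = bool(TRAVERSAL.search(text))
    if "exec" in names:
        risk = "high"
    elif names or traversal:
        risk = "medium"
    else:
        risk = "none"
    return {"directives": names, "traversal": traversal, "risk": risk}


def sanitize_for_ssi_page(text: str) -> str:
    """Hardened form of 'save the input and include it': escape before writing, so
    '<' becomes '&lt;' and the SSI parser never sees the '<!--#' delimiter."""
    return html.escape(text, quote=True)


# Constructed sample submissions to the name field (not captured traffic)
SAMPLES = [
    "Stephanie",
    "<b>test</b>",
    '<!--#echo var="DATE_LOCAL" -->',
    '<!--#exec cmd="ls .." -->',
]


def scan_samples(samples=SAMPLES) -> dict:
    """Classify each sample; returned so callers can assert on the verdicts."""
    return {s: classify_input(s) for s in samples}


if __name__ == "__main__":
    for s, verdict in scan_samples().items():
        print(f"{verdict['risk']:6} {verdict['directives']} traversal={verdict['traversal']} {s!r}")
        print("       stored as:", sanitize_for_ssi_page(s))
```

Escaping keeps the page working for ordinary names; the stronger fix is to never write user input into a file the server processes for SSI at all.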
So, I don't totally understand why this would do something but "<b>test</b>" would return (something comments can't display involving character codes).
It seems like it's checking for exit characters. And isn't "<.!.-.-" (minus dots) just a comment tag? Why would a comment tag be parsed while raw HTML is not?