Sunday, 24 April 2011

Hack This Site (HTS) Basic 9

The password is again hidden in an unknown file. However, the script that was previously used to find it has some limitations. Requirements: Knowledge of SSI, unix directory structure.

"Network Security Sam is going down with the ship - he's determined to keep obscuring the password file, no matter how many times people manage to recover it. This time the file is saved in /var/www/hackthissite.org/html/missions/basic/9/.

In the last level, however, in my attempt to limit people to using server side includes to display the directory listing to level 8 only, I have mistakenly screwed up somewhere.. there is a way to get the obscured level 9 password. See if you can figure out how...

This level seems a lot trickier then it actually is, and it helps to have an understanding of how the script validates the user's input. The script finds the first occurance of '<--', and looks to see what follows directly after it."



This mission is almost identical to the previous and needs the same level of knowledge of SSI and directory traversal. You already know from the mission description that he has screwed up in allowing the viewing of files to only the level 8 directory and so you will need to go back to the level 8 mission to take advantage of the SSI injection vulnerability.

As a reminder I did a test input again to show you that your file gets saved into a temporary folder. In the last mission we executed the command "ls .." which took us from /missions/basic/8/tmp to /missions/basic/8 where the password file was kept. However, now we need to get to the 9th basic mission so not only do we need to jump back one more directory, we then need to jump into a new directory so the command becomes "ls ../../9". From here we have access to the new password file and mission 9 becomes completed :)

Hack This Site!

No comments:

Post a Comment