Description:
Sam remains confident that an obscured password file is still the best idea, but he screwed up with the calendar program in Basic 7. This time he has saved the unencrypted password file in /var/www/hackthissite.org/html/missions/basic/8/. Also, Sam’s young daughter Stephanie has just learned to program in PHP. She’s talented for her age, but she knows nothing about security. She recently learned about saving files, & she wrote a script to demonstrate her ability.
Requirements: SSI knowledge.
Hints:
- This challenge’s logic is similar to Basic 7, but instead of UNIX commands it uses SSI.
- When you play with Stephanie’s script, pay attention to which directory the page that displays your input is in, & remember which directory the description told you that the password file is in.
Difficulty: Easy.
Points: 40
Challenge Link: https://www.hackthissite.org/missions/basic/8
Forum Link: https://www.hackthissite.org/forums/viewforum.php?f=14&t=10754
Solution:
From the description and requirements, we can get the idea that the SSI (Server Side Includes) directives are being used to generate dynamic content at the server side.
Here we can control the name input that is placed inside the file that have the .shtml extension so SSI injection can be possible.
We can use payload like “<! — #exec cmd=“ls” →” to list the files but generated file are in “missions/basic/8/tmp/” directory but the password file that we are looking for is in “missions/basic/8/” directory so we have to go one step up. The payload:
<!--#exec cmd="ls ../" -->
Output:
Visiting the path of “au12ha39vc.php” file we get the password for this challenge.
Happy Hacking