Basic 9: Not difficult but tricky

The password is again hidden in an unknown file. However, the script that was previously used to find it has some limitations. Requirements: Knowledge of SSI, unix directory structure.

The intro for level 9 points us towards using SSI, UNIX commands and the UNIX directory structure. Here we get our first clue. Let's now move on to the description and see what it says.

Network Security Sam is going down with the ship – he’s determined to keep obscuring the password file, no matter how many times people manage to recover it. This time the file is saved in /var/www/hackthissite.org/html/missions/basic/9/.

The description first tells us where our password file is this time. That's good. Let's read a little more.

In the last level, however, in my attempt to limit people to using server side includes to display the directory listing to level 8 only, I have mistakenly screwed up somewhere.. there is a way to get the obscured level 9 password. See if you can figure out how…

Now that's a little shady, isn't it? Why would the developer be talking about the last level? Let's read a little more.

This level seems a lot trickier than it actually is, and it helps to have an understanding of how the script validates the user’s input. The script finds the first occurrence of ‘<--’, and looks to see what follows directly after it.

Here he tells us about the script: it finds the first occurrence of ‘<--’ and looks to see what follows directly after it. This is another hint that SSI commands need to be used. But where do we use these commands this time?

Well, if you are intelligent enough, by now you would have figured out that we can (and will) use the script made by Sam's daughter in level 8. But what will the command be? Again, we need to do some directory traversal using our last command, so that it lists the contents of ../9/.

Answer: Here is the command, <!-- #exec cmd="ls ../../9" -->

What did we learn?

Directory traversal can be used to reach as many directories as you can think of, and it is a big threat to security, so next time you design something, keep that in mind.
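
A defensive check for the flaw this level relies on, as an added example that is not part of the original post or of HackThisSite's code: it audits every SSI directive in the input rather than only the first, resolves the path argument, and flags anything that leaves the level 8 directory. SCRIPT_DIR, ALLOWED_ROOT and all function names are assumptions; the working directory is inferred from the ../../9 in the answer.

```python
import html
import posixpath
import re

# Assumed layout (constructed): the level 8 script runs two directories
# below basic/, which is what the "../../9" in the answer implies.
SCRIPT_DIR = "/var/www/hackthissite.org/html/missions/basic/8/tmp"
ALLOWED_ROOT = "/var/www/hackthissite.org/html/missions/basic/8"

# Matches every SSI directive in the input, with or without a space before '#'.
SSI_DIRECTIVE = re.compile(r"<!--\s*#\s*(\w+)\s+(.*?)\s*-->", re.S)
CMD_ATTR = re.compile(r'cmd\s*=\s*"([^"]*)"')


def resolve(path_arg, cwd=SCRIPT_DIR):
    """Return the absolute, normalised path that path_arg points to from cwd."""
    return posixpath.normpath(posixpath.join(cwd, path_arg))


def stays_inside(path_arg, root=ALLOWED_ROOT, cwd=SCRIPT_DIR):
    """True only if the resolved path is root itself or lies beneath it."""
    target = resolve(path_arg, cwd)
    return target == root or target.startswith(root + "/")


def audit(user_input):
    """List (element, path, allowed) for every exec directive, not only the first."""
    findings = []
    for element, attrs in SSI_DIRECTIVE.findall(user_input):
        match = CMD_ATTR.search(attrs)
        if element.lower() == "exec" and match:
            # Skip the command name and any option flags to find the path.
            args = [p for p in match.group(1).split()[1:] if not p.startswith("-")]
            path = args[0] if args else "."
            findings.append((element, resolve(path), stays_inside(path)))
    return findings


def neutralize(user_input):
    """Escape markup so the stored page can never contain a live '<!--#'."""
    return html.escape(user_input)


if __name__ == "__main__":
    # The second sample is the answer from this post; the first is constructed.
    for sample in ('<!-- #exec cmd="ls .." -->', '<!-- #exec cmd="ls ../../9" -->'):
        print(sample, audit(sample), neutralize(sample))
```

Escaping the input before it is written to the .shtml file is the stronger fix, because no directive survives to be filtered at all; the path check shows why a filter that trusts the command string is not enough.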

Good luck!!!

Abhishek Gupta

I am Abhishek from Lucknow (India). I have been working as a software engineer for the last 6+ years, and it's my passion to learn new things and implement them as a practice.

6 Replies to “Basic 9: Not difficult but tricky”

  1. Noob Q Here: It says "it finds the first occurrence of ‘<--’"
    But the answer uses the "<!--". And when I read about UNIX commands and SSI, it said that the most important thing is to be precise with the commands, so this threw me a bit. I just want to know how you KNEW to try that.
    any advice would be greatly appreciated
    thanks

    1. Read para 2 again, carefully. “… in my attempt to limit people to using server side includes to display the directory listing to level 8 only, I have mistakenly screwed up somewhere.. there is a way to get the obscured level 9 password… ”
      The whole purpose of next para is to confuse the reader.

  2. I found this site (it was the first result) by searching Google for “ variations”. I was surprised and disappointed to see you giving the answer away. Shame on you! :p
