The password is again hidden in an unknown file. However, the script that was previously used to find it has some limitations. Requirements: Knowledge of SSI, unix directory structure.
The intro for level9 points us towards using SSI and UNIX commands and its directory structure. Well, here we get our first clue. Lets now move on to the description, and see what it says.
Network Security Sam is going down with the ship – he’s determined to keep obscuring the password file, no matter how many times people manage to recover it. This time the file is saved in /var/www/hackthissite.org/html/missions/basic/9/.
The description firstly tells us where our password file is this time. That’s good. Lets read a little more.
In the last level, however, in my attempt to limit people to using server side includes to display the directory listing to level 8 only, I have mistakenly screwed up somewhere.. there is a way to get the obscured level 9 password. See if you can figure out how…
Now that’s a little shady. Isn’t it? Why would the developer be talking about last level? Lets read a little more.
This level seems a lot trickier then it actually is, and it helps to have an understanding of how the script validates the user’s input. The script finds the first occurance of ‘<–’, and looks to see what follows directly after it.
Here, he tells us about the script, it finds the first occurance of ‘<–‘, and looks to see what follows directly after it. Another hint that SSI commands need to be used. But where do we use these commands this time?
Well, if you intelligent enough by now you would have figured out that we can(will) use the script made my Sam’s daughter in level8. But what will be the command? Well, again we need to do some directory transverse using out last command, so that it lists the contents of ../9/.
Answer: Here is the command, <!-- #exec cmd="ls ../../9" -->
What did we learn?
Directory transversal can be used to invade as many directory as you can think of. And is a big threat to security, so next time you design something, keep that in mind.
Latest posts by Abhishek Gupta (see all)
- Laravel Custom Exception Handlers - March 28, 2019
- Customizing Laravel validation JSON message format - March 20, 2019
- Time killer and addictive Google Games - March 19, 2019