The password is again hidden in an unknown file. However, the script that was previously used to find it has some limitations. Requirements: Knowledge of SSI, unix directory structure.
The intro for level9 points us towards using SSI and UNIX commands and its directory structure. Well, here we get our first clue. Let us now move on to the description, and see what it says.
Network Security Sam is going down with the ship – he’s determined to keep obscuring the password file, no matter how many times people manage to recover it. This time the file is saved in /var/www/hackthissite.org/html/missions/basic/9/.
The description firstly tells us where our password file is this time. That’s good. Lets read a little more.
In the last level, however, in my attempt to limit people to using server side includes to display the directory listing to level 8 only, I have mistakenly screwed up somewhere.. there is a way to get the obscured level 9 password. See if you can figure out how…
Now that’s a little shady. Isn’t it? Why would the developer be talking about last level? Let’s read a little more.
This level seems a lot trickier then it actually is, and it helps to have an understanding of how the script validates the user’s input. The script finds the first occurance of ‘<–’, and looks to see what follows directly after it.
Here, he tells us about the script, it finds the first occurrence of ‘<–‘, and looks to see what follows directly after it. Another hint that SSI commands need to be used. But where do we use these commands this time?
Well, if you intelligent enough by now you would have figured out that we can(will) use the script made my Sam’s daughter in level8. But what will be the command? Well, again we need to do some directory transverse using out last command, so that it lists the contents of ../9/.
Answer: Here is the command, <!-- #exec cmd="ls ../../9" -->
What did we learn?
Directory transversal can be used to invade as many directory as you can think of. And is a big threat to security, so next time you design something, keep that in mind.
Good luck!!!
- PHP syntactic sugar code example - September 5, 2021
- Python convert random string date format to Datetime - July 12, 2021
- Laravel Custom Exception Handlers - March 28, 2019
Your SSI command may have an error in it as it did not work for me.
Instead, I was able to use a slight variation
The two hyphens got converted into a dash automatically. Fixed anyways.
Noob Q Here: It says ” it finds the first occurance of ‘<–"
But the answer uses the "<!–" And when i read about unix command and ssi it said that the most immportant thing is to be precise with the commands – so this threw me a bit -i just want to know how you KNEW to try that
any advice would be greatly appreciated
thanks
Read para 2 again, carefully. “… in my attempt to limit people to using server side includes to display the directory listing to level 8 only, I have mistakenly screwed up somewhere.. there is a way to get the obscured level 9 password… ”
The whole purpose of next para is to confuse the reader.
Ok i think ive finally got it (after much reading!) and your much appreciated help – thanks for replying
I found this site (it was the first result) by searching google for “ variations”. I was surprised and dissapointedto see you giving the answer away. Shame on you! :p