Goodnight Byte: HackThisSite Walkthrough, Part 7 - Legal Hacker
Last Friday's mission was to solve HackThisSite basic mission 8, which meant learning some more basic Unix commands.
These missions are for everyone here, and you can join at any time. Your experience level doesn't matter. HackThisSite is a free, legal and safe practice ground for aspiring hackers wanting to test their knowledge on something real. We have full permission to exploit their servers, and we even get point rewards for it. This week's mission on HackThisSite was to exploit the program on the page that creates a sentence echoing the user's name and its length. If we enter "Alex", we get:
"Your name contains 4 characters."
"Sam remains confident that an obscured password file is still the best idea, but he screwed up with the calendar program. Sam has saved the unencrypted password file in /var/www/hackthissite.org/html/missions/basic/8/
However, Sam's young daughter Stephanie has just learned to program in PHP. She's talented for her age, but she knows nothing about security. She recently learned about saving files, and she wrote a script to demonstrate her ability."
When we test the script, it returns our name along with its length in characters. In order to exploit this script, we need to trick it into treating a command we type as part of the HTML page, so that the server executes it.
To do this, we wrap our command in an HTML comment, which is the syntax of a Server-Side Include (SSI) directive.
<!--#exec cmd="ls .." -->
This tells the server to execute the command ls in a terminal, replacing the returned name with a listing of the parent directory.
Now that we have a bunch of files listed in place of our name, let's explore the most obvious option and view the obscurely named PHP file in this directory by replacing the end of the URL with this. This will reveal our password! Enter it in the field and the mission should credit your HTS account with the points.
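A defender-side check for the directive shown above, as an added example that is not part of the original walkthrough or HackThisSite's code: it flags Server-Side Include directives in submitted form values (raw or URL-encoded) and HTML-encodes the value before it would be written into a server-parsed page. The function names and sample values are constructed for illustration.

```python
import html
import re
from urllib.parse import unquote_plus

# SSI directives use HTML comment syntax: <!--#element attr="value" -->
# The pattern is lenient about whitespace and also matches a directive
# that was cut off before its closing "-->".
SSI_DIRECTIVE = re.compile(r"<!--\s*#\s*(\w+)(.*?)(?:-->|$)", re.DOTALL)
ATTRIBUTE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)')""")

# exec runs a command or CGI program; include pulls in another document.
HIGH_RISK = {"exec", "include"}


def find_ssi_directives(raw_value):
    """Return (element, attributes, high_risk) for each SSI directive found."""
    decoded = unquote_plus(raw_value)  # form values arrive URL-encoded in logs
    found = []
    for match in SSI_DIRECTIVE.finditer(decoded):
        element = match.group(1).lower()
        attrs = {name.lower(): (dq or sq)
                 for name, dq, sq in ATTRIBUTE.findall(match.group(2))}
        found.append((element, attrs, element in HIGH_RISK))
    return found


def neutralize(raw_value):
    """Encode a value so it is displayed as text, never parsed as markup or SSI."""
    return html.escape(raw_value, quote=True)


# Constructed sample form values: a normal name, the directive from this
# walkthrough, the same directive URL-encoded, and a low-risk echo directive.
SAMPLES = [
    "Alex",
    '<!--#exec cmd="ls .." -->',
    "%3C%21--%23exec+cmd%3D%22ls+..%22+--%3E",
    '<!--#echo var="DATE_LOCAL" -->',
]

if __name__ == "__main__":
    for value in SAMPLES:
        hits = find_ssi_directives(value)
        verdict = "ALERT" if any(h[2] for h in hits) else ("review" if hits else "ok")
        print(f"{verdict:6} {value!r} -> stored as {neutralize(unquote_plus(value))!r}")
```

On Apache, serving user-written files with `Options IncludesNOEXEC` instead of `Options Includes` also disables the `exec` element, so an encoding mistake does not become command execution.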