
HTS Realistic Mission 12 Solution

Hack This Site Solutions  /  February 24, 2001  /  By Amit Ghosh

Perl Script Injection

Collecting Information

Global structure

The first step is to gather as much information as we can about this portal. We immediately notice that it is built on a frameset with:

  • internet.pl: controller
  • page.pl?page=<something>: page that is called from the controller

Read files

In addition, by clicking on student work > Joey Simons > Sign my guestbook, we see a form. Here is its source code:

<html><head><title></title></head>
<body bgcolor="#ffffff" text="#000000">
<form action="../cgi-bin/guest.pl">
<input type="hidden" name="action" value="write">
Message:
<input type="text" name="text" size=50>
<input type="submit" value="submit">
</form>
</body></html>

We notice that:

  • the form action is “../cgi-bin/guest.pl”, a Perl script inside cgi-bin/
  • there is a hidden field named action, whose value is “write”. We suppose that a “read” value also exists, to read files.

Access hard drive

The main controller (internet.pl) is not protected: it is possible to request the hard drive content by injecting “file://” instead of “http://”. Doing so, we discover a new form, named “heartlandadminpanel.html”, in C:\WEB\HTML.

Here is what it looks like (http://www.hackthissite.org/missions/realistic/12/heartlandadminpanel.html).

By viewing the source code of this page, we notice that the form action is

cgi-bin/heartlandadminpanel.pl

Our first mission is to find valid credentials to access the protected content.

Step 1: Find valid credentials

Using our *fake* file editor, we are going to view the content of the cgi-bin/heartlandadminpanel.pl file. To do so, we enter this address in our URL bar:

http://www.hackthissite.org/missions/realistic/12/cgi-bin/guest.pl?action=read&file=heartlandadminpanel.pl

  • action=read is our supposition: since there is a “write” action, “read” is likely to work
  • file=heartlandadminpanel.pl: we suppose that there is a “file” parameter. Since the guest.pl script is itself hosted in the cgi-bin/ directory, we can request the heartlandadminpanel.pl file directly

Here is what it produces:

The source code of the page gives us the information we are looking for.

Step 2: Delete list

Access this page:

http://www.hackthissite.org/missions/realistic/12/heartlandadminpanel.html

And log in with:

  • username: jbardus
  • password: heartlandnetworkadministrator

Click on the “clear all” button and you’re done!
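Seen from the defender's side, the mission works because the controller accepts a “file://” URL and guest.pl reads whatever its “file” parameter names. The following is an added example, not code from the mission or the original post (the mission's scripts are Perl and their source is not shown here): a Python sketch of the two missing server-side checks. The directory, the allowlisted file name and all function names are assumptions.

```python
import os
from urllib.parse import urlsplit

# Assumed values for this sketch; none of them come from the mission.
ALLOWED_SCHEMES = {"http", "https"}      # the controller only needs web URLs
GUESTBOOK_DIR = "/srv/guestbook/data"    # hypothetical data directory outside cgi-bin/
GUESTBOOK_FILES = {"joey.txt"}           # hypothetical allowlist of readable files


def controller_url_allowed(url):
    """Return True only for http(s) URLs with a host; file:// is refused."""
    parts = urlsplit(url.strip())
    return parts.scheme in ALLOWED_SCHEMES and bool(parts.hostname)


def resolve_guestbook_file(name, base_dir=GUESTBOOK_DIR, allowed=GUESTBOOK_FILES):
    """Map the user-supplied "file" parameter to a path or raise ValueError."""
    if name not in allowed:
        raise ValueError("file is not on the allowlist")
    base = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(base, name))
    # Defence in depth: an allowlisted name must still resolve inside base_dir.
    if os.path.commonpath([base, path]) != base:
        raise ValueError("path escapes the guestbook directory")
    return path


def is_readable(name, **kwargs):
    """Boolean wrapper around resolve_guestbook_file for callers and tests."""
    try:
        resolve_guestbook_file(name, **kwargs)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs modelled on the requests in the walkthrough.
    for url in ("http://www.example.org/index.html", "file:///C:/WEB/HTML/"):
        print(url, "->", controller_url_allowed(url))
    for name in ("joey.txt", "heartlandadminpanel.pl", "../cgi-bin/guest.pl"):
        print(name, "->", is_readable(name))
```

With these checks the “file://” request and the read of heartlandadminpanel.pl are both refused; keeping credentials out of script source would remove what that read exposed in the first place.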
