Tue, Jan 05, 21
Welcome back to my walkthrough of hackthissite.org’s CTF missions. I will be going through my thought process of how I solved these missions, and therefore also giving away the solutions. If you came across this to give you hints, watch out for spoilers! Good luck, have fun.
Similarly to the previous challenges we must discover a password to continue to the following challenge. Our hint is that Sam has saved the unencrypted password in some obscured file in the current directory (/missions/basic/7/). Sam has also has setup a script that returns the UNIX cal command on this webpage.
The hint tells me that Sam takes as input of the year and passes it to the unix cal command. We should see if Sam has sanitized his input. This can be quickly tested by doing something like: ; ls. What this would do is, lets say Sam opens a command prompt with his script and runs: cal ‘input’, then I can hijack this call by adding on further commands afterwards. I have hijacked it with the list command to show what is within the workign directory. We then scroll down to the redirected html page that shows our result and see that we have successfully listed the contents of the working directory!
The files that are listed is the current webpage (index.php), level7.php (probably checks the password), cal.pl (pearl file that handles the cal UNIX command script), and finally our desired password filename! Since I now have the filename of the password, I can simply copy paste said filename and go to it through the browser. Success! We have opened the password file and can simple copy the password from here and paste it into the password form. Voila! I have completed this challenge.