Tue, Jan 05, 21
Welcome back to my walkthrough of hackthissite.org’s CTF missions. I will be going through my thought process of how I solved these missions, and therefore also giving away the solutions. If you came across this to give you hints, watch out for spoilers! Good luck, have fun.
Similarly to the previous challenges we must discover a password to continue to the following challenge. Our hint is that Sam has saved the unencrypted password in some obscured file in the current directory (/missions/basic/8/). Sam’s daughter, Stephanie, has also added a script that seems to save some file locally on their server thats dependent on a form that asks for my name.
Firstly, I will just test out this save file feature that Stephanie has added to this webpage. Using a name like Stephanie (hoping for some kind of easter egg) I see that I am redirected to a webpage that says click here to view the file (typically, I would not recommend clicking on anything on a webpage that looks like this but for education? why not). Clicking on the link takes us to a webpage (an .shtml) file that seems to have inserted our name that we previously entered into the webpage. Magic!
Now, I’m not very familiar with .shtml files so a quick google search is in order. Looks like .shtml files are server side include files, which can be used to build dynamic webpages - similarly to how Jekyll works. Interestingly, I see that one of the commands that you can use is the <!--#exec --> command that can execute a program, script or shell command. Since we need to find the password file in this directory, maybe I can execute a shell and use ls to list the working directory contents. To do so, I will use the following name to ensure that the server side includes will execute my command: <!--#exec cmd="ls" -->. This in turn, lists a bunch of weirdly named file names. I seem to have not noticed that this file is create in the directory /missions/basic/8/tmp/ which is not the directory that we need. So, I will make sure to list the directory that is needed by altering my hijacked name with <!--#exec cmd="ls .." -->. Here we see the contents of the /missions/basic/8/ folder and can see an obscurely named php file, probably the password! I will access it directly through the browser to see what it is. Upon doing so, we now have the password! Onto the next mission.