Hack This Site - Basic 9

Wed, Jan 06, 21

Welcome back to my walkthrough of hackthissite.org's CTF missions. I will be going through my thought process of how I solved these missions, and therefore also giving away the solutions. If you came here looking for hints, watch out for spoilers! Good luck, have fun.

Similarly to the previous challenges, we must discover a password to continue to the next challenge. Our hint is that Sam has saved the unencrypted password in an obscured file in the current directory (/missions/basic/9/). It also says that there is a way to get the obscured level 9 password through the previous mission. Lastly, it says that the script (which the creators of the website implemented to stop users from seeing their entire file structure) finds the first occurrence of <!-- and checks what follows directly after it.

The hint instantly tells me that the creators of this site have a regex that limits which server side include tags are allowed, along with which commands are allowed. Going back to the mission 8 page, we will begin to test which commands are allowed and which are not. A test with <!--#exec cmd="ls ../.." --> shows that it is blocked, as expected. But what if I do something like the following: <!--#exec cmd="ls" --> <!--#exec cmd="ls ../../9/"-->? Sadly, this is also blocked, which suggests that the creator may only allow one server side include, the first one it detects. I will do the same type of test but with the input <!--#exec cmd="ls" --> <!--#exec cmd="ls" --> to see if this hypothesis is correct. And it was! Whilst this command was allowed when it was only a single server side include, the second one blocks it from creating a document. This means that my current approach to solving this challenge will not work; I must find a single command that solves it.

I will test the following to see if I am allowed to chain commands: <!--#exec cmd="ls;ls" -->. This is also blocked, meaning no command chaining is allowed. Perhaps I am overcomplicating this challenge. The first thing I should have tested was <!--#exec cmd="ls ../../9" -->, so that is my next test. This works! I can now see the name of the password file for this challenge. Directly accessing that file through the browser and copy-pasting the password into the password form brought me to the next challenge.
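As an added example (not code from this post or from hackthissite.org), here is a small Python inspector of the kind a defender would run over submitted form values or request logs: it finds SSI directives, flags the patterns tested above (a second directive, chained commands, path traversal), and shows the actual fix, which is HTML-escaping the value so the SSI parser never sees `<!--` at all. The sample inputs are the ones from this post; the function and class names are my own.

```python
import html
import re
from dataclasses import dataclass
from typing import List

# Apache-style SSI directive, e.g. <!--#exec cmd="ls" --> or <!--#include virtual="..." -->
SSI_DIRECTIVE = re.compile(r'<!--#\s*(\w+)\b(.*?)-->', re.DOTALL)
CMD_ATTR = re.compile(r'cmd\s*=\s*"([^"]*)"')
SHELL_CHAIN = re.compile(r'[;&|`$]')  # metacharacters that join or substitute commands


@dataclass
class SsiFinding:
    directives: List[str]  # directive names in order of appearance, e.g. ["exec", "exec"]
    multiple: bool         # more than one directive in a single value
    chained: bool          # a cmd= value joins commands with shell metacharacters
    traversal: bool        # a cmd= value walks up the directory tree with ../


def inspect_ssi(value: str) -> SsiFinding:
    """Classify one user-supplied value by the SSI patterns it contains."""
    found = SSI_DIRECTIVE.findall(value)
    commands = [m.group(1) for _, attrs in found for m in CMD_ATTR.finditer(attrs)]
    return SsiFinding(
        directives=[name for name, _ in found],
        multiple=len(found) > 1,
        chained=any(SHELL_CHAIN.search(c) for c in commands),
        traversal=any("../" in c for c in commands),
    )


def neutralize(value: str) -> str:
    """Escape a value before rendering it into an SSI-enabled page: '<' becomes '&lt;',
    so the server can no longer recognise '<!--#' as a directive. This is the real
    mitigation, rather than an allowlist of 'safe' commands like the one probed above."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    # Constructed samples: the inputs tried in the walkthrough above.
    samples = [
        '<!--#exec cmd="ls" -->',
        '<!--#exec cmd="ls ../.." -->',
        '<!--#exec cmd="ls" --> <!--#exec cmd="ls" -->',
        '<!--#exec cmd="ls;ls" -->',
    ]
    for s in samples:
        f = inspect_ssi(s)
        print(f"{s!r}: multiple={f.multiple} chained={f.chained} traversal={f.traversal}")
        assert SSI_DIRECTIVE.search(neutralize(s)) is None  # escaped output carries no directive
```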