Hack This Site: Basic Web Challenges – Level 7

Today we’re looking at Hack This Site Basic Web Challenge 7. This challenge requires performing a command injection to complete it. If you haven’t seen my previous posts in this series, you can find them here: Part 1, Part 2, Part 3, Part 4, Part 5, and Part 6. Command injection is a type of attack in which an attacker gets the application to execute arbitrary commands on the host operating system, typically by smuggling shell syntax into input that the application concatenates into a command.

[Image: Hack This Site Basic Web 7 banner]

Let’s begin, after navigating to Basic 7 you will be greeted with the following text.

“This time Network Security Sam has saved the unencrypted level7 password in an obscurely named file saved in this very directory. In other unrelated news, Sam has set up a script that returns the output from the UNIX cal command. Here is the script. Enter the year you wish to view and hit ‘view’.”

Security Sam – HackThisSite.org

What we can infer from this is that the script is running the UNIX cal command directly on the host system. Once the user submits a value, that value is most likely interpolated into the command line as a variable before the command is executed.

[Screenshot: Web Application Calendar System]

Testing Web Application Functionality

While we can’t confirm the exact syntax of the script, we can test its functionality to see what it does. I submitted the value 1 in the submission box to see how the script behaves. After clicking the view button, we are presented with a page showing all the months of year 1. From this, I can assume that the Perl script (identified by the .pl extension in the URL) is running the command cal -y $year, where $year holds the user input from the web form and is passed straight through to the host operating system.

[Screenshot: Calendar Results for year 1]

Exploiting Web Application Functionality

It is essential that all user input submitted to a web application is treated as untrusted. What this means is that the web application should validate and sanitize the user input before passing it to the operating system. Otherwise, this could have a detrimental impact on the server. For example, if I was to escape the cal command using a semi-colon and inject the following characters “:(){ :|:& };:” the web-server is going to have a bad time (it’s a fork bomb). However, you should never do that, not even to test. Instead, we’re going to use the “ls” command, which will list the contents of the current directory.
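To make the fix concrete, here is an added illustration (not the challenge’s own cal.pl, whose source is never shown) of the inferred cal -y $year handler in its injectable form next to a hardened version; the helper names and the digit-only year check are my assumptions:

```perl
#!/usr/bin/perl
# Added illustration, not the HackThisSite script: a minimal CGI-style handler
# built around the inferred "cal -y $year" command, first injectable, then hardened.
use strict;
use warnings;

# VULNERABLE (assumed shape of the challenge script): the single-string form of
# system() hands the command to /bin/sh -c whenever it contains shell
# metacharacters, so a year of "1; ls" runs cal and then ls.
sub show_calendar_unsafe {
    my ($year) = @_;
    return system("cal -y $year");
}

# Validation: a year is one to four digits and nothing else. \A and \z are used
# instead of ^ and $ so a trailing newline ("1\n; ls") cannot slip past the check.
sub valid_year {
    my ($year) = @_;
    return defined $year && $year =~ /\A\d{1,4}\z/;
}

# HARDENED: reject anything that is not a plain year, then use the list form of
# system(), which execs cal directly with a fixed argv and never starts a shell,
# so metacharacters in $year would not be interpreted even if they were present.
sub show_calendar_safe {
    my ($year) = @_;
    die "invalid year\n" unless valid_year($year);
    return system('cal', '-y', $year);
}

# Self-check on constructed inputs: untrusted values only reach valid_year(),
# never a shell. Expect the first two to be accepted and the rest rejected.
my @samples = ('1', '2024', '1; ls', '1`id`', "1\n; ls", '', 'abcd');
for my $input (@samples) {
    my $shown = $input =~ s/\n/\\n/gr;
    printf "%-10s => %s\n", "'$shown'", valid_year($input) ? 'accepted' : 'rejected';
}
show_calendar_safe('2024');
```

The list form of system() is the important part: validation alone can be bypassed if the pattern is later loosened, while the list form removes the shell from the picture entirely.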

[Screenshot: Calendar Command Injection]

Stealing the Password

The screenshot below shows the result of escaping the cal command with a semi-colon and running the “ls” command. As you can see, it has listed a number of files including index.php, level7.php, cal.pl, and k1kh31b1n55h.php. We already know what the other files do but what is the k1kh31b1n55h.php file for?

[Screenshot: Calendar Command Injection Results]

If you copy the filename and append it to the URL in your browser, you will be taken to a page containing a string. You guessed it, the string is the password required to complete this challenge.

[Screenshot: Password Retrieved]
Congratulations you have completed basic 7