Welcome to HaXez, today we’re looking at Hack This Site Basic Web Challenge Level 9. This challenge is similar to level 8 and you have to use the level 8 application in order to complete it. It requires thinking outside the box and using level 8 as the platform to launch the attack. If you haven’t see my previous posts in this series then you can do so here: Part 1, Part 2, Part 3, Part 4, Part 5, Part 6, Part 7, and Part 8
Testing The Web Application
After logging in and navigating to level 9 you will be greeted with the following page. It looks like Sam has been up to his old tricks. Instead of implementing a strong password system, Sam has decided to continue obscuring the file. The only form on this box is the password form which isn’t injectable.
Exploiting The Web Application
As there is no form to inject on level 9, we should head back to level 8 and inject that form. We use the same injection that we did last time but we modify it to list out the contents of the 9 directory. The script below performs the same Server Side Include Injection but this time it traverses up two directories in to the 9 directory.
<!--#exec cmd="ls ../../9"-->
Retrieving The Password
As with level 8, executing this payload will tell the php script to execute the command and write the output to the shtml file. When clicking view on the following page you will see the listed files including the PHP file containing the password.
Grab the file name and append it to the level 9 url. This should then show you the password which you can copy and paste it in to the level 9 password submission system to complete the challenge.