Hello world, welcome to haxez where today we’re looking at Hack This Site Basic Web Challenge 7. This challenge requires performing command injection to complete it. If you haven’t seen my previous posts in this series then you can do so here: Part 1, Part 2, Part 3, Part 4, Part 5, and Part 6. Command injection is a class of vulnerability that lets a malicious threat actor execute arbitrary commands on the host system, because user-supplied input ends up inside a command line that the application hands to a shell.
Let’s begin. After navigating to Basic 7 you will be greeted with the following text.
“This time Network Security sam has saved the unencrypted level7 password in an obscurely named file saved in this very directory. In other unrelated news, Sam has set up a script that returns the output from the UNIX cal command. Here is the script. Enter the year you wish to view and hit ‘view’.”
Security Sam — HackThisSite.org
What we can infer from this is that the script is running the UNIX cal command directly on the host system. Once the user inputs a value, that value is likely being inserted into the command line as a variable.
Testing Basic 7 Web Application Functionality
While we can’t confirm the exact syntax of the script, we can test the functionality to see what it’s doing. I submitted the value 1 to the submission box to see how the script behaves. After clicking the view button, we are presented with a page showing all the months for the year 1. From this, I can assume that the Perl script (identified by the .pl extension in the URL) is running the command cal -y $year. The $year variable holds the user input from the web form, and that value is passed straight into the command that runs on the host operating system.
Exploiting Web Application Functionality
It is essential that all user input submitted to a web application is treated as untrusted. What this means is that the web application should validate and sanitise the user input before it ever reaches a shell command. Otherwise, this could have a detrimental impact on the server. For example, if I was to escape the cal command using a semi-colon and inject the following characters “:(){ :|:& };:” the web-server is going to have a bad time (it’s a fork bomb). However, you should never do that, not even to test. Instead we’re going to use the “ls” command, which lists the contents of the current directory.
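The injectable pattern inferred above, placed beside the hardened form of the same handler, as an added example: this is hypothetical code written in the style of the challenge’s cal.pl, not the real script, and the parameter name year, the query-string parsing and the 1–4 digit year whitelist are assumptions.

```perl
#!/usr/bin/perl -T
# Added example, not the challenge's real cal.pl: a hypothetical CGI handler
# showing the injectable pattern next to a hardened version of the same thing.
use strict;
use warnings;

# Taint mode (-T) refuses to start a subprocess with a tainted PATH or
# shell-influencing variables, so pin PATH and drop the rest.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Pull the "year" parameter (assumed name) out of the query string.
my ($year) = (($ENV{QUERY_STRING} // '') =~ /(?:^|&)year=([^&]*)/);
$year //= '';
$year =~ s/\+/ /g;
$year =~ s/%([0-9A-Fa-f]{2})/chr hex $1/ge;   # undo URL encoding

# Injectable pattern: the raw value is interpolated into a command string,
# so an input such as "1; ls" makes /bin/sh run cal and then a second command.
sub run_cal_unsafe {
    my ($y) = @_;
    return `cal -y $y`;
}

# Hardened pattern: allow only a 1-4 digit year, then run cal without a
# shell so metacharacters in the input are never interpreted at all.
sub run_cal_safe {
    my ($y) = @_;
    return undef unless $y =~ /\A([1-9][0-9]{0,3})\z/;
    my $clean = $1;                      # the capture also untaints under -T
    # List-form pipe open: argv is passed to cal directly, /bin/sh is never involved.
    open(my $fh, '-|', 'cal', '-y', $clean) or return undef;
    local $/;                            # slurp the whole calendar
    my $out = <$fh>;
    close $fh;
    return $out;
}

print "Content-Type: text/plain\r\n\r\n";
my $out = run_cal_safe($year);
print defined $out ? $out : "Invalid year\n";
```

Under taint mode the unsafe function dies with “Insecure dependency” as soon as it is handed the tainted parameter, which is a useful safety net but no substitute for the whitelist and the shell-free invocation shown in run_cal_safe.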
Stealing the Password
The screenshot below shows the result of escaping the cal command with a semi-colon and running the “ls” command. As you can see, it has listed a number of files including index.php, level7.php, cal.pl and k1kh31b1n55h.php. We already know what the other files do, but what is the k1kh31b1n55h.php file for?
If you copy the filename and append it to the URL in your browser, you will be taken to a page containing a string. You guessed it, the string is the password required to complete this challenge.