Hack This Site Guides

These are the walkthroughs and guides for HackThisSite.org. I've tried to avoid spoilers as much as I could, but by no means read this before you've tried for yourself.


HTS Realistic 5: Find the Hidden Hash

Damn Telemarketers!: Telemarketers are invading people’s privacy and peace and quiet. Get the password for the administrative section of the site to delete their database and return the privacy of their victims!

Realistic mission 5 of Hack This Site is quite fun, since it involves several vulnerabilities. You are supposed to clear a spammer’s database.

From: spiffomatic64

Message: Yo! This is Spiffomatic64 from Hackthissite.org! I’m a bit of a hacker myself as you can see, but I recently came upon a problem I couldn’t resolve…..
Lately I’ve been getting calls day and night from the telemarketing place. I’ve gone to their website and hacked it once deleting all of their phone numbers so they wouldn’t call me anymore. That was a temporary fix but they put their database back up, this time with an encrypted password. When I hacked them I noticed everything they used was 10 years out of date and the new password seems to be a ‘message digest’. I have done some research and I think it could be something like a so-called hash value. I think you could somehow reverse engineer it or brute force it. I also think it would be a good idea to look around the server for anything that may help you.

Don’t just skim that through; read everything that Spiffomatic has to say. It’s quite helpful. Now, for their site. As you’ve probably seen, it consists of four visible sections: Home, News, Database and Contact.

The Home page contains nothing but an image and a few email addresses, and the Contact page is equally useless. Don’t forget to check the source anyway, though, just to be sure. The Database page has nothing but a password input field. Inputting anything just gives you an “invalid password” message. Since entering “\”, “'” and “"” characters still gives you the same message, we can assume that this field is not vulnerable to SQL injections.

We can’t find any vulnerability from the News page, either. However, the news items contain valuable information. We find that the administrator’s girlfriend’s name is Haley, which invites us to try that name as a password. Unfortunately, it didn’t work. We are also told something about “zapp”; I have no idea what that is. Next, we are told that they had some problems with Google:

Google was grabbing links it shouldn’t be so I have taken extra precautions.

Now, how do you take extra precautions when search engines are grabbing links that they shouldn’t? Well, you edit robots.txt to disallow it. Let’s take a look at the robots.txt of Compu-Global-Hyper-Mega-Net: http://www.hackthissite.org/missions/realistic/5/robots.txt.

Disallow: /lib/
Disallow: /secret/

Nice to know. Check those folders out, and you will find that directory listing is not disabled. Begin with secret/, since it seems most interesting. There are two files: admin.php and admin.bak.php. The former is the script that validates passwords, and the latter seems to be a backup of it. However, when we access the backup, we get:

error matching hash 3184342944a094dd5dbe6fccaeb8dc96

Note that the specific hash might be different for you. As Spiffomatic64 said, this is a message digest (MD). Probably, it’s the message digest of the password that you are going to enter. But how are we supposed to know the algorithm of the hashing function? Remember the other directory disallowed from robots.txt? Let’s check lib/.

There is only one file here: “hash”. The hashing algorithm, perhaps? Download the file and open it in your favourite text editor. Uh-oh. A lot of bogus characters, followed by:

Error: MDupdate MD already done.
Error: MDupdate called with illegal count value %d.
3.4.4 [FreeBSD] 20050518
MIC

In most cases when you encounter such a file, using a hex editor lets you read parts of it. There are many, for example XVI32 for Windows and hexedit for Linux. Now, look for something that you recognize. You will probably find this part in the file:

do_global_ctors_aux
/usr/src/lib/csu/i386-elf/crtn.S
md4.c
MDblock
md4driver.c

Which reveals that the hashing algorithm used is MD4. Use any MD4 collision finder to crack the hash. I’ve written a simple MD4 collision finder in Perl, which you can use. If you don’t happen to like Perl, there are a lot of free tools available out there, including online reverse-lookup databases.

Going back to the “Database” page and entering the password completes the challenge.
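The hex-editor step above can be automated. The following is an added example, not code from the original post: it pulls printable strings out of a binary and flags the ones that name a digest implementation. The marker list and the sample bytes are assumptions constructed from the strings quoted in this walkthrough.

```python
import re

# Substrings that point at a digest implementation (assumed marker list).
MARKERS = {"md4": "MD4", "md5": "MD5", "sha1": "SHA-1", "sha256": "SHA-256"}


def printable_strings(blob, min_len=4):
    """Return runs of printable ASCII, like the Unix `strings` tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def identify_digests(blob):
    """Map each recognised algorithm to the strings that revealed it."""
    hits = {}
    for s in printable_strings(blob):
        for marker, name in MARKERS.items():
            if marker in s.lower():
                hits.setdefault(name, []).append(s)
    return hits


# Constructed sample: filler bytes around the strings quoted in the walkthrough.
SAMPLE = (
    b"\x7fELF\x01\x01\x01\x09\x00\x00\x00"
    b"Error: MDupdate MD already done.\n\x00"
    b"Error: MDupdate called with illegal count value %d.\n\x00"
    b"3.4.4 [FreeBSD] 20050518\x00MIC\x00\x90\x90\xff"
    b"do_global_ctors_aux\x00/usr/src/lib/csu/i386-elf/crtn.S\x00"
    b"md4.c\x00MDblock\x00md4driver.c\x00\x00\x01"
)

if __name__ == "__main__":
    for name, evidence in identify_digests(SAMPLE).items():
        print(name, "<-", ", ".join(evidence))
```

For whoever runs the server, the same scan shows what a world-readable binary gives away: build paths, compiler version and the exact digest in use.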

HTS Realistic 4: UNION ALL the Products

Fischer’s Animal Products: A company slaughtering animals and turning their skin into overpriced products sold to rich bastards! Help animal rights activists increase political awareness by hacking their mailing list.

So I finally got around to writing a walkthrough/guide for Hack This Site realistic mission 4. Your objective is to get the email addresses of the subscribers to the newsletter of Fischer’s Animal Products.

From: SaveTheWhales

Message: Hello, I was referred to you by a friend who says you know how to hack into computers and web sites - well I was wondering if you could help me out here. There’s this local store who is killing hundreds of animals a day exclusively for the purpose of selling jackets and purses etc out of their skin! I have been to their website and they have an email list for their customers. I was wondering if you could somehow hack in and send me every email address on that list? I want to send them a message letting them know of the murder they are wearing. Just reply to this message with a list of the email addresses. Please? Their website is at http://www.hackthissite.org/missions/realistic/4/. Thanks so much!!

Start by investigating every part of Fischer’s site. There are essentially two parts which might be vulnerable. The most visible one is the email form: a clearly visible input field, where you just add your email address and are given an “Email added successfully” message. As you’ve seen through other missions containing SQL injections, the first step is attempting to get out of the string. Try registering an email address containing apostrophes, both single and double.

Error inserting into table “email”! Email not valid! Please contact an administrator of Fischer’s.

Unsuccessful. However, we got an important piece of information: the table name is “email”.

Now for the other part of the website: the product lists. There are two product lists, “fur coats” and “alligator accessories” (how this has anything to do with whales is beyond me). If you’ve been as observant as you should be, you’ve noticed that both are the same file, products.php, with the category ID as an argument.

What do we want to accomplish? If we wanted to select something else from that table, we could attempt to change the WHERE part of the SELECT statement by changing the category argument to something like “1 OR category = 2” (which happens to give you both categories of products on one page). However, we want to add information from another table: the “email” table. This is where the MySQL command UNION comes in very handy. Using UNION, we can merge the results of two SELECT statements into one. For example, we could run:

SELECT * FROM table1 UNION ALL SELECT * FROM table2;

The result would be getting all rows from table1 and all rows from table2. Note that this assumes that the number of columns in table1 and table2 are equal. If they are not, the command will not work. UNION ALL is used instead of simply UNION in order to preserve duplicate rows. It is good practice to use UNION ALL in order to avoid unexpected errors. Let’s assume that the initial query could be something like this:

SELECT * FROM products WHERE category = 1;

We also want the rows from the email table. Therefore, we’ll try looking for another category: 1 UNION ALL SELECT * FROM email, resulting in the following final query:

SELECT * FROM products WHERE category = 1 UNION ALL SELECT * FROM email;

Which is exactly what we want. However, this results in nothing of value. Remember the assumption made earlier when we UNIONed table1 and table2? They must be of the same number of columns. We can assume that “email” has fewer columns than “products” does, since the products table should be more advanced. Therefore, we add columns to the email table:

SELECT * FROM products WHERE category = 1 UNION ALL SELECT *, NULL FROM email;

NULL means nothing–it is just an empty column. This doesn’t work either, so we’ll have to keep adding NULLs until we get some results. It will finally work at three NULLs:

SELECT * FROM products WHERE category = 1 UNION ALL SELECT *, NULL, NULL, NULL FROM email;

Below the category 1 products, you can see ten broken images. Viewing the source code, you will find that the sources of these are email addresses! Rearranging the column order will give you a more legible format.

SELECT * FROM products WHERE category = 1 UNION ALL SELECT NULL, *, NULL, NULL FROM email;

Just copy the list and email it to SaveTheWhales!

HTS Realistic 3: Re-Overwrite the Index

Peace Poetry: HACKED: A little girl made a website to put poetry related to peace and understanding. American fascists have hacked this website replacing it with Hitler-esque propaganda. Can you repair the website?

In Hack This Site, Realistic mission 3, you have to recover a hacked poetry-site. Only basic knowledge is required, although it could be difficult to come up with the ideas.

From: PeacePoetry

Message: I run this website where people can read and submit peace-related poetry. I am doing this out of good will towards others, and I don’t see why I would be making enemies out of this, but some real asshole hacked my website posting a bunch of ignorant aggressive propaganda on the front page. And I made that website a while ago, and I no longer have access to it. Do you think you can hack in and change it back? Please? Oh, and bonus points if you message me the name of the bastard who did this!
My website can be found here.

You should have no problems understanding that the landing page is hacked. The first thing you do is of course to check the source code. This part is a bit tricky and unrealistic: look through the source very carefully. You should notice that it ends in a lot of linebreaks, and an HTML-comment on the very last line. It reads:

<!--Note to the webmasterThis website has been hacked, but not totally destroyed. The old website is still up. I simply copied the old index.html file to oldindex.html and remade this one. Sorry about the inconvenience.-->

A nice hacker indeed. Now go to oldindex.html in that directory, and you will see the site. Browse it a bit until you are familiar with how it works.

Now, we have to make some assumptions about the system. From the wording “Poems will be stored online immediately”, we can assume that the poems are saved in separate files. Thus, the filename is probably the title of the poem. The file that we want to overwrite is index.html. Try to submit a poem with that title; unfortunately, it won’t work.

The reason is that the file is stored in another directory. (If it was stored in the current directory, it would get quite messy after a while, and the webmaster is a girl.) This means that we want to save the file in the parent of the directory that it would originally be stored in.

How to save it in another directory? Well, you should know about directory traversal from Basic Web 9: “..” means “up one directory”. Therefore, try to submit a poem called ../index.html.

Sorry, you have the right idea how to beat the level, but the text you entered did not match the contents of the old website. You have to put the old website up, meaning putting up the old index.html

Just copy the source-code of oldindex.html and let that be the text of the poem. Mission accomplished.
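The flaw this mission relies on is a poem title used as a file path. The following is an added example, not the mission's real code: a save routine with that flaw next to one that resolves the path and refuses anything outside the poem directory. The function names and the directory layout are assumptions.

```python
import tempfile
from pathlib import Path


def save_poem_vulnerable(poem_dir, title, text):
    # The title is joined onto the directory unchecked, so "../index.html"
    # names a file one level above poem_dir.
    target = Path(poem_dir) / title
    target.write_text(text)
    return target


def save_poem_hardened(poem_dir, title, text):
    base = Path(poem_dir).resolve()
    # resolve() collapses ".." and follows symlinks before the check.
    target = (base / title).resolve()
    if base not in target.parents:
        raise ValueError("title escapes the poem directory: %r" % title)
    target.write_text(text)
    return target


def demo():
    """Run both versions against a throwaway site layout (constructed)."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        site = Path(root) / "site"
        poems = site / "poems"
        poems.mkdir(parents=True)
        index = site / "index.html"

        index.write_text("front page")
        save_poem_vulnerable(poems, "../index.html", "replaced")
        results["vulnerable_index"] = index.read_text()

        index.write_text("front page")
        # Relative, absolute, nested and empty titles must all be refused.
        for title in ("../index.html", str(index), "a/../../index.html", ""):
            try:
                save_poem_hardened(poems, title, "replaced")
                results[title] = "written"
            except ValueError:
                results[title] = "rejected"
        results["hardened_index"] = index.read_text()

        saved = save_poem_hardened(poems, "peace.txt", "a poem")
        results["normal_title"] = saved.relative_to(site.resolve()).as_posix()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(repr(key), "->", value)
```

Generating the stored filename on the server, instead of deriving it from the title at all, removes the problem entirely.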

HTS Realistic 2: MySQL-Inject the Nazi Party

Chicago American Nazi Party: Racist pigs are organizing an ‘anti-immigrant’ rally in Chicago. Help anti-racist activists take over their website!

In Hack This Site, Realistic mission 2, you must seize control of the evil Nazi website. Knowledge of SQL is required.

From: DestroyFascism

Message: I have been informed that you have quite admirable hacking skills. Well, this racist hate group is using their website to organize a mass gathering of ignorant racist bastards. We cannot allow such bigoted aggression to happen. If you can gain access to their administrator page and post messages to their main page, we would be eternally grateful.

When you first reach the target site, you will see a simple layout with a few image links on the bottom. Don’t follow them: they lead to a real nazi site, which is illegal to try to hack. The first step is always to check the source code. You will find the following interesting part:

<a href="update.php">
  <font color="#000000">
    update
  </font>
</a>

It is a hyperlink, hidden with the same colour as the background. This is a very simplistic way to hide the administration page, since a search engine would index it. Follow the link to http://www.hackthissite.org/missions/realistic/2/update.php, and you will find an authentication form.

As always, start by viewing the source of the form. Unfortunately, this time we cannot find anything interesting. That is when we realize that the attack must be done on another level.

We can be pretty sure that there is a PHP script processing the form data, since the form’s action-attribute is update2.php. Using PHP/MySQL is a very common way of managing a list of users. Now, imagine what the SQL query sent to the database by the PHP script would look like:

SELECT * FROM users WHERE username = '$USERNAME' and password = '$PASSWORD'

The SELECT clause determines which part of the row is selected (fetched) from the database, and the asterisk (*) is a wildcard, signifying that every column is fetched. The FROM clause determines the table to fetch data from. It is the WHERE clause that is interesting: it contains the conditions for the row that will be fetched. In this case, the username should be what we entered, and so should the password. For instance, if we entered “SomeUser” and “SomePass123”, the query would be:

SELECT * FROM users WHERE username = 'SomeUser' and password = 'SomePass123'

This is where the injection part in MySQL-injection comes into play. Suppose that our username contained a single quote ('). It would end the string early and render the query invalid. With this information, it is possible to hijack the query completely! Just come up with a username and a password that will bypass the normal conditions in the WHERE clause. I used the following as both the username and the password:

' OR 'a'='a

The processed query will be like this:

SELECT * FROM users WHERE username = '' OR 'a'='a' and password = '' OR 'a'='a'

Thus, it doesn’t matter if we use the incorrect username/password combination as long as ‘a’ is equal to ‘a’, which it usually is.

Unfortunately, few sites protect themselves against this kind of SQL-injection. I once managed to get myself a report to the police when I used it on a small social networking site.
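Both this login query and the products.php query from Realistic 4 fail for the same reason: user input is pasted into the SQL text. The following is an added example, not the missions' real code. It runs the inputs quoted in the two walkthroughs against SQLite, first with string-built queries and then with bound parameters; the table layouts and sample rows are constructed assumptions.

```python
import sqlite3


def make_db():
    """In-memory stand-in for the two mission databases (constructed data)."""
    db = sqlite3.connect(":memory:")
    # Plaintext password only to mirror the query in the text; store a
    # salted password hash in anything real.
    db.executescript("""
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 'constructed-secret');
        CREATE TABLE products (id INTEGER, name TEXT, image TEXT, category INTEGER);
        INSERT INTO products VALUES (1, 'coat', 'coat.jpg', 1);
        INSERT INTO products VALUES (2, 'belt', 'belt.jpg', 2);
        CREATE TABLE email (address TEXT);
        INSERT INTO email VALUES ('alice@example.com');
        INSERT INTO email VALUES ('bob@example.com');
    """)
    return db


def login_vulnerable(db, username, password):
    # Input is pasted into the SQL text, so a quote in it ends the literal.
    sql = ("SELECT * FROM users WHERE username = '%s' and password = '%s'"
           % (username, password))
    return db.execute(sql).fetchone() is not None


def login_hardened(db, username, password):
    # Placeholders keep the values out of the SQL text entirely.
    sql = "SELECT * FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone() is not None


def products_vulnerable(db, category):
    return db.execute(
        "SELECT * FROM products WHERE category = " + category).fetchall()


def products_hardened(db, category):
    # The category is an ID: accept digits only, then bind it as a parameter.
    if not (category.isascii() and category.isdigit()):
        raise ValueError("category must be a number")
    return db.execute(
        "SELECT * FROM products WHERE category = ?", (int(category),)).fetchall()


def demo():
    db = make_db()
    quote = "' OR 'a'='a"                      # input quoted in Realistic 2
    union = "1 UNION ALL SELECT *, NULL, NULL, NULL FROM email"  # Realistic 4
    out = {
        "login_vulnerable": login_vulnerable(db, quote, quote),
        "login_hardened": login_hardened(db, quote, quote),
        "rows_vulnerable": products_vulnerable(db, union),
    }
    try:
        products_hardened(db, union)
        out["union_hardened"] = "ran"
    except ValueError:
        out["union_hardened"] = "rejected"
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The four-column products table is what makes three NULLs the matching pad for the one-column email table, as in the walkthrough.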

HTS Realistic 1: Uncle Arnold’s Local Band Review

Your friend is being cheated out of hundreds of dollars. Help him make things even again!

In Realistic Mission 1 of Hack This Site, you need to help your poor friend out a bit in Uncle Arnold’s Local Band Review.

From: HeavyMetalRyan

Message: Hey man, I need a big favor from you. Remember that website I showed you once before? Uncle Arnold’s Band Review Page? Well, a long time ago I made a $500 bet with a friend that my band would be at the top of the list by the end of the year. Well, as you already know, two of my band members have died in a horrendous car accident… but this asshole still insists that the bet is on!
I know you’re good with computers and stuff, so I was wondering, is there any way for you to hack this website and make my band on the top of the list? My band is Raging Inferno. Thanks a lot, man!

Follow the link to Arnold’s site. Apart from the ugly design expected from a small personal business, the first thing that you should notice is Imposing Republic’s rating of 23, on a 1-5 scale! This hints that you should be able to give ratings which are higher than five in some way. Take a look at the source code, more specifically at the several identical forms for voting.

<form action="vote.php">
<input type="hidden" name="PHPSESSID" value="abcaeadfc31a5c53b2534bf995d0553f" />
<input type="hidden" name="id" value="0">
<select name="vote">
<option value=1>1
...
<option value=5>5
</select>
<input type="submit" value="vote!">
</form>

This is the code for the Raging Inferno’s voting form. As a hacker, you should intuitively think about sending unexpected values to every form that you encounter. In this case, what about a number greater than 5? Try it:

http://www.hackthissite.org/missions/realistic/1/vote.php?id=0&vote=1337&PHPSESSID=abcaeadfc31a5c53b2534bf995d0553f

Obviously, you should substitute the PHP session ID in the URL with your own session ID, which can be found in the source code. This code votes “1337” for band #0, which happens to be HeavyMetalRyan’s Raging Inferno.

Mission accomplished.

HTS Basic Web 10: Cookies!

Basic Web mission 10 is, just like the previous nine missions, easy if you know the technique. I will assume that you use the Firefox extension Add N Edit Cookies, which is a very useful tool for viewing and editing cookies.

Network Security Sam has decided to hardcode the password into the script. He also started to use cookies to detect if the user is authorized to advance to the next level. When you enter the correct password, it sets you to authorized, and if you enter an incorrect password, it sets you to unauthorize

Here, we are even given exactly how Sam’s script works. Enter some random password, and you will see that you are not authorized. Now, open the cookie editor and check what cookies you’ve got from hackthissite.org.

[Screenshot: Add N Edit Cookies]

Edit the cookie named “level11_authorized” and change the content from “no” to “yes”. After this, you can access the page /missions/basic/11. Congratulations, you just completed the basic web missions.
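The cookie works as a password bypass because the server believes a value the browser can rewrite. The following is an added example, not Sam's script: the same check written the trusting way, and again with an HMAC tag so that an edited cookie no longer verifies. The function names and the "value.tag" cookie layout are assumptions.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)   # generated and kept on the server only


def sign(value, key=SERVER_KEY):
    """Return 'value.tag' where tag is HMAC-SHA256 over the value."""
    tag = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return value + "." + tag


def verify(cookie, key=SERVER_KEY):
    """Return the value if the tag matches, otherwise None."""
    value, sep, tag = cookie.rpartition(".")
    if not sep:
        return None                    # no tag at all, e.g. a bare "yes"
    expected = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison, so the tag cannot be guessed byte by byte.
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    return value


def authorized_vulnerable(cookies):
    # Trusts whatever the browser sends back.
    return cookies.get("level11_authorized") == "yes"


def authorized_hardened(cookies):
    return verify(cookies.get("level11_authorized", "")) == "yes"


def demo():
    issued = sign("no")                       # what a wrong password earns
    edited = "yes" + issued[len("no"):]       # value changed, old tag kept
    return {
        "vulnerable_accepts_edit": authorized_vulnerable(
            {"level11_authorized": "yes"}),
        "hardened_accepts_bare_yes": authorized_hardened(
            {"level11_authorized": "yes"}),
        "hardened_accepts_edit": authorized_hardened(
            {"level11_authorized": edited}),
        "hardened_accepts_genuine": authorized_hardened(
            {"level11_authorized": sign("yes")}),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

A signed flag can still be copied from one browser to another, so keeping the flag in server-side session state is the stronger design.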

HTS Basic Web 9: Directory Traversal

Basic Web mission 9 is so easy, it is barely worth a post of its own. The only thing that might be difficult is realizing that you should find a vulnerability in the eighth mission; however, that problem exists only if you attempt to solve mission 9 without looking or without reading the instructions.

This challenge is essentially identical to mission 8, except that the password file is in another directory. There isn’t much to learn from this, except that vulnerabilities are not always where you expect them to be. In the last mission, you entered the following in the name field:

Which, with .., goes up one step from /missions/basic/8/tmp/ to /missions/basic/8/. The directory we want to go to is /missions/basic/9/, which means that we will have to go up another step and then down into the directory 9/ from there. This practice is called directory traversal.

Your file will be saved, and you can read it in order to find the filename out. Load the file, and you’ve got your password. Remember that the file is in /9, not /8.

HTS Basic Web 8: Evil SSI

Network Security Sam never seems to learn from his mistakes. In mission 8 of the basic web missions, Sam has made the exact same mistake as in mission 7: he practices security through obscurity. This is never a good idea. This time, he saved an unencrypted password file somewhere in /var/www/hackthissite.org/html/missions/basic/8/. Last time, we used Sam’s insecure cal script. This time, his daughter Stephanie has put up a handy script for us.

Try out Stephanie’s name script. You’ll find out that whatever you input into that box is saved to a random filename with some additional text. This is where you should think about SSI. SSI is a technology that allows execution of server-side commands on the processing of files, a bit like PHP. By far the most common use of SSI is to include header and footer files. The syntax of an SSI include looks like this:

You only need to use one command for this mission, exec. exec is used to execute any UNIX command on the server. Remember from the last mission what the command for listing all the files in a directory was? Try using it. Enter this into the name field:

This is the output I got:

Hi, tshngmww.shtml hipykpqu.shtml ztxdhjxn.shtml avpfeoie.shtml fviqpmaw.shtml kqbybdzc.shtml dzrnmzgx.shtml npcsygfl.shtml whqxxojt.shtml ylomcmvu.shtml uhdppswp.shtml gzntiicx.shtml dzwbqiuu.shtml qvzuieng.shtml smcerykh.shtml qjhnmhmq.shtml znodwztr.shtml!

Your name contains 254 characters.

Looks great, except one thing. It’s the wrong directory. If you look at the URL, it will say something like this:

http://www.hackthissite.org/missions/basic/8/tmp/nxlvdjcp.shtml

We need to ls one directory up. The path to the parent directory is always .., which means that we can list the files of the parent directory (/missions/basic/8/) with the following SSI code:

After you have found the obscure filename in the file list, you can simply access it in your browser and read the password.

HTS Permanent Programming 1: Anagram Solver

The first permanent programming challenge of HackThisSite.org was fun to work with, yet so simple with Perl. If it’s got to do with strings, Perl can do it. Here is the script I used. You should of course change the path of $filename to whatever you decided to name the dictionary file.

#!/usr/local/bin/perl
# Anagram solver: two words are anagrams when every character occurs the
# same number of times, so the list of counts works as a lookup key.
my $filename = "/home/Tim/download/tmp/wordlist.txt";
my %wordlist;	# count signature => dictionary word
my @curlist;	# per-character counts, indexed by character code
my $strid;
my $word;
my $wrd;
my @inlist;
open( LIST,  "< " . $filename) || die "Aborting: could not open $filename\n";
foreach (<LIST>) {
	@curlist = (0) x 256;
	chomp;
	s/\r//;
	$word = $_;
	foreach (split(//)) {
		$curlist[ord]++;
	}
	# Join with commas so that counts of 10 or more stay unambiguous.
	$strid = join(',', @curlist);
	$wordlist{$strid} = $word;
#	print $word . "\t" . $strid . "\n";
}
close(LIST);
print "word:";
while (<STDIN>) {
	chomp;
	@inlist = ();
	foreach (split(/,/)) {
		@curlist = (0) x 256;
		$wrd = $_;
		foreach (split(//)) {
			$curlist[ord]++;
		}
		$strid = join(',', @curlist);
		if (exists($wordlist{$strid})) {
			print $wordlist{$strid} . "\n";
			push @inlist, $wordlist{$strid};
		} else {
			print "*** " . $wrd . ": not found\n";
			push @inlist, '-';
		}
	}
	print join(',', @inlist);
}

This script accepts a comma-separated list of words from standard input. To change that weird \n\t#-separated list you get when copy-pasting from Firefox, you can use my list conversion script that I wrote for this very mission.

Note that you could replace the wordlist with a good wordlist, and so get a working anagram solver.

HTS Basic Web 7: cal call unrelated?

Level 7 is a very easy level, if you are a Linux user. We don’t even have to check the source. The HackThisSite.org crew is kind enough to tell us where the password is: in an obscurely named file, saved in the current working directory. Now, we only need to come up with a way to get a directory listing. This is when a very useful and frequently used UNIX command should come to mind — ls. From the ls man page:

ls - list directory contents

Sounds good. If only we could perform arbitrary operations remotely. Take a look at that unrelated script that calls cal. Try it out by inputting a random year and submitting. It looks just like the normal output of cal. Remember that, when searching for security vulnerabilities, you should always think like the developer. What could cal.pl look like? This is a simplification:

print `cal $year`;

Where $year is the input. Injections are the bane of all web applications. Here, a command injection through the Perl script would come in handy. What happens if you enter more than just a year? If my guess about what the code looks like was correct, the extra input will be executed as a normal command. Let’s take year 1337 just for the sake of it.

1337 && ls

The command executed now will be cal 1337 && ls. This will first give you a calendar of the year 1337 AD, after which it will give you what you want: the directory listing. Just look through the directory listing for an obscurely named file, and then read the file in your web browser. Mission accomplished.

If you didn’t like Network Security Sam, you could’ve made things much, much more nasty. 1337 && rm -rf, for instance, would delete everything in the filesystem.
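The weakness in the guessed cal.pl is that the year travels through a shell. The following is an added example, not the mission's script. It runs the same input three ways: as one shell string, as a single argument without a shell, and after validation. The function names are assumptions, and `echo` stands in for `cal` so that the block runs on any system.

```python
import subprocess


def cal_vulnerable(year, program="echo"):
    # Same shape as Perl's `cal $year`: one string handed to /bin/sh,
    # which treats "&&" as a command separator.
    done = subprocess.run(program + " " + year, shell=True,
                          capture_output=True, text=True)
    return done.stdout


def cal_argv_only(year, program="echo"):
    # Argument list and no shell: "&&" is just text inside one argument.
    done = subprocess.run([program, year], capture_output=True, text=True)
    return done.stdout


def cal_hardened(year, program="echo"):
    # cal accepts years 1..9999; refuse everything else before running it.
    # This also stops option-style input such as "-h" reaching the program.
    if not (year.isascii() and year.isdigit() and 1 <= int(year) <= 9999):
        raise ValueError("year must be a number from 1 to 9999")
    return cal_argv_only(year, program)


def demo():
    crafted = "1337 && echo INJECTED"   # harmless stand-in for "1337 && ls"
    out = {
        "vulnerable": cal_vulnerable(crafted),
        "argv_only": cal_argv_only(crafted),
        "hardened_ok": cal_hardened("1337"),
    }
    try:
        cal_hardened(crafted)
        out["hardened_crafted"] = "ran"
    except ValueError:
        out["hardened_crafted"] = "rejected"
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", repr(value))
```

In Perl the same repair is to validate $year and call cal through the list form of system or open instead of backticks.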
