HTS Basic Web 7: cal call unrelated?

Level 7 is a very easy level, if you are a Linux user. We don’t even have to check the source. The HackThisSite.org crew is kind enough to tell us where the password is: in an obscurely named file, saved in the current working directory. Now, we only need to come up with a way to get a directory listing. This is when a very useful and frequently used UNIX command should come to mind — ls. From the ls man page:

ls - list directory contents

Sounds good. If only we could perform arbitrary operations remotely. Take a look at that unrelated script that calls cal. Try it out by inputting a random year and submitting. It looks just like the normal output of cal. Remember that, when searching for security vulnerabilities, you should always think like the developer. What could cal.pl look like? This is a simplification:

print `cal $year`;

Here $year is the input. Injections are the bane of all web applications, and a command injection through Perl's backticks would come in handy here. What happens if you enter something other than a year? If my guess about the code is correct, whatever we enter is handed to the shell and executed as a normal command. Let's take the year 1337 just for the sake of it.

1337 && ls

The command executed now will be cal 1337 && ls. This first prints a calendar of the year 1337 AD, after which it gives you what you want: the directory listing. Look through the listing for an obscurely named file, and then open that file in your web browser. Mission accomplished.
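As an added example (not the HackThisSite crew's cal.pl, whose real source is never shown here), the guessed vulnerable shape sits next to a hardened version; the function names are hypothetical and the code assumes a cal binary on the PATH. The fix is the usual one: reject anything that is not a plain year, and start cal through the list form of open so that no shell ever parses the input.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Vulnerable shape (a guess, as in the post): backticks hand the whole
# string to /bin/sh, so "1337 && ls" becomes two commands.
sub calendar_vulnerable {
    my ($year) = @_;
    return `cal $year`;
}

# Hardened: allow-list the input, then run cal without any shell.
sub calendar_safe {
    my ($year) = @_;
    # cal accepts years 1..9999; anything else is rejected outright.
    return undef unless defined $year && $year =~ /\A([1-9][0-9]{0,3})\z/;
    my $clean = $1;    # captured copy, also untainted under perl -T
    # With three or more arguments, open runs the program directly:
    # "&&", ";" or "|" in $year are never seen by a shell.
    open(my $fh, '-|', 'cal', $clean) or return undef;
    my $output = do { local $/; <$fh> };
    close($fh);
    return $output;
}

# Constructed inputs standing in for the form field. A rejected value
# goes to STDERR (the web server's error log), which is the detection
# signal a defender wants from this script.
for my $input ('1337', '1337 && ls') {
    my $out = calendar_safe($input);
    if (defined $out) {
        print $out;
    } else {
        warn "cal.pl: rejected year input '$input'\n";
    }
}
```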

If you didn’t like Network Security Sam, you could’ve made things much, much more nasty. 1337 && rm -rf, for instance, would delete everything in the filesystem.


50 Comments »

  1. [...] Network Security Sam never seems to learn from his mistakes. In mission 8 of the basic web missions, Sam has made the exact same mistake as in mission 7: he practices security through obscurity. This is never a good idea. This time, he saved an unencrypted password file somewhere in /var/www/hackthissite.org/html/missions/basic/8/. Last time, we used Sam's insecure cal script. This time, his daughter Stephanie has put up a handy script for us. [...]

    Pingback by Timblog » HTS Basic Web 8: Evil SSI — July 30, 2006 @ 5:31 pm

  2. Whenever I put the odd file name in the URL bar, it doesn't work. Firefox just gives me an error message.

    Comment by Kyle — January 1, 2007 @ 1:55 am

  3. Kyle: Remember that it is local, i.e. you should only change a part of the URL but retain the directory structure.

    Comment by Tim — January 1, 2007 @ 2:58 pm

  4. I really do not get it, can someone please tell me the password

    Comment by Joe — January 2, 2007 @ 9:16 pm

  5. Hi, I'm having problems in level 7. I don't really understand what this page is asking me to do. Please simplify it.

    Comment by vik — January 17, 2007 @ 12:55 pm

  6. What you need to do is to enter "1337 && ls" into the year box and hit view. You'll see the calendar and at the end of the page there will be some stuff written. You're looking for a strange php file. When you find it, replace a part of the URL with it and hit enter. There's your password.

    Comment by Bill — February 22, 2007 @ 1:53 pm

  7. Yo, I don't know what to interchange in the URL bar with what I get at the bottom of the calendar

    Comment by Da'Von — March 3, 2007 @ 5:52 pm

  8. Never mind, I got it

    Comment by Da'Von — March 3, 2007 @ 6:55 pm

  9. Hey, what do I change the php file with?

    Comment by evan — March 14, 2007 @ 2:39 pm

  10. lol, never mind, I found it

    Comment by evan — March 14, 2007 @ 2:49 pm

  11. OK.
    Can somebody tell me where I can get a good Unix emulator and how I can surf with it?

    Comment by negroi — April 8, 2007 @ 3:58 am

  12. negroi: You should read about cygwin and lynx.

    Comment by Tim — April 9, 2007 @ 10:11 pm

  13. ty

    Comment by jerrod1607 — April 27, 2007 @ 8:23 pm

  14. I saw the thing at the end, but I don't know what to put in my URL because there are 6 lines

    Comment by jean — May 9, 2007 @ 1:19 am

  15. Jean: Which file names are printed when you execute the command? The “obscure” one should be put in the URL bar.

    Comment by Tim — May 9, 2007 @ 6:33 am

  16. Wow, Security Sam is an idiot. I looked at this guide because I didn't understand Unix, but now it's clear. That was easy

    Comment by Mista_Haze — May 14, 2007 @ 3:40 am

  17. What to do if I don't have UNIX?

    Comment by poki — June 5, 2007 @ 1:19 pm

  18. I can't pass mission basic 7, I need help, please help me

    Comment by poki — June 7, 2007 @ 12:36 pm

  19. Why do I need to put && before ls to get the directory listing….

    Comment by none — June 9, 2007 @ 2:46 pm

  20. none: "&&" is a conjunction put between two commands which is the equivalent of "and". Thus, both "cal 1337" and "ls" are executed.

    Comment by Tim — June 13, 2007 @ 12:09 pm

  21. Thanks bro.. I get it now

    Comment by none — June 14, 2007 @ 11:53 pm

  22. thank you….

    Comment by none — June 14, 2007 @ 11:54 pm

  23. This mission was unfair. If it weren’t for the missing ‘&&’ I could have done it easily. >:(

    Comment by guy — July 18, 2007 @ 6:47 pm

  24. guy, that’s like saying you failed English unfairly because you skipped every “and”..

    Comment by Tim — July 18, 2007 @ 10:51 pm

  25. I don’t get this…

    Comment by Anonymous — August 3, 2007 @ 8:11 pm

  26. nvm I get it now ^^

    Comment by Anonymous — August 3, 2007 @ 8:13 pm

  27. hehehehe very cool, kinda tricky, but it's solved, thanks for the help

    Comment by hm... — August 8, 2007 @ 8:12 pm

  28. I just wanna say THANK YOU.
    Because you've been helping me since level 5.
    I hope, sooner or later, my skills will surpass yours.
    And I promise you that.
    Once again THANK YOU VERY MUCH !!!
    Sincerely,

    raphael parabellum

    Comment by raphael parabellum — August 20, 2007 @ 8:09 pm

  29. Where did you get this from, "1337 && ls"?

    Comment by ShakeTheBaby — September 7, 2007 @ 3:19 am

  30. ShakeTheBaby: "1337" could be any integer. It is the year for the cal command. "&&" means that another command will be executed, and that command is "ls", which lists the content of the directory.

    Comment by Tim — September 15, 2007 @ 8:04 am

  31. Hello all people ☺

    Anyone who needs help with any of the missions past those stated on this site can just e-mail me

    Comment by seklyma — September 17, 2007 @ 10:45 pm

  32. Who is this Sam and why is he such an imbecile? hahahaha!

    Comment by denni — October 29, 2007 @ 9:10 pm

  33. Heeelp! I write 1337 && ls in the space and then click view, but I get an error box that tells me that I have to write a number between 1-255 and that there was an error.. What do I do?!

    Comment by melissa — October 31, 2007 @ 11:28 pm

  34. I don't understand, I write 1337 && Is and I get into the calendar.
    But it doesn't say anything with a php file or anything special.

    PLEASE HELP ME!!!

    Comment by anpeern — November 5, 2007 @ 6:15 pm

  35. help

    Comment by poki — November 5, 2007 @ 8:55 pm

  36. iddddddddd

    Comment by poki — November 5, 2007 @ 8:58 pm

  37. 2

    Comment by poki — November 5, 2007 @ 8:59 pm

  38. You all are stupid… it's not that hard… just read the tut.

    Comment by lol — November 10, 2007 @ 8:26 pm

  39. Yeah, but what if you don’t have Linux? Are you out of luck?

    Comment by Blake — November 11, 2007 @ 11:04 pm

  40. You don't need to have Linux to finish this mission, all you gotta have is a head to think

    Comment by malcolm — November 25, 2007 @ 1:13 am

  41. I still don't understand the command, is that Unix or Linux?
    Because I want to look into it so I can fully understand it

    Comment by Finn — November 29, 2007 @ 6:17 pm

  42. http://www.hackthissite.org/missions/basic/7/k1kh31b1n55h.php

    -_-`

    a06b4fc5

    Comment by joe — January 5, 2008 @ 1:40 am

  43. Guys, I pretty much get the whole thing except for one thing.
    e.g. 1337 && ls: what is the "&&"? Is it some kind of ASCII code or Unix code?

    Comment by cast — February 4, 2008 @ 8:45 pm

  44. If you've had any experience in programming….. && is logical AND. Simply put, it will input both 1337 and ls for execution by the script.

    Comment by andy — March 30, 2008 @ 8:29 pm

  45. I'm a Linux user but I kept trying to put semicolons between 1337 and ls, and finally ragequit to find this tutorial. Why didn't that work the way it normally does? I had the idea right, it just, you know, broke.
    I've never used && before, since when was that a commonly used conjunction?
    It seems the more I find out the less I know. If you could explain this to me that'd be great, it's a bit of a blow to have to use a tutorial on something I thought I knew :(

    Comment by Shadyjames — April 4, 2008 @ 8:47 am

  46. God, I need to get some books and learn a few languages, like Unix, HTML and any others anyone can recommend. So Tim, I basically get this, but where do I enter this stuff. Thanks, you’ve got a great site that is really helpful!

    Comment by binzing — April 7, 2008 @ 3:38 am

  47. OMG… that isn't bad at all.

    Comment by jhnddy — April 12, 2008 @ 7:32 pm

  48. cast: && means run also. For example cd directoryhere && ls will change directory and show its listing

    Comment by r27smith200245 — May 3, 2008 @ 10:50 pm

  49. Um, I understand all of this, and I've tried it before, but whenever I do it, it opens a cal.pl file in Notepad and then it just gives me the calendar for the whole year, that's it. I've been doing this right, but it never gives me the list of files in the directory…
    Does anybody know why??

    Comment by Anonymous — August 3, 2008 @ 9:49 pm

  50. Um, I understand all of this, and I've tried it before, but whenever I do it, it opens a cal.pl file in Notepad and then it just gives me the calendar for the whole year, that's it. I've been doing this right, but it never gives me the list of files in the directory…
    Does anybody know why??

    Comment by Laura — August 3, 2008 @ 9:49 pm
