HackThisSite - Basic Level 7 - Command Injection
In this challenge, Sam stored the unencrypted password in a file in this very directory:
https://www.hackthissite.org/missions/basic/7/
And in other unrelated news, Sam has also created a script that displays the output of the UNIX cal command. So, when a user inputs a year:
Sam’s backend script executes the cal command, and the following result is produced:
My guess is that the highlighted Perl (.pl) script is the one executing the cal command. If the form input text receiving the year isn’t properly sanitized and validated, it could introduce some sort of injection attack. Let’s test this hypothesis out by entering the following command directly in the input text:
And see the result:
Yep, a classical command injection scenario. You can inspect the contents of the files exposed in the output; however, the one containing Sam's unencrypted password is k1kh31b1n55h.php:
https://www.hackthissite.org/missions/basic/7/k1kh31b1n55h.php
The result is:
So, Sam’s password is revealed once again: cc54ac24
Security Recommendations
Any input received from users must be strictly sanitized and validated to ensure it contains only expected values. On top of this, developers should avoid invoking shell commands whenever possible, and instead use native language libraries or safer APIs, which greatly reduce the risk of injection attacks.
Additionally, applications should maintain a clear separation between application logic and the operating system. Backend scripts should run with the least privileges required, ensuring that even if an injection occurs, the attacker cannot read sensitive files or traverse directories freely in the system.
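As an added example (not part of the original write-up, and not Sam's script), here is how both recommendations look in Python: an allow-list validator for the year field, the calendar rendered with the standard library instead of a shell, and, where the external binary is still wanted, an argument-list call with the shell disabled. The function names are my own.

```python
import calendar
import re
import subprocess

# Strict allow-list: one to four ASCII digits and nothing else. Any shell
# metacharacter (";", "|", "&", "`", "$") fails this check before the value
# can reach a command interpreter.
YEAR_RE = re.compile(r"\A[0-9]{1,4}\Z")


def validate_year(raw: str) -> int:
    """Return the year as an int, or raise ValueError for anything else."""
    if not YEAR_RE.fullmatch(raw.strip()):
        raise ValueError("year must be 1 to 4 digits")
    year = int(raw)
    if not 1 <= year <= 9999:
        raise ValueError("year out of range")
    return year


def is_valid_year(raw: str) -> bool:
    """Boolean wrapper around validate_year for callers that prefer a flag."""
    try:
        validate_year(raw)
        return True
    except ValueError:
        return False


def render_calendar(raw: str) -> str:
    """Preferred fix: no external process at all. The standard library
    produces the same kind of year view the cal(1) binary prints."""
    return calendar.TextCalendar().formatyear(validate_year(raw))


def render_calendar_subprocess(raw: str) -> str:
    """If the external binary is really needed, pass arguments as a list with
    shell=False so the year is a single argv entry, never parsed by /bin/sh.
    The allow-list check above still applies."""
    year = validate_year(raw)
    result = subprocess.run(["cal", str(year)], capture_output=True,
                            text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    print(render_calendar("2024"))
    for bad in ("2024; ls", "abcd", ""):          # constructed bad inputs
        print(f"rejected {bad!r}: {is_valid_year(bad)}")
```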