Basic 8

From Kyle's Wiki

When a name is entered, the system creates a file in /basic/8/tmp/randomjunk.shtml with some irrelevant information in it.
If you google for ".shtml" you'll see that it is an extension for Server Side Include (SSI) files. Googling for "ssi exec" you'll find that <!--#exec cmd="command" --> will return the output from running "command". We know that this is a Linux/Unix server from the directory style, starting with "/" instead of "C:\", so we'll use the "ls" command to list the contents of the directory. Put this in as your name:

<!--#exec cmd="ls" -->

and then go to the created file. You should see a list of randomly named files in the name area. Combining this with directory traversal (google it - "." is the current directory, ".." is one directory up) we can go from webroot/missions/basic/8/tmp/ to webroot/missions/basic/8/ without having to specify the full path.

<!--#exec cmd="ls .." -->

will show you the obscured file. Go to /missions/basic/8/TheFile.php to get your password.
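The level works because the submitted name is written unchanged into a file the server parses for SSI directives. The following is an added example, not part of the original wiki page or the mission's code, showing that write next to an escaped version and a check for leftover directives; the page template, function names, allowlist and sample inputs are all constructed for illustration.

```python
import html
import re

# Start of an SSI directive, e.g. <!--#exec ... --> or <!--#include ... -->
SSI_DIRECTIVE = re.compile(r"<!--#(\w+)", re.IGNORECASE)
# Hypothetical allowlist for a display name: letters, digits, space, _ . ' -
SAFE_NAME = re.compile(r"[A-Za-z0-9 _.'-]{1,64}")

# Constructed stand-in for the body written to tmp/<random>.shtml
PAGE = "<html><body>Hi, {name}! Your name contains {length} characters.</body></html>"


def find_ssi_directives(text):
    """Return the names of SSI directives the server would parse in text."""
    return [m.group(1).lower() for m in SSI_DIRECTIVE.finditer(text)]


def render_vulnerable(name):
    """The 'before': the name is copied into the .shtml body unchanged."""
    return PAGE.format(name=name, length=len(name))


def render_hardened(name):
    """Escape <, >, & and quotes so no '<!--#' sequence survives in the file."""
    return PAGE.format(name=html.escape(name, quote=True), length=len(name))


def accept_name(name):
    """Stricter option: reject anything outside the allowlist before writing."""
    return SAFE_NAME.fullmatch(name) is not None


if __name__ == "__main__":
    samples = ["Alice", '<!--#exec cmd="ls" -->']  # constructed inputs
    for s in samples:
        print(repr(s))
        print("  raw     :", find_ssi_directives(render_vulnerable(s)))
        print("  escaped :", find_ssi_directives(render_hardened(s)))
        print("  allowed :", accept_name(s))
```

If the server is Apache (an assumption; the page does not say), setting `Options IncludesNOEXEC` instead of `Options Includes` also disables `#exec` while leaving the other SSI directives available.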
