0

I am working on this problem:

https://www.hackthissite.org/missions/realistic/3/

The site above has been hacked and it is our job to return it back to its original state. I started by looking at the source code. The hacker left a comment reading:

"Note to the webmaster: This website has been hacked, but not totally destroyed. The old website is still up. I simply copied the old index.html file to oldindex.html and remade this one. Sorry about the inconvenience."

Therefore I went to https://www.hackthissite.org/missions/realistic/3/oldindex.html

I then clicked on submit poetry. In the name field I put ../index.html and in the poem field I put the source code of the page:

www(dot)hackthissite.org(dot)missions/realistic/3/oldindex(dot)html.

I got the right answer; however, I don't quite get how this works.

  1. First of all, how do you know when something is susceptible to directory traversal? I did it because I looked at the forums, but how would I know that directory traversal is an option?

  2. If you click on read poem --> 'poem name' you get a URL like this:

    www(dot)hackthissite(dot)org/missions/realistic/3/readpoem(dot)php?name=The%20Idiot

    In that case wouldn't the final URL using ../index.html be:

    www(dot)hackthissite(dot)org/missions/realistic/3/?name=index(dot)html

    not www(dot)hackthissite(dot)org/missions/realistic/3/index(dot)html

Sorry for the (dot). I need more reputation to post more links.

AstroCB
  • 11,800
  • 20
  • 54
  • 68

1 Answer

0

During a directory traversal attack, the attacker will submit a filename containing characters that will allow them to access files outside of the intended directory. For example, a single dot (.) refers to the current directory and two dots (..) to the parent directory. During an attack the aim will be to access and read restricted files using PHP's elevated privileges.

This is an example of directory traversal vulnerable PHP code:

<?php
// Vulnerable on purpose: $page comes straight from the query string and is
// joined to the directory, so "../" in it walks up out of /pages/.
$page = $_GET['page'];
$filename = "/pages/$page";
$file_handler = fopen($filename, "r");
$contents = fread($file_handler, filesize($filename)); // was filesize($file): $file was never defined
fclose($file_handler);
echo $contents;

In your challenge the file "readpoem.php" is vulnerable in its $_GET['name'] variable, and something similar is happening.

In black-box pentesting you can detect it by following the errors produced when fuzzing a value and analyzing your request/response traffic.

en.wikipedia.org/wiki/Fuzz_testing

One type of solution to prevent this is checking for "forbidden" occurrences as someone put an example here: Preventing Directory Traversal in PHP but allowing paths

Community
  • 1
  • 1
Ed Capetti
  • 339
  • 2
  • 10
  • I still don't quite get it though. How exactly do you know that "readpoem.php" has code like that? Do you just use trial and error? Also that still does not explain the whole ?name = _ thing. Sorry for all the questions. – user3295361 Feb 11 '14 at 02:32
  • Also once I submit a poem, where exactly is it stored? Is it stored in the read poems page, but not listed, or is it stored somewhere else? To me it seems like it is stored elsewhere, because the read poems page seems to use a get method thus the ?page = _; if that's the case it would explain why there is no ?page = _ when it is saved to index. Also I read the article on fuzz testing, but I don't exactly get it, because I don't understand PHP that well. Thanks again! – user3295361 Feb 11 '14 at 02:49
  • "I then clicked on submit poetry. In the name field I put ../index.html and in the poem field I put the source code of the page: www(dot)hackthissite.org(dot)missions/realistic/3/oldindex(dot)html. I got the right answer." I believe that in this step you are declaring the file that's gonna "traverse". And then put the contents with the poem input. – Ed Capetti Feb 11 '14 at 02:54
  • Ok so theoretically after submitting the poem, if I just put a regular name like 'Hello' it would save the file in: the same directory/hello.(file type) – user3295361 Feb 11 '14 at 03:11
  • Correct. But probably in the challenges site they validate that in order to just follow the challenge. – Ed Capetti Feb 11 '14 at 03:12
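The answer's snippet and the comments above both hinge on one point: the value arriving in the query string (`?name=...`) stops being part of the URL the moment the script reads it and joins it to a directory on disk. After that it is a filesystem path, and the filesystem collapses `../` on open, which is why `../index.html` under the poem directory lands on the site's `index.html` and not on a `?name=index.html` URL. The following Python model (an added example, not code from the question, the answer, or the HackThisSite challenge) reproduces that path arithmetic as pure string operations, so it runs without touching a real filesystem, and places the vulnerable join next to an allow-listed version that a defender would use for both reading and saving a poem. `POEM_DIR` is a hypothetical layout; the real challenge's directory structure is not known from the page.

```python
import posixpath
import re
from typing import Optional
from urllib.parse import parse_qs

# Hypothetical directory where readpoem.php / submit would look for poems.
# Constructed for this example; the real site layout is not known.
POEM_DIR = "/var/www/site/poems"


def name_from_query(query: str) -> str:
    """Decode the `name` parameter the way the server sees it ($_GET['name']).

    "%20" is already turned back into a space here, so the script never
    sees URL syntax, only a plain string.
    """
    return parse_qs(query, keep_blank_values=True).get("name", [""])[0]


def vulnerable_path(name: str) -> str:
    """The answer's pattern: base directory joined with the raw user value.

    posixpath.normpath collapses "." and ".." exactly as the OS does when the
    file is opened, so a leading "../" walks out of POEM_DIR.
    """
    return posixpath.normpath(POEM_DIR + "/" + name)


def escapes_base(resolved: str, base: str = POEM_DIR) -> bool:
    """True when a normalized path is not inside `base` (detection check)."""
    base = posixpath.normpath(base)
    return not (resolved == base or resolved.startswith(base + "/"))


# Allow-list for poem names: letters, digits, space, underscore, hyphen.
# No "/", "\\" or "." at all, so no traversal sequence can be expressed.
SAFE_NAME = re.compile(r"[A-Za-z0-9 _-]{1,64}")


def hardened_path(name: str) -> Optional[str]:
    """Mitigation: validate the name first, then re-check the joined path.

    Returns None (caller should reject the request) instead of a path that
    leaves POEM_DIR. Usable for both reading and writing, since it never
    needs the target file to exist.
    """
    if not SAFE_NAME.fullmatch(name):
        return None
    resolved = posixpath.normpath(POEM_DIR + "/" + name)
    if escapes_base(resolved):  # defence in depth; the regex already forbids it
        return None
    return resolved


if __name__ == "__main__":
    for q in ("name=The%20Idiot", "name=../index.html", "name=../../etc/passwd"):
        n = name_from_query(q)
        print(f"{q!r:28} -> raw join {vulnerable_path(n)!r:36} "
              f"escapes={escapes_base(vulnerable_path(n))} "
              f"hardened={hardened_path(n)!r}")
```

Running the block shows `name=../index.html` resolving to `/var/www/site/index.html` under the raw join, while the hardened version returns `None` for it and only ever yields paths directly inside `POEM_DIR`; the same check answers the comment about where a submitted poem ends up, because a plain name such as `Hello` maps to `POEM_DIR/Hello` and nothing else. The allow-list approach is stricter than the "forbidden occurrences" blacklist the answer links to, since it does not have to enumerate every encoding of `..`.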