PROBLEM: This time Network Security sam has saved the unencrypted level7 password in an obscurely named file saved in this very directory.

In other unrelated news, Sam has set up a script that returns the output from the UNIX cal command. Here is the script:

SOLUTION: Level 7 is a very easy level, if you are a Linux user. We don’t even have to check the source. The crew is kind enough to tell us where the password is: in an obscurely named file, saved in the current working directory. Now, we only need to come up with a way to get a directory listing. This is when a very useful and frequently used UNIX command should come to mind — ls. From the ls man page:

ls – list directory contents

Sounds good. If only we could perform arbitrary operations remotely. Take a look at that unrelated script that calls cal. Try it out by inputing a random year and submitting. It looks just like the normal output of cal. Remember that, when searching for security vulnerabilities, you should always think like the developer. How could look like? This is a simplification:

Where $year is the input. Injections are the bane of all web applications. Here, a Perl injection would come handy. What happens if you do not enter a year? If my guess about what the code looks like was correct, it will be executed as a normal command. Let’s take year 2005 just for the sake of it.

The command executed now will be cal 2005 && ls /. This will first give you a calendar of the year 2005 AD, after which it will give you what you want: the directory listing. Just look through the directory listing after an obscurely named file, and then read the file in your web browser. Mission accomplished.

If you didn’t like Network Security Sam, you could’ve made things much, much more nasty.

for instance, would delete everything in the filesystem.