PROBLEM: Sam remains confident that an obscured password file is still the best idea, but he screwed up with the calendar program. Sam has saved the unencrypted password file in /var/www/

However, Sam’s young daughter Stephanie has just learned to program in PHP. She’s talented for her age, but she knows nothing about security. She recently learned about saving files, and she wrote a script to demonstrate her ability.

SOLUTION: Let’s take a look at Stephanie’s name script. It appears that her script creates a file in some directory, and when you open this file it shows your name. Once you see this, you should think about using SSI (Server Side Includes). To learn more about SSI start here.

With SSI you can place directives in an HTML page to be evaluated on the server. Which directive do we use? exec. The exec directive is used to execute any UNIX command on the server. If you remember, in the last level we used ls to get the directory listing. Well, let’s try that.

You might notice that you get a bunch of files, and none of them will have your password in it. Why is that? Well, if you look at the URL you will notice that the directory you are searching is /tmp/, and this directory houses all the temporary files created by Stephanie’s script. Since you don’t want that directory and you want the parent directory, the code will look like this:

This will allow us to see the pages in the parent directory. Then look at each page and find the password.
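
Seen from the defender's side, the level works because the name script stores submitted text verbatim in a file the server parses for SSI. The following is an added sketch in Python, not part of the original walkthrough or the mission's code, of screening and escaping that input before it is saved; the function names, the `.html` extension and the sample inputs are assumptions constructed for illustration.

```python
import html
import os
import re
import secrets
import tempfile

# Opening of an SSI directive, e.g. <!--#exec ... -->; captures the directive name.
SSI_DIRECTIVE = re.compile(r"<!--\s*#\s*([A-Za-z]+)")

def find_ssi_directives(text):
    """Return the lowercased names of any SSI directives present in text."""
    return [name.lower() for name in SSI_DIRECTIVE.findall(text)]

def neutralize(text):
    """HTML-escape input so '<' becomes '&lt;' and no directive survives on disk."""
    return html.escape(text, quote=True)

def store_name(name, directory):
    """Hypothetical safe replacement for the name script's save step.

    Rejects input containing a directive, escapes everything else, and writes
    it under a server-chosen random filename. Returns the path written.
    """
    found = find_ssi_directives(name)
    if found:
        raise ValueError("SSI directive(s) in input: " + ", ".join(found))
    path = os.path.join(directory, secrets.token_hex(8) + ".html")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("Hi, " + neutralize(name) + "!\n")
    return path

if __name__ == "__main__":
    # Constructed sample inputs, not taken from the mission.
    samples = ["Stephanie", "<b>Sam</b>", '<!--#exec cmd="ls" -->']
    with tempfile.TemporaryDirectory() as tmp:
        for s in samples:
            try:
                print("stored:", open(store_name(s, tmp)).read().strip())
            except ValueError as err:
                print("rejected:", err)
```

Escaping alone already stops the directive from being evaluated; the explicit rejection gives the application a point at which to log the attempt.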