PROBLEM:
Network Security Sam is going down with the ship – he’s determined to keep obscuring the password file, no matter how many times people manage to recover it. This time the file is saved in /var/www/hackthissite.org/html/missions/basic/9/.

In the last level, however, in my attempt to limit people to using server side includes to display the directory listing to level 8 only, I have mistakenly screwed up somewhere.. there is a way to get the obscured level 9 password. See if you can figure out how…

This level seems a lot trickier then it actually is, and it helps to have an understanding of how the script validates the user’s input. The script finds the first occurance of ‘<–’, and looks to see what follows directly after it. If it matches “#exec cmd=”ls”–>” or “#exec cmd=”ls /home/xec96/public_html/missions/basic/8/”–>” it accepts it. If it does not match any of the situations above, then it kicks the user out.

SOLUTION:
When I completed this mission I thought that the way I was doing it was cheating. But after reading the problem again and understand that the point of this might be to demonstrate that vulnerabilities are not always where you expect them to be I was content with my process.

Remember level 8 when you put in:

you got the wrong information because we were in the wrong directory. Well lets go back to level 8 traverse to the correct directory.

We already know that ../ brings us to /basic/8/ so we want the parent directory of that so ../../ brings us to /basic and now we want to go into the “9″ folder so ../../9 should bring us to the correct directory. This also meets the criteria in the problem description. So lets put it together:

Now that you have the password file navigate back to level nine enter the path and there is the password.