Basic Mission 8

[HollowPoint357]

Hey everyone,
I was finally able to get the result after some help from outside websites, but I still do not totally understand how this whole process works. I read up a bit on SSI, as this was my first exposure to it, but if anyone would care to PM me with a quick explanation I would greatly appreciate. Aside from this, I'll keep reading up to see if I can grasp the concept. Love the site btw, today was my first visit to it.

[facelessman26]

It is a matter of syntax and then follow what you learned in 7

[Yusufmalikul]

What do yo need is to tell the shtml to show where the password file is.

[Rookie64v]

Quoting the tutorial:

Basic Web Hacking - Mission 8:

This mission introduces a new dot extension that you have never seen so far in the challenges. It is .shtml. Before going any further, I would reccommend you do some research on .shtml more specifically SSI (Server Side Includes).
Sam gives the file that the password file is stored in /var/www/hackthissite.org/html/missions/basic/9/.
When you use the script on that page you will notice that it takes you two directories ahead of where the password is stored.
Like the last challenge, you will want to list the files to find the one that you want but in a different format (SSI). You will also have to find the *NIX/UNIX command to go back two directories.
You will have to get the code dead on because your syntax is monitored very carefully.

Actually, there's an error (well, /basic/9/ is just a mistype I think). You needn't go back two directories, if you think about it. And, by the way, I'm an Ubuntu user and the command I tried first didn't work because the syntax wasn't allowed, so be careful not to google the highlighted text because the answer will not be the correct one

[ghest1138]

HINT:
The password file isn't in the /tmp directory, try a Unixy way to look inside a different directory

[cluele55]

It's been posted about a dozen times (at least) in this thread, but I'll emphasize again: all you need to solve this can be found in the following two links:

http://httpd.apache.org/docs/1.3/howto/ssi.html

and

http://www.computerhope.com/unix/uls.htm

Once you figure that out, be very VERY mindful of your url bar (that cost me some extra time). I kinda feel dumb for that part.

I finally got it after this hint! The format of the command has to be very specific. Seems like spaces and everything must be exact. I was typing in the correct command but was not formatting it with the correct spacing.

Omg, the spacing thing killed me too. I feel so stupid. I've studied a variety of languages (not particularly good at any of them) and I often get the syntax mixed up between them (like whether spaces are important or if a bracket or semi-colon is needed). I also sometimes use Linux. So I could not figure out what I was doing wrong. I kept getting the "we're limiting allowable commands...go back and fix your code" message and was completely stumped. I knew I was using the most logical approach, but went back and tried a whole variety of other options. Nothing worked. So I actually spent weeks reviewing SSI and PHP and even studied a wealth of other injection methods. I kept coming up with the same command.

I didn't want anyone to give me the answer so I was grateful that this forum doesn't allow spoilers. The above post (and a few others like it) finally got me to look at my script a little more closely. Spacing counts. Duh. So maybe I'm feeling very stupid about this, but the good thing is, my mistake made me go out and learn more. So thanks to everyone for the hints without spoilers!

[Artarka]

i got the "your on the right track" message but i cant find anything else with unixs i dont get anything and with ssi or ssi and unix i get the "your on the right track but...." could i get a pm or a big hint because i just cant find it

You don't need to be in the directory that a file is in to view said file..

I just finished it and i found this hint useful. just FYI

[rasengan913]

I have learned so much from this site I am eternally grateful.

The way the tutorials function is to challenge you with something you have never seen before and give you just enough information to hunt down what you need to succeed. So if you are struggling I suggest purposefully avoiding all these spoilers and reading your ass off. Learning basic Unix commands will be useful later. This will not be the last time you see SSI (you see it every day technically). So although it is tedious and frustrating, it is worth it. You are learning skills that you can someday look back to for reference and that you will use as a building block to move up. I suggest saving some of the high quality reference pages you find in the forum hints and using them later on (preferably before you ask for the answer).

Bedtime,
Rasen

[Resorted]

This one is killing me-.- Don't even know where to start Can anyone explain it in super noob language for me please?

[N3nvy]

This link helped me too: http://www.computerhope.com/unix/uls.htm

I found the list of .shtml files but couldn't find the .php files. Check that the command you have entered is actually the one you need to find the .php files. For me, it was chance that I found the answer, I was confused throughout the whole mission and it was really an estimation. Pay attention to detail and take advantage of the hints.

Good luck, everything is hard before it's easy.