CTF · Very Easy

HackThisSite — Basic Mission 7

ducky
2026-05-19

Reconnaissance

The mission form takes a year and hands it to the shell as: cal <user_input>

Tested 123 → returned a calendar for the year 123. Confirmed the input reaches the shell command unmodified.


Exploitation

Step 1 — Test Direct Injection

Tried: ls -la → blank output. The text was passed to cal as its argument rather than run as a command, cal rejected it as a year, and no calendar was printed.

Step 2 — Chain Commands with ;

Payload: ;ls -la or 123;ls -la

The ; terminates the cal command and the shell runs ls -la as a second command. With 123;ls -la the calendar is printed first, followed by the directory listing.

Output revealed directory listing:

index.php
level7.php
cal.pl
k1kh31b1n55h.php   ← suspicious obscure filename

Step 3 — Access the File

Navigated directly to:

https://www.hackthissite.org/missions/basic/7/k1kh31b1n55h.php

Page returned the plaintext password → submitted → Congratz!


Root Cause

User input was concatenated into a shell command line without validation or escaping, so shell metacharacters such as ; were interpreted by the shell rather than treated as part of the year. Classic OS Command Injection (OWASP Top 10 A03:2021 Injection, CWE-78).


Key Takeaway

Never pass unsanitized user input to shell commands. Prefer language-native libraries (e.g. Python's calendar module) over shelling out; if an external program is unavoidable, invoke it with an argument vector rather than a shell string, and validate the input against a strict allow-list (here: one to four decimal digits) before it is used anywhere.
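The following is an added example, not code from the mission or from HackThisSite. It reproduces the injection pattern from the Exploitation section in Python (the original is a Perl script, cal.pl, which is not shown) and puts the two fixes from the Key Takeaway beside it: an allow-list validator, an in-process calendar via Python's calendar module, and an argv-style call for the case where an external binary is still wanted. The function names, the 1..9999 range and the demo payload 123;echo INJECTED are assumptions for illustration; the demo block needs a POSIX shell and is only run when the file is executed directly.

```python
"""Vulnerable vs. hardened handlers for the "cal <user_input>" pattern.

Added example (not the mission's own cal.pl). The vulnerable function
deliberately keeps the bug described in the writeup so the payload from
Step 2 can be reproduced against it.
"""
import calendar
import re
import subprocess

# Allow-list: one to four decimal digits. fullmatch is used instead of ^...$
# because '$' would still match "123\n" (a trailing newline reaches the shell).
YEAR_RE = re.compile(r"[0-9]{1,4}")


def vulnerable_cal(user_input: str) -> str:
    """Mirrors the mission's bug: the raw string is spliced into a shell line.

    shell=True hands the whole string to /bin/sh -c, so a ';' in user_input
    ends `cal` and starts a second command exactly as in Step 2.
    """
    completed = subprocess.run(
        "cal " + user_input,
        shell=True, capture_output=True, text=True, check=False,
    )
    return completed.stdout


def validate_year(user_input: str) -> int:
    """Allow-list validation: the only acceptable input is a small integer.

    Anything else, including '123;ls -la', ';ls -la' or 'ls -la', is rejected
    before it gets near a shell or any other sink.
    """
    if not YEAR_RE.fullmatch(user_input):
        raise ValueError(f"rejected input: {user_input!r}")
    year = int(user_input)
    if not 1 <= year <= 9999:  # assumed range, matches datetime.MINYEAR..MAXYEAR
        raise ValueError(f"year out of range: {year}")
    return year


def is_valid_year(user_input: str) -> bool:
    """Boolean wrapper around validate_year for callers that only need yes/no."""
    try:
        validate_year(user_input)
        return True
    except ValueError:
        return False


def safe_cal_no_shell(user_input: str) -> str:
    """Preferred fix: no process is spawned; calendar builds the text in-process."""
    year = validate_year(user_input)
    return calendar.TextCalendar().formatyear(year)


def safe_cal_argv(user_input: str) -> str:
    """Fallback fix if the external `cal` binary must be used.

    An argv list is passed with shell=False (the default), so the year is a
    single argument to cal and no shell ever parses it; validation still
    runs first so only a number can reach the binary at all.
    """
    year = validate_year(user_input)
    completed = subprocess.run(
        ["cal", str(year)], capture_output=True, text=True, check=False,
    )
    return completed.stdout


if __name__ == "__main__":
    payload = "123;echo INJECTED"  # constructed payload in the shape of Step 2
    print("vulnerable handler ran injected command:",
          "INJECTED" in vulnerable_cal(payload))
    for handler in (safe_cal_no_shell, safe_cal_argv):
        try:
            handler(payload)
        except ValueError as exc:
            print(f"{handler.__name__}: {exc}")
    print(safe_cal_no_shell("123").splitlines()[0].strip())
```

Running the file directly prints True for the vulnerable handler (the echo after the ; executed), a rejection message from each hardened handler, and the heading line of the year-123 calendar from the in-process version. The argv variant is kept separate on purpose: it is the right shape when an external tool is genuinely needed, but the validator is what stops the payload, and the calendar module removes the process boundary entirely.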

Tags

#hackthissite #basic-mission-7 #missions/basic/7
