CTF, Very Easy

HackThisSite - Basic Mission 8

Ducky
2026-05-19


Reconnaissance

The page hints at two things:

  • Password is stored at /var/www/hackthissite.org/html/missions/basic/8/
  • Stephanie's script saves your name into a .shtml file and serves it back

URL pattern after submit:

/missions/basic/8/tmp/randomname.shtml

The .shtml extension means the server processes Server Side Includes (SSI) directives in the file before serving it.


Failed Attempts

Tried command injection from Basic 7:

;ls -la

Output: Hi, ;ls -la! Your name contains 7 characters. → No execution. This is SSI, not shell injection.


Finding the Right Payload

Tried SSI exec directive:

<!--#exec cmd="ls/."--> 

→ Promising but syntax slightly off.

Final working payload:

<!--#exec cmd="ls ../"-->

Output revealed:

au12ha39vc.php   index.php   level8.php   tmp/

Getting the Password

Navigated directly to:

https://www.hackthissite.org/missions/basic/8/au12ha39vc.php

Returned the plaintext password → submitted → Congratz!


Root Cause

User input is written into a .shtml file without sanitization. The server parses SSI directives in .shtml files automatically, which turns a name field into a remote command execution vector.


Key Takeaway

Never write unsanitized user input into server-parsed files. SSI directives in .shtml files execute with server privileges. Sanitize all input and avoid serving user-controlled content through SSI-enabled file types.
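
The fix in miniature, as an added example (not the mission's own code): the greeting is built once with raw input and once with entity-encoded input, and a check flags any SSI directive left in the output. The function names and the name allow-list are assumptions; the greeting format and the sample inputs come from the outputs shown above.

```python
import html
import re

# Opening of any SSI directive, e.g. <!--#exec or <!--#include
SSI_DIRECTIVE = re.compile(r"<!--#\w+", re.IGNORECASE)

# Assumed policy for a "name" field: letters, spaces, hyphen, apostrophe, 1-64 chars
NAME_ALLOWED = re.compile(r"[A-Za-z][A-Za-z '\-]{0,63}")

TEMPLATE = "Hi, {name}! Your name contains {count} characters."


def render_vulnerable(name: str) -> str:
    """The 'before': raw input is placed in the body of a server-parsed file."""
    return TEMPLATE.format(name=name, count=len(name))


def render_hardened(name: str) -> str:
    """Entity-encode <, >, & and quotes so no '<!--#' sequence reaches the file."""
    return TEMPLATE.format(name=html.escape(name, quote=True), count=len(name))


def contains_ssi(body: str) -> bool:
    """True if the body still holds something the SSI parser would act on."""
    return SSI_DIRECTIVE.search(body) is not None


def is_valid_name(name: str) -> bool:
    """Allow-list check to run before rendering; rejects markup outright."""
    return NAME_ALLOWED.fullmatch(name) is not None


if __name__ == "__main__":
    # Inputs taken from the writeup, plus one ordinary name
    for sample in ["Stephanie", ";ls -la", '<!--#exec cmd="ls ../"-->']:
        raw, safe = render_vulnerable(sample), render_hardened(sample)
        print(f"input      : {sample}")
        print(f"  allowed  : {is_valid_name(sample)}")
        print(f"  raw      : SSI directive present = {contains_ssi(raw)}")
        print(f"  hardened : SSI directive present = {contains_ssi(safe)}")
        print(f"  written  : {safe}")
```

Encoding alone neutralizes the directive; the allow-list is a second layer, and the most robust option remains not serving user-written files from an SSI-enabled path at all.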
