BASIC WEB CHALLENGE Day 7

Hello guys am back again with HTS and today were going to do day 7, but you can also check the other days writteup **STEP 1:** read the challenge description "This time Network Security sam has saved the unencrypted level7 password in an obscurely named file saved in this very directory. In other unrelated news, Sam has set up a script that returns the output from the UNIX cal command. Here is the script:" ![](https://hackmd.io/_uploads/SJAErdcsh.png) The main aim of this challenge is to introduce you to simple and basics of command injection here we go **STEP 2:** Lets try to input year 2023 and see what it displays ![](https://hackmd.io/_uploads/ryv9BOcoh.png) it seems that if we input yr 2023 it displays all the months of this year, so we can try to bind the year and the commands, since and see if we can get and results ,it will be true if and only if the developer hasn't input some filters in the user section ![](https://hackmd.io/_uploads/rkLEU_5i2.png) And then resulted into ![](https://hackmd.io/_uploads/HkOvIucs2.png) and there we can see the most interested file is k1kh31b1n55h.php and if we try to move to thi file we get something very interested ![](https://hackmd.io/_uploads/rJUALOqih.png) Now copy the file and submit it to solve the challenge ![](https://hackmd.io/_uploads/HJMbDOcsh.png) **Finally** we managed to solve the challenge, that you hackers lets meet day 8