CTF: SEC-T CTF 2017
Challenge: Sprinkler System
Classification: Web
The challenge starts by pointing to a URL, and when we check it out the following site comes up:
Not too much here at all... But out of habit when nothing else is shown, check robots.txt!
Well this is interesting and worth checking out, so after putting "/cgi-bin/test-cgi" into the browser, it gives us a test script report, which should be exploitable.
This site served as a good reference for how to exploit this.
Inputting "/cgi-bin/test-cgi?*" shows the scripts that are present for this site, and we can see something sprinkler-related.
Let's see if we can execute this by appending it to our URL...
Sprinkler systems activated and we get our flag!