Exploit the web based ping command tool and capture the flag.
InsomniHack Smartcat 2
Due to filtering it was impossible to enter any white space in commands, making it far more difficult than the smartcat1 challenge. Initially I tried and failed to use a /dev/tcp/ip/port reverse shell.
The environment variable HTTP_USER_AGENT=, which contains the contents of the User-Agent: field, had no filtering, allowing easy injection of a reverse shell.
Using command injection it was possible to execute /proc/self/env and so successfully execute the reverse shell.
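As an added, defender-side example (not the challenge's or the author's code), the Python below shows why a whitespace blocklist of the kind described above is not a fix: the naive filter passes input that contains no spaces, while the hardened version allow-lists the target, runs ping as an argument list with no shell, and gives the child a minimal environment so request headers such as User-Agent never appear as variables. The function names, the ping argument layout and the count limit are assumptions.

```python
import ipaddress
import re
import subprocess

# RFC 1123 style hostname: dot-separated labels of letters, digits and
# hyphens, no label starting or ending with a hyphen, at most 253 chars.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def naive_whitespace_filter(target: str) -> bool:
    """Blocklist of the kind the challenge used: rejects whitespace only.
    Shell metacharacters such as ';' or '$' pass straight through."""
    return not any(ch.isspace() for ch in target)


def validate_target(target: str) -> str:
    """Allow-list check: accept an IPv4/IPv6 literal or a plain hostname,
    raise ValueError for anything else. Returns the normalised target."""
    if not target or len(target) > 253:
        raise ValueError("empty or overlong target")
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    if _HOSTNAME_RE.match(target):
        return target
    raise ValueError(f"not an IP address or hostname: {target!r}")


def build_ping_argv(target: str, count: int = 3) -> list[str]:
    """Build ping's argv (assumed layout). The target is a single argument,
    never part of a shell string, so it cannot split into extra commands."""
    if not 1 <= count <= 10:
        raise ValueError("count out of range")
    return ["ping", "-c", str(count), validate_target(target)]


def run_ping(target: str) -> str:
    """Run ping without a shell, with a timeout and a minimal environment:
    CGI-style HTTP_* variables are not inherited, so a header can no longer
    smuggle a payload into the child process."""
    proc = subprocess.run(build_ping_argv(target), capture_output=True,
                          text=True, timeout=30, check=False,
                          env={"PATH": "/usr/bin:/bin"})
    return proc.stdout
```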
Putting it all together using curl:
The flag was not readable by www-data; the binary readflag was required to read the contents of the flag.
A couple of lines needed typing in to “confirm” you had an interactive shell; after entering them, the flag was displayed:
Thanks for the challenge :)