The first attempt to solve this challenge is to provide a file URL, like so: `file:///A:/flag.txt`. However this is not considered a valid URL by the filter, as indicated by the error message:
ERROR: Illegal URL found, haxor?
The VM that is used is also provided for download. We find the startup script that is used to launch Internet Explorer with our URL at `C:\WOW.bat`.
START C:\MSIE50\IEXPLORE.EXE "http://10.0.2.2"
Our second attempt is to perform command injection in order to open Notepad with the flag after loading a URL. Unfortunately the filter also flags this attempt as an illegal URL like before.
Once we figured out that the VM is able to connect to other IP addresses on the LAN, it became clear that it is possible to make it connect to our machine. We create a simple Python web server that redirects any incoming GET request to the location of the flag.
The server looked as follows:
#This class will handles any incoming request from
#Handler for the GET requests
# Send the html message
#Create a web server and define the handler to manage the
server = HTTPServer(('', PORT_NUMBER), myHandler)
print 'Started httpserver on port ' , PORT_NUMBER
#Wait forever for incoming htto requests
print '^C received, shutting down the web server'
Now we load up the web server and submit our IP-address as the URL. After booting up, the machine sends us a GET request and is redirected as we explained above.
$ sudo python webserver.py
Started httpserver on port 80
22.214.171.124 - - [09/May/2019 16:34:53] "GET / HTTP/1.0" 301 -
The VM starts and opens Internet Explorer 5, which is redirected to the flag on the system.
Voilà, challenge solved.