Tags: web
Rating:

Clicking the link took me to the default Apache page, so I decided to go straight into gobuster to find other pages.

The first time I ran it, the /cgi-bin/ directory stood out to me, so I ran it again against that directory and discovered the scriptlet file located within.

This appears to be a bash script that just runs whoami. Since this is bash, let's try exploiting Shellshock. (cgi-bin + CTF - user input = Shellshock)
To begin, I intercepted the request Firefox was making to the script in Burp Suite.

Then I hit Ctrl + R to send it to Repeater to make things easier.

To test for Shellshock, we can replace the User-Agent string with `() { :;}; echo; echo vulnerable`. The web server passes that header to the script as the `HTTP_USER_AGENT` environment variable, and a vulnerable bash imports the `() { :;}` part as a function definition but keeps executing the commands that follow it. The first `echo` prints the blank line that ends the CGI header block, so the output of the second `echo` comes back in the response body. If the response from the server contains the word `vulnerable`, we have a hit.
And it did.

My home network wouldn't allow me to catch a reverse shell, but Burp Suite is all the shell I need at this point. After some poking around, I found something interesting at / (the full path to ls was required).

Catting the file revealed hex data.

So I threw that into CyberChef and decoded from hex. After decoding, CyberChef was nice enough to point out that this was gzipped data and just handed me the flag.
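The same two decoding steps without CyberChef, as an added example that is not part of the original write-up and not the author's code. The sample payload is constructed here from a placeholder flag; the real file contents are not reproduced. The gzip detection is the same inference CyberChef makes, keyed on the `1f 8b` magic bytes at the start of the decoded data:

```python
"""Decode a hex dump to bytes, then gunzip it when the bytes are gzip.

Added example, not the author's code. The sample below is constructed
from a placeholder flag; the real flag is not reproduced.
"""
import gzip

GZIP_MAGIC = b"\x1f\x8b"  # first two bytes of every gzip member


def hex_to_bytes(hex_text: str) -> bytes:
    """Convert a hex dump to bytes, ignoring the whitespace and newlines
    that terminal output usually carries."""
    return bytes.fromhex("".join(hex_text.split()))


def decode_hex_gzip(hex_text: str) -> bytes:
    """Hex-decode, then gunzip only if the magic bytes say the result is gzip.

    Nothing in a hex string announces 'gzip'; the tell is the 1f 8b header
    on the decoded bytes, which is what CyberChef's magic detection keys on.
    Non-gzip data is returned as-is rather than raising.
    """
    raw = hex_to_bytes(hex_text)
    if raw.startswith(GZIP_MAGIC):
        return gzip.decompress(raw)
    return raw


# Constructed sample: a placeholder flag, gzipped with a fixed mtime so the
# output is reproducible, rendered as the kind of hex string `cat` would show.
FLAG = b"flag{placeholder_not_the_real_flag}\n"
SAMPLE_HEX = gzip.compress(FLAG, mtime=0).hex()


if __name__ == "__main__":
    print(SAMPLE_HEX)
    print(decode_hex_gzip(SAMPLE_HEX).decode())
```

`hex_to_bytes` strips whitespace first because copying hex out of a Burp response typically brings line breaks with it, and `bytes.fromhex` rejects them.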

Success! This was a really fun challenge.