51 lines
1.3 KiB
Markdown
51 lines
1.3 KiB
Markdown
|
**Title:** Very Old Website
|
||
|
|
|
||
|
|
**Description:** We have checked our very old website whether it contains a vulnerability. But lucky we were unable to find anything. Can you check, just to be sure?
|
||
|
|
|
||
|
|
**Flag:** Three flags (of different levels)
|
||
|
|
|
||
|
|
- `IG{1-IchBinKeinNetScapeNavigator}`
|
||
|
|
- `IG{2-GoodJobCoconut}`
|
||
|
|
- `IG{3-0PHP0IS0FUN0!}`
|
||
|
|
|
||
|
|
**Hints:**
|
||
|
|
|
||
|
|
- First flag: `Mozilla/5.0`
|
||
|
|
- Second flag: `Read the REAL /password.txt`
|
||
|
|
- Third flag: `$PS1, $PWD, $UID, $SHELL`
|
||
|
|
|
||
|
|
**Files given:** _None_
|
||
|
|
|
||
|
|
**How the challenge works:**
|
||
|
|
|
||
|
|
1. Change the useragent to `Navigator/` (or a real Netscape useragent string)
|
||
|
|
2. First flag: `X-Flag` header on `/`
|
||
|
|
3. Read `http://ip/robots.txt`
|
||
|
|
4. Fake files: `http://ip/password.txt`, and `http://ip/flag.txt`
|
||
|
|
5. Check source of `http://ip/admin/`
|
||
|
|
6. See possible path vulnerability: `?p=login.php`
|
||
|
|
7. Try `?p=../../../../../../password.txt`
|
||
|
|
8. Does not work, `..` replaced with `.`
|
||
|
|
9. Retry with `?p=.../.../.../.../.../.../password.txt`
|
||
|
|
10. Hurray password!
|
||
|
|
11. Log in using these credentials on `http://ip/admin/`
|
||
|
|
12. Hurray another flag: `<input type="hidden" name="flag">`
|
||
|
|
13. Remote Code Execution, send payload `phpinfo()` using admin panel.
|
||
|
|
14. Refresh `http://ip/`
|
||
|
|
15. Find third flag.
|
||
|
|
|
||
|
|
**How to deploy:**
|
||
|
|
|
||
|
|
```
|
||
|
|
./docker.sh
|
||
|
|
```
|
||
|
|
|
||
|
|
**How to stop:**
|
||
|
|
|
||
|
|
```
|
||
|
|
docker stop very-old-website
|
||
|
|
```
|
||
|
|
|
||
|
|
Container is automatically removed!
|
||
|
|
|