Given the challenge we browsed over to http://sprinklers.alieni.se/ and were presented with an old administrator interface for the sprinkler system.

We took a look at the usual avenues when presented with a web challenge and browsed over to /robots.txt.

Noticing the /cgi-bin/test-cgi entry, we immediately browsed to that web directory and discovered a test script report page:

Adding an extra / after test-cgi, we noticed that the report revealed the web root directory: “PATH_TRANSLATED =/var/www/html/index.html”. With this clue we knew there was a possibility of discovering other files and directories.

After a bit of searching we came across two interesting links, the first on insecure.org and the other related to CVE-1999-0070. Given this information, we started testing different queries against the web server until we used http://sprinklers.alieni.se/cgi-bin/test-cgi?* which gave some interesting results and gave us the feeling we were going to need an umbrella 🙂

We now see “QUERY_STRING = enable_sprinkler_system test-cgi”, and using this query string to browse to http://sprinklers.alieni.se/cgi-bin/enable_sprinkler_system gave us rewarding results:

 

Flag: SECT{-p00l_On_t3h_r00f_must_h@v3_A_l3ak!-}
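The `?*` query works because the sample test-cgi script covered by CVE-1999-0070 echoes `$QUERY_STRING` without quotes, so the shell expands the `*` against the files in the script's working directory. The sketch below is an added example, not code from the challenge server: it reproduces that behaviour in a scratch directory (constructed, using the two file names from the output above) next to the quoted form that fixes it; all function names are hypothetical.

```shell
#!/bin/sh
# Constructed demo: a scratch directory stands in for cgi-bin.
make_demo_dir() {
    dir=$(mktemp -d) || return 1
    : > "$dir/enable_sprinkler_system"
    : > "$dir/test-cgi"
    printf '%s\n' "$dir"
}

# Vulnerable form: $QUERY_STRING is unquoted, so the shell performs
# pathname expansion (globbing) on its value before echo runs.
# $1 = directory the script runs in, $2 = query string from the request.
vulnerable_report() {
    ( cd "$1" && QUERY_STRING=$2 && echo QUERY_STRING = $QUERY_STRING )
}

# Hardened form: the quoted expansion is passed through literally.
# printf is used so the value is never treated as echo options/escapes.
hardened_report() {
    ( cd "$1" && QUERY_STRING=$2 && printf 'QUERY_STRING = %s\n' "$QUERY_STRING" )
}

# Run both forms on the same input and clean up afterwards.
demo() {
    d=$(make_demo_dir) || return 1
    echo "unquoted: $(vulnerable_report "$d" '*')"
    echo "quoted:   $(hardened_report "$d" '*')"
    rm -rf "$d"
}

demo
```

The unquoted form prints the directory listing in place of the `*`, while the quoted form prints the `*` unchanged; removing sample CGI scripts such as test-cgi from production servers closes the issue entirely.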
