Given the challenge we browsed over to http://sprinklers.alieni.se/ and were presented with an old administrator interface for the sprinkler system.
We took a look at the usual avenues when presented with a web challenge and browsed over to /robots.txt.
Noticing the /cgi-bin/test-cgi dir, we immediately browsed to that web directory and discovered a test script report page.
Adding an extra / after test-cgi, we noticed that we could view the web root directory: “PATH_TRANSLATED =/var/www/html/index.html”. With this clue we knew there were possibilities of files and directories.
So a bit of searching and we came across two interesting links, the first one on insecure.org and the other related to CVE-1999-0070. Given this information, we started testing different query commands against the web server until we used http://sprinklers.alieni.se/cgi-bin/test-cgi?* which gave some interesting results and gave us the feeling we were going to need an umbrella 🙂
We now see the “QUERY_STRING = enable_sprinkler_system test-cgi” and using this query string to browse to http://sprinklers.alieni.se/cgi-bin/enable_sprinkler_system gave us rewarding results.
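The file names in that QUERY_STRING line come from shell pathname expansion of the `*`. The sketch below is an added example, not the challenge server's script: it assumes test-cgi echoes `$QUERY_STRING` unquoted, as the historical script behind CVE-1999-0070 did, and uses hypothetical function names and a scratch directory with constructed file names to show that form beside a quoted one.

```shell
#!/bin/sh
# Constructed demo of the test-cgi globbing leak and its fix.
# Function names and the scratch directory are hypothetical.

# Vulnerable form (assumed to match the old test-cgi): the variable is
# unquoted, so the shell glob-expands "*" into the names of the files
# in the current directory before echo ever sees it.
report_vulnerable() {
    echo QUERY_STRING = $QUERY_STRING
}

# Hardened form: double quotes suppress word splitting and pathname
# expansion, and printf treats the value purely as data.
report_hardened() {
    printf 'QUERY_STRING = %s\n' "$QUERY_STRING"
}

# demo <reporter>: run a reporter inside a scratch "cgi-bin" with the
# query string set to "*", and print what the reporter emitted.
demo() {
    dir=$(mktemp -d) || return 1
    # Constructed stand-ins for the scripts living next to test-cgi.
    : > "$dir/enable_sprinkler_system"
    : > "$dir/test-cgi"
    out=$(cd "$dir" && QUERY_STRING='*' && "$1")
    rm -rf "$dir"
    printf '%s\n' "$out"
}

demo report_vulnerable   # leaks the directory listing
demo report_hardened     # echoes the literal "*"
```

When reviewing CGI shell scripts, any unquoted expansion of a request-derived variable (`QUERY_STRING`, `PATH_INFO`, `HTTP_*`) is worth flagging for the same reason.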