IceCTF 2016 – Geocities (web 100)

August 26, 2016

TLDR: shellshock, metasploit, pivot, sqlmap

A cool web challenge, here the description:

I recently stumbled onto this old site, it’s a miracle that it’s still up! It must be running some ancient technology and probably hasn’t been updated in years, it’s our lucky day boys!


I first solved it like probably everyone else (index.cgi -> shellshock -> list files -> (search for flag on the server…) -> see perl script that connects to a DB on the internal network -> creates a modified version of the perl script in /tmp and executes it to get the DB content as there was no mysql on the vulnerable server).

But then this challenge was really cool, it’s not every day that you have a multiple machines environment (you can practice it in a Windows and Active Directory environment here :), so time to get the big guns, metasploit and sqlmap 🙂

I used the apache_mod_cgi_bash_env_exec Shellshock exploit to get a meterpreter shell.


From there, list the files and display the perl script to get the DB connection details (host, port, user, password, database name).



To get the IP address of the DB server, look into /etc/hosts


Then use the port forwarding command to forward all connections made to a port of the local machine to the DB server in order to be able to use sqlmap on the remote DB


And finally starts sqlmap using a direct connection to the local machine and the port defined above to dump the DB



PS: from the hosts file, an attentive reader would find another interesting sounding host, but its exploitation is left as an exercise for the reader

Leave a Reply

Get Adobe Flash player