User audit: Difference between revisions
No edit summary |
No edit summary |
||
| (One intermediate revision by the same user not shown) | |||
| Line 1: | Line 1: | ||
[[File:User-audit-task.PNG|thumb|User audit task]] | |||
[[File:User-audit-flag.PNG|thumb|User audit flag and url parameters]] | |||
===Description=== | ===Description=== | ||
Junior system administrator has a recurring task to do regular audit on users and administrators present on the server. | Junior system administrator has a recurring task to do regular audit on users and administrators present on the server. | ||
| Line 9: | Line 12: | ||
===Solution=== | ===Solution=== | ||
When I opened the web page, I noticed that the links open txt files on the web page and the parameters are sent with the GET command. This is shown in the browser address bar. | When I opened the web page, I noticed that the links open txt files on the web page and the parameters are sent with the GET command. This is shown in the browser address bar. | ||
I immediately set off to see how the program would work if I used the ../ command to navigate the folder. After testing for a while, I found that with | |||
I immediately set off to see how the program would work if I used the ../ command to navigate the folder. After testing for a while, I found that with the right formatting of the address parameter we can also open files outside the www folder from the server. | |||
So I opened the secret.txt file by adding <code>../../../backup/secret.txt</code> to the address field | So I opened the secret.txt file by adding <code>../../../backup/secret.txt</code> to the address field | ||
Latest revision as of 11:36, 30 September 2022
Description
Junior system administrator has a recurring task to do regular audit on users and administrators present on the server.
He has created a web application to help him with the task.
50pts
Question
Use the weakness in the web application to read a secret file at /var/backup/secret.txt
Solution
When I opened the web page, I noticed that the links open txt files on the web page and the parameters are sent with the GET command. This is shown in the browser address bar.
I immediately set off to see how the program would work if I used the ../ command to navigate the folder. After testing for a while, I found that with the right formatting of the address parameter we can also open files outside the www folder from the server.
So I opened the secret.txt file by adding ../../../backup/secret.txt to the address field
This also gave me the ticket.
Tools
- Firefox / Browser
Flag
ctftech{file-included}
