Filed under DEF CON CTF Qualifier 2014.


routarded starts you out with a hint in the challenge description that the target webpage is a router with default credentials. After trying a bunch of default router combinations, @jonathansinger found a working combination of <blank>:admin. This pops you into the management site of this fake router, which has a promising diagnostics page.


We went straight for command injection by inputting 127.0.0.1 & ls to try to get the “router” to execute ping 127.0.0.1 & ls, but we found out that things get messed up along the way. There’s some input sanitization going on (presumably with JavaScript) that removes spaces and ampersands.


Rather than dealing with disabling JavaScript or something, I started Firefox and connected it to Burp Suite, fixing the request as it got sent out to work around the problem altogether.


Looks like there’s a file called flag. Let’s try to read it out by submitting 127.0.0.1 & cat flag and fixing it with Burp.

The flag is l0l, I can’t believe they still do this shit.

Additional credit for solving this challenge goes to @jonathansinger.
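
The browser-side filter in this challenge was sidestepped by editing the request in a proxy, so the check has to live on the server. The following is an added example (not code from the challenge or from the original post) of how a diagnostics handler could validate the ping target and run ping without a shell; the function names and the Linux-style ping -c 1 -- invocation are assumptions.

```python
import ipaddress
import re
import subprocess

# Hostname labels: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
_HOSTNAME = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")


def validate_target(raw: str) -> str:
    """Return a canonical ping target or raise ValueError.

    Runs on the server, so it holds no matter what the browser-side
    filter did or whether the request was edited in a proxy.
    """
    if not isinstance(raw, str) or not raw or len(raw) > 253:
        raise ValueError("target must be a non-empty string of at most 253 chars")
    try:
        return str(ipaddress.ip_address(raw))  # accepts IPv4 and IPv6 literals
    except ValueError:
        pass
    if _HOSTNAME.fullmatch(raw):  # fullmatch: no trailing-newline loophole
        return raw
    raise ValueError("target is not an IP address or hostname")


def build_ping_argv(raw: str) -> list[str]:
    """Build an argument vector; "--" stops ping parsing the target as an option."""
    return ["ping", "-c", "1", "--", validate_target(raw)]


def run_ping(raw: str) -> str:
    """Run ping with no shell, so &, ;, | and spaces are never interpreted."""
    proc = subprocess.run(build_ping_argv(raw), capture_output=True,
                          text=True, timeout=5, check=False)
    return proc.stdout


def is_rejected(raw: str) -> bool:
    """Helper for checking inputs: True when validation refuses the value."""
    try:
        validate_target(raw)
    except ValueError:
        return True
    return False
```

The allow-list also refuses values that begin with a hyphen, which would otherwise reach ping as an option even without a shell.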