Here we have a web challenge that gives us a game with a a submit score form. Also site provide a login/register page where we can see our scores and the IP that submit it. Now faking the score is pretty easy but this isn’t the point of the challenge that is get RCE. After a bit of testing a file discloure is found in “ip” parameter of index.pl where we can read basically all file we want. So reading index.pl it turns out that IP is used in open() perl function that is known for its feature that allows among with pipes the execution of commands.

$file = './data/'.MD5($login)."/".$req->param('ip');
if (-e $file) {
    open FILE, $file; <-- here

But how to put arbitrary IP? After a bit of testing it falls out that we can spoof our IP address by using X-Forwarded-For HTTP header. So now the game becomes easy:

Razor4x