When we start the instance, we are met with an options menu:
It appears as if we can input the IP, which is then pinged. Let's imagine for a second how this could be implemented on the server side. A common trap developers can fall into is doing something like:
Essentially, we're passing the parameters to bash. This means we could, theoretically, insert a `;` character into the `ip` variable, and everything after it would be interpreted as a separate command, e.g.:
Here, `ls` would be run as a separate command. Let's see if it works!
Let's try it by simply appending `; ls` to the end of the IP and submitting:
Look - as well as the `ping` command, we get `index.php`, which is the result of the `ls` command!
There doesn't appear to be a flag, so we'll try `; ls /` to read the root directory next:
Woo - there's a `flag_2viTb` file! Now we'll inject `; cat /flag_2viTb` to read the flag:
And boom, we've got the flag - `HTB{I_f1n4lly_l00k3d_thr0ugh_th3_rc3}`.
Because I prefer a command-line interface, I originally created a simple script to inject parameters for me:
This simply takes the command as `cmd`, sets the POST parameters, and (really messily) parses the response to return just the data.
We can inject `cat index.php` to see what exactly was happening, and we immediately see the following lines:
As we guessed, it passed in the input without sanitising it to remove potential injection.
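To make the root cause concrete, here is an added example (it is not the challenge's own `index.php`, whose source the writeup does not reproduce) showing the kind of string concatenation guessed at above next to a hardened handler that validates the value with `filter_var()` and quotes it with `escapeshellarg()`. The function names `ping_vulnerable`, `is_valid_ip` and `ping_hardened` are assumptions for illustration:

```php
<?php
// Added example, not the challenge's index.php. Function names are assumptions.

// VULNERABLE: the raw POST value is glued into a shell command line, so a
// value such as "127.0.0.1; ls" makes the shell run a second command.
function ping_vulnerable(string $ip): string
{
    $output = shell_exec("ping -c 3 " . $ip);
    return is_string($output) ? $output : '';
}

// Accept only a literal IPv4 or IPv6 address. Hostnames, whitespace and
// shell metacharacters such as ';' are all rejected by FILTER_VALIDATE_IP.
function is_valid_ip(string $ip): bool
{
    return filter_var($ip, FILTER_VALIDATE_IP) !== false;
}

// HARDENED: reject anything that is not an address, and still wrap the value
// with escapeshellarg() so it can only ever reach ping as a single argument,
// even if the validation is relaxed later.
function ping_hardened(string $ip): string
{
    if (!is_valid_ip($ip)) {
        return "invalid address\n";
    }
    $output = shell_exec('ping -c 3 ' . escapeshellarg($ip));
    return is_string($output) ? $output : '';
}

// Typical request handling: the value comes from the form's POST parameter.
if (php_sapi_name() !== 'cli') {
    $ip = isset($_POST['ip']) ? (string) $_POST['ip'] : '';
    header('Content-Type: text/plain');
    echo ping_hardened($ip);
} else {
    // Self-check on constructed inputs; only the validator runs here, so no
    // ping command is executed for any of them.
    foreach (['127.0.0.1', '::1', '127.0.0.1; ls', 'example.com'] as $candidate) {
        printf("%-16s -> %s\n", $candidate, is_valid_ip($candidate) ? 'accepted' : 'rejected');
    }
}
```

Run from the command line (`php index.php`) the self-check prints `accepted` for the two addresses and `rejected` for the two other strings. Validation is the control that actually closes the hole; `escapeshellarg()` is defence in depth, and a cleaner design avoids the shell entirely by invoking the binary with a fixed argument list.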