Looking Glass
When we start the instance, we are met with an options menu:
It appears as if we can input the IP, which is then pinged. Let's imagine for a second how this could be implemented on the server side. A common trap developers can fall into is doing something like:
Essentially, we're passing the parameters to bash. This means we could, theoretically, insert a ; character into the ip variable, and everything behind it would be interpreted as a seperate command, e.g.:
Here, ls would be run as a separate command. Let's see if it works!
Let's try it by simply inputting ; ls to the end of the IP and submitting:
Look - as well as the ping command, we get index.php, which is the result of the ls command!
There doesn't appear to be a flag, so we'll try ; ls / to read the root directory next:
Woo - there's a flag_2viTb file! Now we'll inject ; cat /flag_2viTb to read the flag:
And boom, we've got the flag - HTB{I_f1n4lly_l00k3d_thr0ugh_th3_rc3}.
Because I prefer a command-line interface, I originally created a simple script to inject parameters for me:
This simply inputs the command as cmd, sets the POST parameters, and (really messily) parses the response to return just the data.
Checking the Source
We can inject cat index.php to see what exactly was happening, and we immediately see the following lines:
As we guessed, it passed in the input without sanitising it to remove potential injection.
