GuidePoint Security CTF 2021 - Calc (web)

Writeup for the Guidepoint 2021 CTF Calc web challenge

This is a basic OS command injection challenge. The web page for the challenge shows two input boxes for numbers it will then add together for you.

The page submits the two values as the x and y GET parameters (http://10.10.100.200:38271/index.php?x=1&y=2), but these parameters are passed to an underlying OS command without being escaped properly. By adding a ; we can break out of the command context and inject our own commands; we just have to URL-encode any special characters that would otherwise mess up the URL. To be safe, we also added ;# at the end of our injected command so that nothing placed after it can affect it.

First we need to take a look at the directory contents:

curl -v 'http://10.10.100.200:38271/index.php?x=%3Bls%3B%231&y=1'

We’ll see there is a file called calchdeyenbdw7wjh281y1hd771ujs718hq.txt, so next we just cat that file:

curl -v 'http://10.10.100.200:38271/index.php?x=%3Bcat%20calchdeyenbdw7wjh281y1hd771ujs718hq.txt%3B%231&y=1'

And with that, we get our flag for this challenge.
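
The flaw described above next to a fix for it, as an added example that is not part of the original writeup or the challenge's code. The challenge source is not shown, so the `expr` command, the function names and the accepted number range are assumptions.

```php
<?php
// Added example. vulnerable_command() is a hypothetical reconstruction of the
// pattern the writeup describes, not the challenge's actual index.php.

// Assumed limit; it also keeps the sum well inside PHP's integer range.
const INT_OPTS = ['options' => ['min_range' => -1000000, 'max_range' => 1000000]];

// Vulnerable pattern: request values are pasted into a shell command line.
// The string is only built here, never executed, so the effect can be inspected.
function vulnerable_command(string $x, string $y): string
{
    return "expr $x + $y"; // assumed command; any interpolated shell string has the same flaw
}

// Hardened: accept only integers and add them in PHP, so no shell is involved.
function safe_add(string $x, string $y): ?int
{
    $a = filter_var($x, FILTER_VALIDATE_INT, INT_OPTS);
    $b = filter_var($y, FILTER_VALIDATE_INT, INT_OPTS);
    if ($a === false || $b === false) {
        return null; // caller should answer 400 Bad Request
    }
    return $a + $b;
}

// If an external program is unavoidable: validate first, then pass the parsed
// integers (not the raw strings) and still quote each argument.
function safe_command(string $x, string $y): ?string
{
    $a = filter_var($x, FILTER_VALIDATE_INT, INT_OPTS);
    $b = filter_var($y, FILTER_VALIDATE_INT, INT_OPTS);
    if ($a === false || $b === false) {
        return null;
    }
    return 'expr ' . escapeshellarg((string) $a) . ' + ' . escapeshellarg((string) $b);
}

// Constructed inputs: a normal request and the decoded x value from the writeup.
$cases = [['1', '2'], [';ls;#1', '1']];
foreach ($cases as [$x, $y]) {
    printf("x=%s y=%s\n", $x, $y);
    printf("  vulnerable: %s\n", vulnerable_command($x, $y));
    printf("  safe_add:   %s\n", var_export(safe_add($x, $y), true));
    printf("  safe_cmd:   %s\n", var_export(safe_command($x, $y), true));
}
```

Run with `php` on the command line: the second case shows the `;` ending the intended command in the vulnerable string, while both hardened functions reject the value before any command is built.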