Writeup for the Guidepoint 2021 CTF Calc web challenge
Guidepoint Security CTF 2021 - Calc (web)

This is a basic OS command injection challenge. The challenge page shows two input boxes for numbers that it will add together for you. Submitting the form sends the two values as the x and y GET parameters (http://10.10.100.200:38271/index.php?x=1&y=2). On the server side those parameters are pasted straight into an underlying OS command without being escaped or validated, so the shell interprets any metacharacters we put in them. Adding a ; terminates the intended command, and whatever follows it runs as a separate command of our choosing. The one thing to get right is URL encoding: the ; has to be sent as %3B, spaces as %20 (or +), and any & in the payload as %26, otherwise the browser or the query-string parser will cut the payload up before it ever reaches the vulnerable command. Start with a harmless command whose output will show up in the page so you can confirm the injection works before doing anything more elaborate.
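The following script is an added example and is not part of the original writeup or the challenge's own code. It builds the URL-encoded payload for the x/y parameters, simulates (with shlex, without running a shell) why a ; ends the intended command, and shows what a fixed index.php should do instead. The exact shell command that index.php runs is not shown on the page; the "expr x + y" string below is an assumed placeholder for the unsafe concatenation, and TARGET is the host/port quoted in the writeup.

```python
"""Added example for the Calc command injection (not the original writeup's code).

Demonstrates:
  1. URL-encoding the payload so ';', spaces and '&' survive the GET request,
  2. why ';' terminates the intended command (tokenised with shlex, no shell run),
  3. the fix: validate the input and never hand it to a shell.
ASSUMPTION: index.php concatenates x and y into "expr x + y"; the real
command is not shown on the page.
"""
import re
import shlex
from urllib.parse import urlencode, urlsplit, parse_qs

TARGET = "http://10.10.100.200:38271/index.php"  # host/port from the writeup


def build_url(x: str, y: str) -> str:
    """Encode both parameters: ';' becomes %3B, space '+', '&' %26, so the
    query string is not cut up before it reaches index.php."""
    return TARGET + "?" + urlencode({"x": x, "y": y})


def decode_params(url: str) -> dict:
    """What PHP's $_GET sees after the query string is decoded."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def vulnerable_command(x: str, y: str) -> str:
    """ASSUMED server-side construction: raw parameters pasted into a
    command string with no escaping (the bug the writeup exploits)."""
    return f"expr {x} + {y}"


def quoted_command(x: str, y: str) -> str:
    """Same construction, but each value wrapped with shlex.quote so the
    shell treats it as a single argument (a partial mitigation)."""
    return vulnerable_command(shlex.quote(x), shlex.quote(y))


def shell_commands(cmdline: str) -> list:
    """Tokenise like /bin/sh would and split at every ';' to show how many
    separate commands the shell would actually run."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands, current = [], []
    for tok in lexer:
        if tok == ";":
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


INT_RE = re.compile(r"^-?\d+$")


def safe_add(x: str, y: str) -> int:
    """The real fix: reject anything that is not an integer literal and do
    the arithmetic in the application, never in a shell."""
    if not (INT_RE.match(x) and INT_RE.match(y)):
        raise ValueError("x and y must be integers")
    return int(x) + int(y)


if __name__ == "__main__":
    url = build_url("1", "2; id")        # ';' ends expr, then id runs
    print(url)
    params = decode_params(url)
    print(shell_commands(vulnerable_command(params["x"], params["y"])))
    print(shell_commands(quoted_command(params["x"], params["y"])))
    print(safe_add("1", "2"))
```

Running it prints the encoded URL (y=2%3B+id), then two command lists for the vulnerable construction (expr followed by a separate id), a single command list for the quoted version (the whole "2; id" stays one argument to expr), and finally 3 from the validating version.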