Coffee Difficulty Rating:

Challenge Description

Exploit the web based ping command tool and capture the flag.

smartcat1 CTF

InsomniHack Smartcat1

Entering nothing, or a single quote ('), renders the error: Error running ping -c 1 foo. Enumeration indicated that the following characters were filtered: $;&|({`\t (note that this included whitespace filtering).

I loaded up Burp and went through the ASCII table looking for other ways of escaping the command. It was possible to use LF (%0a) to escape the existing command and enter another, such as: dest=

Viewing the source code of index.cgi confirmed the character filtering.

#!/usr/bin/env python

import cgi, subprocess, os

headers = ["mod_cassette_is_back/0.1","format-me-i-im-famous","","solve_me_already"]

print "X-Powered-By: %s" % headers[os.getpid()%4]
print "Content-type: text/html"

print """
<head><title>Can I haz Smart Cat ???</title></head>

  <h3> Smart Cat debugging interface </h3>
"""

# Character blacklist: shell metacharacters and whitespace, but not the newline
blacklist = " $;&|({`\t"
results = ""
form = cgi.FieldStorage()
dest = form.getvalue("dest", "")
for badchar in blacklist:
    if badchar in dest:
        results = "Bad character %s in dest" % badchar

if "%n" in dest:
    results = "Segmentation fault"

if not results:
    try:
        # dest is concatenated into a command line that a shell then parses
        results = subprocess.check_output("ping -c 1 "+dest, shell=True)
    except subprocess.CalledProcessError:
        results = "Error running " + "ping -c 1 "+dest

print """
  <form method="post" action="index.cgi">
    <p>Ping destination: <input type="text" name="dest"/></p>
  </form>
  <p>Ping results:</p><br/>
  <pre>%s</pre>
  <img src="../img/cat.jpg"/>
""" % cgi.escape(results)


Entering dest=%0afind listed the current directory, revealing the path of the flag.
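To make the lesson concrete, the following is an added example (not the challenge's code) that places the challenge's blacklist next to an allowlist-based check and an argv-style subprocess call. The newline-injected input and the hostname regex are constructed for illustration; only the blacklist string is taken from index.cgi.

```python
import re
import subprocess

# Blacklist copied from the challenge's index.cgi: shell metacharacters and
# whitespace, but not "\n", which sh also treats as a command separator.
BLACKLIST = " $;&|({`\t"

# Allowlist (constructed): a DNS hostname or dotted-quad IPv4 address and
# nothing else. "." in the lookahead never matches a newline, and \Z anchors
# at the true end of the string, so trailing newlines are rejected too.
HOST_RE = re.compile(
    r"^(?=.{1,253}\Z)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*\Z"
)


def blacklist_accepts(dest: str) -> bool:
    """Mimic the challenge filter: accept unless a blacklisted char is present."""
    return not any(c in dest for c in BLACKLIST)


def allowlist_accepts(dest: str) -> bool:
    """Hardened check: accept only strings that are syntactically a host/IPv4."""
    return HOST_RE.fullmatch(dest) is not None


def shell_commands(dest: str) -> list:
    """What 'sh -c' sees for the vulnerable concatenation: each line of the
    resulting string is its own command, so a newline in dest adds one."""
    return ("ping -c 1 " + dest).split("\n")


def build_ping_argv(dest: str) -> list:
    """Validate, then return an argv list. A list with shell=False means no
    shell ever parses the destination, so separators have no effect."""
    if not allowlist_accepts(dest):
        raise ValueError("destination is not a valid hostname or IPv4 address")
    return ["ping", "-c", "1", dest]


def run_ping(dest: str) -> str:
    """Run the hardened command; report failure without echoing a shell line."""
    proc = subprocess.run(build_ping_argv(dest), capture_output=True,
                          text=True, timeout=10)
    return proc.stdout if proc.returncode == 0 else "ping to %s failed" % dest


if __name__ == "__main__":
    injected = "127.0.0.1\nfind"  # constructed: the newline bypass from the writeup
    print("blacklist accepts:", blacklist_accepts(injected))  # True (bypassed)
    print("shell would run:", shell_commands(injected))       # two commands
    print("allowlist accepts:", allowlist_accepts(injected))  # False
```

The blacklist and allowlist functions return booleans, so the same inputs can be fed to both to see which filter a given string gets past.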


Flag contents:


Thanks for the CTF :)