downloader-v1

File Downloader Command Injection – Write-up

Info

Details

Challenge Overview

This challenge has a file downloader in it, so my first guess was a Command Injection Vulnerability.

Apparently, when the URL contains two path segments (e.g., /123/123), the application returns an output.

The file referenced by the URL is downloaded using the wget command and then removed if it has a .php, .pht, .phtml, or similar extension (via bash -c 'rm uploads/.../*.{php,pht,phtml,php4,php5,php6,php7}').

Analyzing page source (CTRL + U), we see this line:

<!-- <a href="flag.php">###</a> -->

When accessing:

http://34.40.99.144:30320/flag.php

we see the message GET ME.

Exploitation

My first instinct was to send the following link:

https://127.0.0.1/flag.php

Sneaky you! is displayed, but maybe because that .php extension that could easily be bypassed -> p'hp; p'h'p; ph'p'

After many attempts nothing worked and I decided to look in the manpage of wget.

There I saw the -i option, which simply allows wget to read URLS from A FILE. I tried it on my host, and that's how it works.

Apparently, it enumerates each line, which is great in our situation.

Final Payload

https://example.com/123 -i flag.'p'hp

There I got the flag and decode it using Cyberchef URL Decode.

made by k0d

Previousproduction-bay Nextpara-code

Last updated 26 days ago

hashtagFile Downloader Command Injection – Write-up

hashtagChallenge Overview

hashtagExploitation

hashtagFinal Payload

File Downloader Command Injection – Write-up

Challenge Overview

Exploitation

Final Payload