Radia Perlman

Challenge Description

Command Injection Vulnerability

let's try and put a random value in the ip parameter and see if we can generate any errors that help us to identify what we are dealing with

so the application gets the dns host and trys to query the corresponding ip using nslookup command, so the vulnerability here will be a command injection by injecting other command in the ip parameter

nslookup cyberheroines.ctfd.io 2>&1 ; ls ;

we can see that the app have executed the command ls by using the separator ;

after listing the files we find a file called flag.txt, let's try to read it using the command cat

nslookup cyberheroines.ctfd.io 2>&1 ; ls ; cat flag.txt ;

the command cat is blocked so we will bypass the restriction by using backslashes or double quote

bypass using backslashes

bypass using double quote

Flag

chctf{1_l0v3_5p4wn1n6_n0d3_ch1ld_pr0c355}