Challenge Overview

The website's only functionality is to take a path to a directory on the server and return that directory's contents to us.

Website Overview

A button allows us to view the source code of this PHP website. We notice the use of the shell_exec() function, which executes a system command and returns its output (https://www.php.net/manual/en/function.shell-exec.php). The server concatenates the string ls with the user input, after first passing that input through a filter.

The filter is the following line:

preg_match_all('/[;|]/m', $parsed, $illegals, PREG_SET_ORDER, 0);

It searches for occurrences of the characters ; and | in order to block command injection.

However, this filter can be bypassed with backticks, which the regex does not match and which the shell still interprets as command substitution, so command injection remains possible.

Source Code

To demonstrate this, here is a request that makes the server sleep for 10 seconds. We notice that the server only responds after the delay specified by the user.

Note: the following payloads also work.

  • $(sleep+2)
  • && sleep 2
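As an added example (not the challenge's own source), the check reconstructed from the filter line above is placed beside a directory listing that never goes through a shell; the base directory and function names are assumptions, and the test strings are the payloads from this write-up.

```php
<?php
// Added example, not the challenge's code: the challenge's character filter
// next to a safer directory listing that never calls shell_exec().

// Reconstruction of the challenge's check: only ';' and '|' are rejected.
function passesCharFilter(string $input): bool
{
    preg_match_all('/[;|]/m', $input, $illegals, PREG_SET_ORDER, 0);
    return count($illegals) === 0;
}

// Safer approach (assumed design): resolve the path, confine it to a base
// directory, and list it with scandir() instead of shell_exec('ls ' . $input).
function listDirectorySafely(string $baseDir, string $userPath): array
{
    $base = realpath($baseDir);
    $target = realpath($baseDir . '/' . $userPath);
    if ($base === false || $target === false) {
        throw new InvalidArgumentException('path does not exist');
    }
    // The resolved path must be the base directory itself or live beneath it.
    if ($target !== $base && strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new InvalidArgumentException('path escapes the allowed directory');
    }
    if (!is_dir($target)) {
        throw new InvalidArgumentException('not a directory');
    }
    return array_values(array_diff(scandir($target), ['.', '..']));
}

// Inputs from the write-up: only the last one is blocked, because backticks,
// $( ) and && are not covered by the regex and so still reach the shell.
foreach (['`sleep 2`', '$(sleep 2)', '&& sleep 2', 'x; sleep 2'] as $p) {
    printf("%-12s filter says: %s\n", $p, passesCharFilter($p) ? 'allowed' : 'blocked');
}

// The safe listing treats the same strings as plain path components: they do
// not resolve to a real directory under the base, so they are rejected outright.
try {
    print_r(listDirectorySafely('/var/www/html', '$(sleep 2)'));
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```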


This command injection is blind because the server does not return the command's output in its response. Several techniques can be used to retrieve the flag, such as a reverse shell or exfiltrating the contents of the file via an HTTP request to the attacker's server.

I opted to copy the contents of the flag.txt file into the website's directory. We can easily determine this path thanks to the feature that allows us to navigate through the different directories.

/var/www/html


Now, we can copy the contents of the file into a new file that is accessible from the website.


One last request to get the flag!


  • PWNME{US3R_1nPUT2_1n_ShELL_Y3S_6x8c}