WM02

Last updated 4 years ago

About The Challenge

Type: Web
Difficulty: Medium

Solution

This challenge was easy, but it had a small trick.

There was a command injection in the text box input. By typing the following command we can run any system command on the server, but the input first has to start with a semicolon (;), a pipe (|) or any other command terminator, followed by the command we want to execute on the server.

| ls -la 

As the figure above shows, the flag was hidden in the file .flag.txt, and that is the small trick of the challenge. We can show hidden files and directories by using the -a flag with the ls command.

Finally, we got the flag by printing the contents of .flag.txt.

Flag is: cmDInjECTIoN-NoFoRAnEP0CH918
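
Why the `| ls -la` input works, and what stops it, shown as an added example that is not part of the original write-up or the challenge's code. The handler functions, the use of `echo` as the server-side command and the temporary directory with a constructed `.flag.txt` are assumptions, since the page does not show the server's implementation.

```python
import re
import subprocess
import tempfile
from pathlib import Path


def make_workdir() -> str:
    """Constructed stand-in for the server's working directory (one hidden file)."""
    d = tempfile.mkdtemp()
    Path(d, ".flag.txt").write_text("constructed-placeholder\n")
    return d


def run_vulnerable(user_input: str, cwd: str) -> str:
    # Hypothetical handler: input is concatenated into a shell string,
    # so the shell parses ; and | in the input as command separators.
    r = subprocess.run("echo " + user_input, shell=True, cwd=cwd,
                       capture_output=True, text=True)
    return r.stdout


def run_argv_only(user_input: str, cwd: str) -> str:
    # No shell: the input is a single argv element and stays literal text.
    r = subprocess.run(["echo", user_input], cwd=cwd,
                       capture_output=True, text=True)
    return r.stdout


# Allowlist: must start alphanumeric (blocks option injection such as "-n"),
# and may contain no whitespace or shell metacharacters.
SAFE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def run_hardened(user_input: str, cwd: str) -> str:
    # Defence in depth: validate first, then execute without a shell.
    if not SAFE.fullmatch(user_input):
        raise ValueError("rejected input")
    return run_argv_only(user_input, cwd)


if __name__ == "__main__":
    d = make_workdir()
    print("vulnerable:", run_vulnerable("| ls -la", d))  # listing, incl. hidden file
    print("argv only :", run_argv_only("| ls -la", d))   # literal text echoed back
    try:
        run_hardened("| ls -la", d)
    except ValueError as e:
        print("hardened  :", e)
```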