Tags: command_injection
Rating:
# Echoes
- 50 Points / 399 Solves
## Background
Do you hear that?
[https://echoes-web.challenges.ctf.ritsec.club/](https://echoes-web.challenges.ctf.ritsec.club/)
## Find the flag
**Home page:**
As you can see, we can enter some words:
Burp Suite HTTP history:
When we clicked the "Test word" button, it'll send a POST request to `/check.php`, with parameter `word`.
Then it'll output with our input three times!
Hmm... I wonder how it works...
Well, you guessed! ***`echo` OS command!***
That being said, we can try to test ***OS command injection***!
**To do so, I'll use the new line characeter (`\n` = `%0a`):** (Or you can use `|`)
```bash
a %0a id
```
Boom! We have RCE (Remote Code Execution) via OS command injection!
**Let's get the flag!**
```bash
a %0a ls
```
```bash
a %0a cat flag.txt
```
Nice!
- **Flag: `RS{R3S0UND1NG_SUCS3SS!}`**
## Conclusion
What we've learned:
1. OS Command Injection