Vending Machine Challenge Write-Up (Web) - CyCTF 2024
Omar Mohamed
In the name of Allah, the Most Gracious, the Most Merciful

Hello everyone! It's Omar (aka daMushroom).
Welcome to this short write-up for the Vending Machine challenge from the CyCTF 2024 qualifications. Let's get started!

We are provided with a single page with an input field.

Type anything into the input and capture the request with Burp.
My goal was to trigger an error, so I tested multiple characters until I got an error when I entered a NULL byte (%00).
We notice our payload is being passed into the shell_exec function.
We have a command injection. Playing around a bit, I got the flag stored in an environment variable.
Payload:
anything; env
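To make the bug concrete, here is an added illustration that is not the challenge's actual source: a minimal reconstruction of a PHP endpoint that concatenates the item name into a shell_exec call, beside a hardened version. The function names, the echo command and the allow-list are my assumptions. It also explains why %00 was such a useful probe: PHP refuses null bytes in the command string passed to shell_exec (a "NULL byte detected" warning in PHP 7, a ValueError in PHP 8), so the resulting error names the function.

```php
<?php
// Added illustration, not the challenge's real source code: a minimal
// "vending" endpoint that builds a shell command from user input, next to a
// hardened version of the same function. Names and command are assumptions.

// VULNERABLE: the item name is concatenated straight into the command string,
// so "anything; env" ends the intended command and runs env, dumping the
// process environment (which is where the flag was stored in the challenge).
function vendVulnerable(string $item): string
{
    $output = shell_exec("echo Dispensing " . $item);
    return is_string($output) ? $output : '';
}

// HARDENED: reject anything outside a tight allow-list before it gets near a
// shell, and escape the argument anyway as defence in depth. escapeshellarg()
// wraps the value in single quotes so ';', '|', '$(' and friends lose meaning.
function vendHardened(string $item): string
{
    if (!preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $item)) {
        throw new InvalidArgumentException('invalid item name');
    }
    $output = shell_exec('echo Dispensing ' . escapeshellarg($item));
    return is_string($output) ? $output : '';
}

// shell_exec() itself refuses null bytes ("NULL byte detected. Possible attack"
// warning in PHP 7, ValueError in PHP 8), which is why %00 produced an error
// that revealed the sink during the challenge.
$payload = 'anything; env';

echo "--- vulnerable ---\n";
echo vendVulnerable($payload);      // echo runs, then env leaks the environment

echo "--- hardened ---\n";
try {
    echo vendHardened($payload);
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";   // the ';' and space fail the allow-list
}
echo vendHardened('cola');          // prints "Dispensing cola"
```

The allow-list is the real fix; escapeshellarg() is there so that a future change which loosens the regex does not silently reintroduce the injection. Better still is to avoid the shell entirely and call the program with an argument array (proc_open accepts one since PHP 7.4), but for a command like echo there is no reason to shell out at all.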

That's it!
Don't forget to check out my other write-up on the SMS challenge.
See you in the next one!