
Omar Mohamed

In the name of God, the Most Gracious, the Most Merciful.

Vending Machine Challenge Write-Up (Web) - CyCTF 2024
Hello everyone! It's Omar (aka daMushroom).
Welcome to this short write-up for the Vending Machine challenge from the CyCTF 2024 qualifications.
Let's get started!
(Screenshot: challenge banner)
We are provided with a single page containing one input field.
(Screenshot: the main page)
I typed anything into the field and captured the request with Burp.
My goal was to trigger an error, so I tested multiple characters until I got an error when I entered a null byte: `%00`.
(Screenshot: the error message)
The error shows our payload being passed into the `shell_exec` function, so we have a command injection.
Playing around a bit, I found the flag stored in an environment variable. Payload: `anything; env`
(Screenshot: the flag)
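To make the bug concrete from the fixing side, here is an added example (not the challenge's source, which is not published in this write-up) of the vulnerable `shell_exec` pattern the error revealed, placed beside a hardened version and a small input check a defender could log on. The command name `vend-lookup` is a hypothetical stand-in for whatever the challenge ran; the sample inputs are constructed. PHP 8 rejects null bytes passed to `shell_exec` with a `ValueError`, which would explain the error the `%00` probe produced.

```php
<?php
// Added example, not the challenge's own code. `vend-lookup` is a hypothetical command.
declare(strict_types=1);

// VULNERABLE: user input is concatenated straight into a shell command line.
// A separator such as ';' ends the intended command and starts a new one,
// which is exactly what "anything; env" did in the challenge.
function lookupItemVulnerable(string $item): string
{
    return (string) shell_exec("vend-lookup " . $item);
}

// Builds the command safely: reject anything outside a strict allowlist, then
// quote the one argument so the shell treats it as data, never as syntax.
function buildSafeCommand(string $item): string
{
    if (!preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $item)) {
        throw new InvalidArgumentException('invalid item id');
    }
    return 'vend-lookup ' . escapeshellarg($item);
}

// HARDENED: same functionality, but only validated, quoted input reaches the shell.
function lookupItemHardened(string $item): string
{
    return (string) shell_exec(buildSafeCommand($item));
}

// Cheap detective control: flag inputs carrying shell metacharacters or a NUL
// byte before they reach any exec-style function, so probes like the one
// described above show up in logs.
function looksLikeInjectionAttempt(string $input): bool
{
    return preg_match('/[;&|`$()<>\x00\n]/', $input) === 1;
}

// Constructed inputs for demonstration: a valid id, the write-up's payload, a NUL probe.
foreach (['A1', 'anything; env', "A1\0"] as $candidate) {
    $verdict = looksLikeInjectionAttempt($candidate) ? 'SUSPICIOUS' : 'ok';
    printf("%-16s %s\n", json_encode($candidate), $verdict);
    try {
        echo "  hardened command: " . buildSafeCommand($candidate) . "\n";
    } catch (InvalidArgumentException $e) {
        echo "  hardened: rejected (" . $e->getMessage() . ")\n";
    }
}
```

Two points worth keeping in mind beyond the input handling: `escapeshellarg` alone is a fallback, and the allowlist is what actually removes the attack surface; and the reason `env` paid off here is that the web process's environment is inherited by every command it spawns, so secrets kept there (or anywhere readable by the PHP process) are exposed the moment any injection exists.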
That's it! Don't forget to check out my other write-up on the SMS challenge.
See you in the next one!