Ryan CTF is a nicely organized beginner CTF located at http://ctf.ryanic.com/. Challenges are pretty interesting, with the only thing I disliked being that they are played through a web shell. So let’s start:

(Ab)use the ping-tool.html page on the web server http://ctf.ryanic.com:8080 to find the flag within the Flag.txt file.

When we open the site, we see just a simple form asking us for IP we want to ping. Parameters are passed in GET request so if we wanted to ping google DNS our URL would look like


Now one of basic things (as hinted by challenge name) is to test command injection which we can do by adding ;ls and checking the results:

ING ( 56(84) bytes of data. 
64 bytes from icmp_seq=1 ttl=51 time=1.08 ms 
64 bytes from icmp_seq=2 ttl=51 time=0.493 ms 
64 bytes from icmp_seq=3 ttl=51 time=0.399 ms 
64 bytes from icmp_seq=4 ttl=51 time=0.418 ms 

--- ping statistics --- 
4 packets transmitted, 4 received, 0% packet loss, time 3042ms 
rtt min/avg/max/mdev = 0.399/0.598/1.085/0.284 ms 

Now for fun, we can also leak the code of this .php script running on the server with


Here it is just important to note that we need to URL encode parameters so for example in case above space is replaced by + .

And we get:

$out = array();
exec("ping -c 4 " . $_GET["ip"], $out);
foreach($out as $line) {
echo "$line

Now for the remaining part, we need to find the flag. We can do this just through a browser but also we can do it through burp, to make it easier and it is a good tool to know.

We need to capture one of request we send to server and forward it to the repeater, in this way we can quickly modify parameters of request and URL encode them. For this, we just need to start burp, turn the intercept on and set the browser to use a proxy (in case of burp localhost on the port 8080 by default).

First I tried running find for the flag, which failed for some reason so I decided to simply check directories bellow our current one.

ping ls

Parameters of the request, if URL decoded, are simply ;cd..;ls. And it seems we were in luck since Flag.txt is just one sub-directory bellow. We simply cat Flag.txt and that’s it.

Flag: pluripresence

- F3real