Duy's Tinkerings

picoGym – caas challenge Write-up:

Link to challenge

Challenge description

“Now presenting cowsay as a service”

Category: Web Exploitation

Link. Link to included file: index.js

Solution

After downloading the index.js file, this snippet of code stood out

exec(`/usr/games/cowsay…

It seems like the webapp is executing cowsay straight from the commandline, from the path /usr/games/cowsay. My first thought is to try to pipe the result into another command. Normal usage of the site would result in something similar to the following image:

A normal result from cowsay

But what if we try to pipe the result into something else?

grep seems to work, let’s try another
Bingo!
And now to grab our flag 🏁

Leguminosae

, ,

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

%d bloggers like this: