/Home/Writeups/Sunshinectf2022/Network Pong/
Author: argot
Pub: 2022-11-21
230 words


Introducing Network Pong: Pong for the Internet! In this game, you just ping random websites and try to get the lowest latency. It is protected with state-of-the-art anti-hacking techniques, so it should be unhackable according to our security team of well-trained monkeys and felines.


The included link leads to a webpage with one input. Some type of command injection is expected here. Submitting the form with results in the following:



An initial injection attempt is tried with ; whoami and it returns an error implying our commands are getting passed into a bash script.

/bin/bash: line 1: {ping,-c,1,: command not found
/bin/bash: line 1: test}: command not found

So, trying to escape the bracketing we inject };{ $(command), trying with whoami results in the following response:


An attempt to read a flag.txt file using cat, but apparently whitespaces are not handled well. An attempt with ${IFS} inplace of whitespace results in the an error:

Do not mention body parts, felines, or body parts of felines


So, reading a file directly may be out, but its noted that the program nc is installed on the machine with the -e flag available. Ngrok is spun up and a netcat listener is started on the attacker’s machine. The following payload is injected


The payload is sent a reverse shell is caught and the flag is captured.

Reverse Shell