How is this vulnerable?

    [HttpGet]
    public async Task<IActionResult> Get(
        [FromQuery(Name = "destination")] string destination,
        [FromQuery(Name = "level")] int level)   // "level" is bound but never used
    {
        var psi = new ProcessStartInfo
        {
            RedirectStandardOutput = true,
            FileName = "ping",             // the program is fixed ...
            Arguments = destination        // ... but its argument string is raw user input, no sanitization
        };
        var ct = new CancellationTokenSource(TimeSpan.FromSeconds(20)).Token;
        var process = Process.Start(psi);
        await process.WaitForExitAsync(ct);
        return Ok(process.StandardOutput.ReadToEnd());   // ping's output is reflected back to the caller
    }

This is the source code. You should be able to read flag2.txt. It is a simple ping function in the user GUI, where you get back the result of the ping command. If the host is wrong, the application reflects back the bad hostname. I thought there was a way to ping the value inside the flag2.txt file to reflect it back, but no luck with that.

It is emphasized multiple times that it uses tcpping and that all flags can be used, but I found no way to read the content of the file.

The CTF is already over; it was an in-house company CTF. I'm not trying to cheat in it or something, I just want to understand, because the solutions haven't been released. The source code came from a hint in the CTF. It is also mentioned that no sanitization is used.

submitted by /u/Astral_04

from hacking: security in practice https://ift.tt/my0fl4t
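As an added example (not the poster's code and not the CTF's), here is a hardened version of the same handler from the defender's side: it validates that the destination is an IP literal or DNS hostname and hands it to ping through ArgumentList, so the value can never be parsed as an option or be re-tokenized by a shell. The controller name, the Linux iputils-style -c flag and the timeout handling are assumptions.

```csharp
using System;
using System.Diagnostics;
using System.Net;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;
[ApiController]
public class PingController : ControllerBase   // controller name assumed
{
    // Accept only an IP literal or a DNS hostname; anything starting with '-' is rejected
    // so ping can never interpret the value as a flag.
    private static bool IsSafeDestination(string destination)
    {
        if (string.IsNullOrWhiteSpace(destination) || destination.Length > 253 || destination.StartsWith("-"))
            return false;
        if (IPAddress.TryParse(destination, out _))
            return true;
        return Uri.CheckHostName(destination) == UriHostNameType.Dns;
    }

    [HttpGet]
    public async Task<IActionResult> Get([FromQuery(Name = "destination")] string destination)
    {
        if (!IsSafeDestination(destination))
            return BadRequest("destination must be a hostname or IP address");
        var psi = new ProcessStartInfo
        {
            FileName = "ping",
            RedirectStandardOutput = true,
            UseShellExecute = false,
        };
        // ArgumentList passes each value as exactly one argv entry: no shell, no re-tokenizing.
        psi.ArgumentList.Add("-c");   // fixed probe count (Linux iputils ping; platform assumed)
        psi.ArgumentList.Add("4");
        psi.ArgumentList.Add(destination);

        using var cts = new CancellationTokenSource(TimeSpan.FromSeconds(20));
        using var process = Process.Start(psi)!;
        try
        {
            await process.WaitForExitAsync(cts.Token);
        }
        catch (OperationCanceledException)
        {
            process.Kill(entireProcessTree: true);   // do not leave an orphaned ping behind
            return StatusCode(504, "ping timed out");
        }
        return Ok(await process.StandardOutput.ReadToEndAsync());
    }
}
```

The original handler's Arguments string is what let arbitrary ping flags through; ArgumentList plus the hostname check closes that, and the explicit timeout handling keeps a slow target from pinning a process.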
