🌐 Caas

A detailed write-up of the Web challenge 'Caas' from picoMini by redpwn - 2021

/images/PicoGym/PicoMiniByRedPwn-2021/Caas/challenge_presentation.png
Challenge Presentation

📊 Challenge Overview

| Category | Details | Additional Info |
|---|---|---|
| 🏆 Event | PicoGym | Event Link |
| 🔰 Category | Web 🌐 | |
| 💎 Points | 500 | Out of 500 total |
| ⭐ Difficulty | 🟡 Medium | Personal Rating: 1/10 |
| 👤 Author | BrownieInMotion | Profile |
| 🎮 Solves | (At the time of flag submission) | 17.733 solve rate |
| 📅 Date | 18-02-2025 | PicoGym |
| 🦾 Solved By | mH4ck3r0n3 | Team: |

📝 Challenge Information

Now presenting cowsay as a service

🎯 Challenge Files & Infrastructure

Provided Files

Files: None

🔍 Initial Analysis

First Steps

Initially, the website appears as follows:

/images/PicoGym/PicoMiniByRedPwn-2021/Caas/site_presentation.png
Site Presentation

Visiting the page https://caas.mars.picoctf.net/cowsay/hellooooo (the route is /cowsay/{message}, with {message}=hellooooo in this case), I get:

/images/PicoGym/PicoMiniByRedPwn-2021/Caas/first_try.png
First Try

As we can see, it is cowsay, free software that draws an ASCII-art cow with a speech bubble containing whatever message we supply. If you want to try it yourself, you can simply run:

    sudo apt install cowsay

However, if the message is inserted into a shell command line, we can chain other commands to it, for example with ;second command, where ; is a special bash character that separates multiple commands. Or we can use &, which sends the preceding command to the background and makes the shell immediately run whatever follows, so the second command is executed as well. Let’s do a local test after installing cowsay:

/images/PicoGym/PicoMiniByRedPwn-2021/Caas/cowsay_local.png
Local Cowsay

Now, appending & second command to the message, we can see that the second command we specify is also executed:

/images/PicoGym/PicoMiniByRedPwn-2021/Caas/cowsay_local_injection.png
Local Cowsay Injection

This results in the output of the cowsay command followed by the output of whoami (a command that prints the username of the current user). Now that we understand how the cowsay command could be abused for an OS Command Injection, let’s move on to the exploitation phase.
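Where the bug sits and how it is closed, as an added Python example that is not the challenge's own source (which this page does not show): it assumes the service interpolates the message into a single `cowsay <message>` string handed to a shell, shows how a shell splits that string, gives a log-side check for shell metacharacters, and shows the argv form that keeps `&ls` as plain text.

```python
import shlex
import subprocess
from typing import List, Optional

# Characters a POSIX shell treats as operators or expansions; any one of them
# inside the message turns a single cowsay argument into extra commands.
SHELL_METACHARS = set(";&|`$(){}<>\n")


def shell_tokens(message: str) -> List[str]:
    """Tokenise 'cowsay <message>' the way a shell would (the vulnerable pattern).

    Assumed service behaviour: the message is pasted into one command string
    and run through a shell, so '&' and ';' become command separators.
    """
    lexer = shlex.shlex(f"cowsay {message}", posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def looks_injected(message: str) -> bool:
    """Log-side detection rule: flag any message carrying a shell metacharacter."""
    return any(ch in SHELL_METACHARS for ch in message)


def cowsay_argv(message: str) -> List[str]:
    """Hardened form: the message is one argv element and is never parsed by a shell.

    '--' ends option parsing (Getopt::Std style, which cowsay uses), so a
    message starting with '-' cannot be read as a flag either.
    """
    return ["cowsay", "--", message]


def run_cowsay_safe(message: str) -> Optional[str]:
    """Run the hardened argv without shell=True; returns None if cowsay is absent."""
    try:
        result = subprocess.run(cowsay_argv(message), capture_output=True,
                                text=True, timeout=5, check=False)
    except FileNotFoundError:
        return None
    return result.stdout


if __name__ == "__main__":
    for msg in ("hellooooo", "&ls", "&cat falg.txt"):
        print(f"{msg!r}: shell sees {shell_tokens(msg)}, "
              f"injected={looks_injected(msg)}, argv={cowsay_argv(msg)}")
```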

🔬 Vulnerability Analysis

Potential Vulnerabilities

  • OS Command Injection

🎯 Solution Path

Exploitation Steps

Initial setup

As a first step, I assume there is a flag.txt file to read in order to find the flag. So, the first thing I try is to send the message &ls to concatenate cowsay with ls. The final command that will be executed on the server will look like this: cowsay & ls.

Exploitation

I then visit the URL: https://caas.mars.picoctf.net/cowsay/&ls

/images/PicoGym/PicoMiniByRedPwn-2021/Caas/injection.png
Remote Cowsay Injection

As we can see, it works! With the injection in place, I noticed a suspicious file called falg.txt in the listing shown in the image. Reading it by concatenating cowsay & cat falg.txt prints the content of falg.txt, and inside it is the flag.

Flag capture

/images/PicoGym/PicoMiniByRedPwn-2021/Caas/manual_flag.png
Manual Flag

🛠️ Exploitation Process

Approach

The exploit simply makes a GET request to https://caas.mars.picoctf.net/cowsay/&cat%20falg.txt, as seen in the manual approach, and extracts the flag from the response using a regex.

🚩 Flag Capture

Flag

Proof of Execution

/images/PicoGym/PicoMiniByRedPwn-2021/Caas/automated_flag.png
Automated Flag
Screenshot of successful exploitation

🔧 Tools Used

| Tool | Purpose |
|---|---|
| Python | Exploit |

💡 Key Learnings

Skills Improved

  • Binary Exploitation
  • Reverse Engineering
  • Web Exploitation
  • Cryptography
  • Forensics
  • OSINT
  • Miscellaneous

📊 Final Statistics

| Metric | Value | Notes |
|---|---|---|
| Time to Solve | 00:00 | From start to flag |
| Global Ranking | (At the time of flag submission) | Challenge ranking |
| Points Earned | 500 | Team contribution |

Created: 18-02-2025 • Last Modified: 18-02-2025 • Author: mH4ck3r0n3 • Team: