Challenge: Looking Glass
The Looking Glass challenge is a web challenge. It includes the following description: “We’ve built the most secure networking tool in the market, come and check it out!”
Vulnerability
This web page contains a remote command execution vulnerability. An attacker who exploits it can gain access to the system, even though he has no permission on it. With this vulnerability the attacker can, for example, search files, gain access with a shell or get confidential information.
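The root cause of this class of bug is user input pasted into a string that a shell then parses. The following is an added example, not code from the challenge or from this write-up: it contrasts that anti-pattern with a hardened form. The page does not show the server code, so the use of Python, the function names and the sample inputs are all assumptions.

```python
import ipaddress
import subprocess

# Constructed sample inputs: one legitimate target, the rest carry shell syntax.
SAMPLES = ["127.0.0.1", "127.0.0.1; ls /", "127.0.0.1 | id", "$(id)", "-c 9999 127.0.0.1"]


def vulnerable_command(target):
    """Anti-pattern: the input becomes part of a string that a shell will parse."""
    return "ping -c 4 " + target  # ';' and '|' in target turn into shell syntax


def safe_argv(target):
    """Hardened form: accept only a literal IPv4 address and build an argv list."""
    try:
        addr = ipaddress.IPv4Address(target.strip())
    except ValueError:
        raise ValueError(f"rejected target: {target!r}") from None
    # A validated dotted quad cannot start with '-', so it cannot act as a ping option.
    return ["ping", "-c", "4", str(addr)]


def run_ping(target):
    """Run ping without a shell: argv elements are passed as-is, never re-parsed."""
    result = subprocess.run(safe_argv(target), capture_output=True, text=True,
                            timeout=15, check=False)
    return result.stdout


def classify(samples):
    """Map each input to its argv list, or None when validation rejects it."""
    out = {}
    for s in samples:
        try:
            out[s] = safe_argv(s)
        except ValueError:
            out[s] = None
    return out


if __name__ == "__main__":
    for s, argv in classify(SAMPLES).items():
        print(f"{s!r:22} shell string: {vulnerable_command(s)!r:32} argv: {argv}")
```

Validation and shell-free execution are independent layers: either one alone blocks the metacharacter inputs, and keeping both means a later loosening of the validator does not reintroduce the bug.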
Exploitation
- I go to the web page and I can run ping or traceroute, as in the following image:
- I try to concatenate a command so that it runs after the ping. Commands can be concatenated in different ways:
| # This symbol concatenates two commands, but we only see the output of the second command.
; # This symbol ends the command, so we can run another command.
- Now I know that I can run commands, so I search for the file in the root directory with the following command:
- Finally, I want to display the flags with the cat command: