
ISSessions CTF 2021 Trend NoCommandOnlyPing

Mar 31, 2021 | 2 minutes read

TrendMicro - No Command Only Ping

Pinging hosts by calling exec? That’s a great idea!

Going into this, I had a feeling that it was going to be a command injection. Turns out it was yet more accurate labeling by John/Thracky.

Solution

The application was a Tomcat/Java EE WAR package. This is just a zip, so you can extract it pretty easily.

Once extracted, you want to find the .class file and toss this into a decompiler.

Here, you can find the vulnerability pretty clearly:

// host is the value of the POST parameter and is concatenated straight into the shell command line
String[] cmd = { "/bin/sh", "-c", "ping -c 4 " + host };
Process process = Runtime.getRuntime().exec(cmd);

Well, that’s a pretty cut and dry command injection.

Let's first list what we know about sh command lines specifically, and how IP addresses and hostnames are supposed to be formatted.

  • You can chain commands in a variety of ways, using special characters.
  • IP addresses (both v4 and v6) use delimiters that can include both . and :. IPv6 can use both (it's weird like that).
  • Hostnames can use periods, A-z, 0-9, and hyphens.

Incorporating all of these, we can create a regex to match on: [A-z0-9.]+[^A-z-.=: \d][\\\^]?/i. The leading [A-z0-9.]+ part matches legitimate values such as the following:

  • subdomain.domain.tld
  • 1.1.1.1
  • fe80::0
  • fe80:0:01:021::0
  • domain.tld

But the key point is the negated class that follows: it will not match any of the characters - . = : (space). These are the valid delimiters for IP addresses and hostnames (= is there because of the POST request value formatting), so the rule only fires when some other special character follows the host value. Any other character can be considered an injection attempt.

I highly recommend using regexr.com for writing regex. Immensely useful.

alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"pingpong vulnerability"; flow:to_server; content:"POST"; http_method; content:"/pingpong/Ping"; http_uri; content:"host="; pcre:"/host=[A-z0-9.]+[^A-z-.=: \d][\\\^]?/i"; classtype:web-application-attack; sid:1234560002;)
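To see how the pcre in the rule above actually behaves, here is an added Python check (not part of the write-up) that runs the same pattern over a few constructed POST bodies; the tightened second pattern and the sample bodies are assumptions of this example, not the author's.

```python
import re

# The write-up's Snort pcre option transcribed to Python (PCRE /i -> re.IGNORECASE).
ORIGINAL = re.compile(r"host=[A-z0-9.]+[^A-z-.=: \d][\\\^]?", re.IGNORECASE)

# Tightened variant, an assumption of this example and not from the write-up:
# in ASCII the range A-z also spans [ \ ] ^ _ and the backtick, so the original
# pattern treats a backtick like a letter and never fires on it. Spelling the
# letter ranges out closes that gap.
TIGHTENED = re.compile(r"host=[A-Za-z0-9.]+[^A-Za-z0-9.=: -]", re.IGNORECASE)


def rule_fires(body, pattern=ORIGINAL):
    """True when the pcre matches this POST body, i.e. the alert would fire."""
    return pattern.search(body) is not None


def evaluate(bodies, pattern):
    """Map each body to whether the pattern's verdict agrees with its label."""
    return {body: rule_fires(body, pattern) == expected
            for body, expected in bodies.items()}


# Constructed POST bodies for /pingpong/Ping: True = should alert, False = benign.
SAMPLES = {
    "host=subdomain.domain.tld": False,
    "host=1.1.1.1": False,
    "host=fe80::0": False,
    "host=fe80:0:01:021::0": False,
    "host=my-host.example": False,
    "host=1.1.1.1;id": True,      # ';' starts a second command
    "host=1.1.1.1|id": True,
    "host=1.1.1.1$(id)": True,
    "host=1.1.1.1`id`": True,     # missed by ORIGINAL, caught by TIGHTENED
}

if __name__ == "__main__":
    for name, pattern in (("original", ORIGINAL), ("tightened", TIGHTENED)):
        misses = [b for b, ok in evaluate(SAMPLES, pattern).items() if not ok]
        print(f"{name}: {len(SAMPLES) - len(misses)}/{len(SAMPLES)} correct; missed {misses}")
```

Running it shows the original pattern gets every sample right except the backtick case, which the tightened pattern also catches.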