Showing posts from July, 2019

2019 Stonecutters - The Battle of Gettysburg

Here's our latest write-up for the secret Stonecutters challenge that we've code-named "The Battle of Gettysburg."

Somebody is Going to Get Parasites

For this challenge we made use of a tool that automates OS command injection. Okay, let's get into it.

Similarly to all of the other "Any Key" challenges, I registered my SSH key with the scoring server and I was able to connect to a web server on For more information about this CTF feel free to check out this post.

The web server that loaded was a simple input field that indicated that I needed to check if a file existed and a submit button that said "fire." Naturally, I tried /etc/passwd and here's what I saw: Hit! When I checked for "foo", I saw a message that said "missed." I then entered /flag.txt and got another hit.

I tried really hard to find an LFI, and I also spent some time attempting to eke out a SQL error. However, commix was the