2019 Stonecutters - The Battle of Gettysburg
![Image](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJx_aAo0po_wXV_qv088GuFBDaL6aRTaI28-hi7WX83DeQF7sHsi_Z_DK64fjRWcpZ1woLQ7zmLX3oGxpuMOiA97bCDXByCFa409mBc7Cprg7GjnFth3fH5EZCpQkQ__aTISc26YpSA7_i/s320/Gettysburg+Reenactment.png)
Here's our latest write-up for the secret Stonecutters challenge that we've code named "The Battle of Gettysburg."

Somebody is Going to Get Parasites

For this challenge we made use of a tool that automates OS command injection. Okay, let's get into it.

Similarly to all of the other "Any Key" challenges, I registered my SSH key with the scoring server and I was able to connect to a web server on 127.0.0.1:8080. For more information about this CTF feel free to check out this post.

The web server that loaded was a simple input field that indicated that I needed to check if a file existed and a submit button that said fire. Naturally, I tried /etc/passwd and here's what I saw:

Hit!

When I checked for "foo", I saw a message that said "missed." I then entered /flag.txt and got another hit.

I tried really hard to find an LFI, and I also spent some time attempting to eke out a SQL error. However, commix was the