Dangerous Comment | CyberStart Completion

Dangerous Comment


One of the Yakoottees, Haruka, recently created a site where she posts photos of her favourite cars. We think it might be a front to store files containing their plans to break into the Superspin factory. Each page has a form on it where you can post comments. Try and use the form on this particular page to use command injection and find any files hidden in the same directory. Remember, to inject code you need to include two commands by including a semi-colon.

Tip: One of the files has the flag in it.


Try using a semi-colon in the comment box, followed by the code you want to run. So, perhaps try ;ls first to get a list of files.

How to Solve:

  1. In the comments box, type ';ls -a to get a list of files in the directory.
  2. Check each file’s content with ';cat <file name>, one of them will have the flag, the flag should be in escape_plan.txt.
  3. Running ';cat escape_plan.txt will reveal the flag.