easy

Level 5: Server Fingerprinting (No Server Header)

Recon

Challenge Description

The origin hides its Server header. Determine which web server powers this app anyway.

Objective

A network diagnostic tool executes ping with user input. Chain additional commands to retrieve the flag.

What you'll learn
  • How shell commands can be chained
  • Command injection via special characters
  • Why input validation is critical for system calls
Need a Hint?
Trigger a server-generated error (e.g., 405 at /probes/methods) to fingerprint behavior.

Common command separators:

; - sequential
&& - execute if previous succeeds
| - pipe output
` - command substitution
$() - command substitution

Try: localhost; whoami

Network Diagnostics Tool

Ping any host to check connectivity
Vulnerable Code
$host = $_GET['host'];

// VULNERABLE: Direct execution without validation
$output = shell_exec("ping -c 2 $host");

echo $output;
Never pass user input directly to shell commands! Use whitelists and escapeshellarg().
Safety Note: This is a safe simulation. No actual system commands are executed. In production, this vulnerability would allow full system compromise.