Cowsay as a Service (CaaS) — PicoCTF Walkthrough
The article describes the exploitation process in a CTF challenge: through a command injection vulnerability in the Cowsay as a Service (CaaS) website, shell commands (such as `ls` and `cat falg.txt`) are injected via the URL to retrieve the contents of the flag file on the server. 2025-10-4 07:37:55 Author: infosecwriteups.com



cowsay as a service

Hello everyone!

Welcome to my very first CTF walkthrough that I’m excited to share with you today. This particular challenge stood out to me as one of the more interesting ones, and I had a great time working through it.

So, without further ado, let’s dive into the solving process!

Challenge Overview

In this CTF challenge, we’re introduced to a quirky little web service called Cowsay as a Service (CaaS). The functionality is simple: whatever input we give in the URL, it will be displayed using the classic `cowsay` ASCII art format.

For example, visiting the following URL:
https://caas.mars.picoctf.net/cowsay/<message>

will result in:

How it works?

Looks innocent, right?

🕵️‍♂️ Time to Explore

The key part of the challenge lies in how the user input (`<message>` in the URL) is handled. The fact that the text we pass in is echoed back in the output hints at potential command injection.

Since backticks (`) trigger command substitution in Bash, it's worth testing whether we can run actual shell commands through the input field.

Let’s try something simple:
https://caas.mars.picoctf.net/cowsay/`ls`

Output:

Infected input — `ls`

💥 Boom! — We just executed `ls` on the server! That means the input is being passed directly to a shell without sanitization.

🏁 Finding the Flag

From the directory listing above, we can see a file named `falg.txt`. It seems like a typo for `flag.txt`, but hey — CTFs love to keep us on our toes.

Let’s try to read it:

```
https://caas.mars.picoctf.net/cowsay/`cat falg.txt`
```

And the result:

Infected input — `cat falg.txt`

🎉 Flag Captured! 🎉

What We Learned

  • Always test how user input is handled, especially in URL paths.
  • Command injection is a common web vulnerability — and a dangerous one if not mitigated.
  • Bash features like command substitution (`...`) can be powerful tools in CTF challenges.
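To make the "passed directly to a shell" point from the exploration section and the mitigation point from the lessons above concrete, here is an added example (not the challenge's own source code) contrasting the shell-string pattern with a no-shell version, plus a small detection check for the path parameter. It assumes the service wraps the `cowsay` binary; `program` can be swapped for `echo` to run the demonstration offline.

```python
"""Vulnerable pattern vs. no-shell call for a cowsay wrapper (added example)."""
import re
import subprocess

# Characters that let a shell run something other than the intended program:
# backticks and $ (command substitution), ; | & (chaining), < > (redirection)
# and newlines. Used for logging/alerting on suspicious path parameters;
# the real fix is below in safe_argv, not this regex.
SHELL_METACHARS = re.compile(r"[`$;|&<>\n]")


def looks_like_injection(message: str) -> bool:
    """Flag a message worth logging or alerting on (detection, not a sanitizer)."""
    return SHELL_METACHARS.search(message) is not None


def vulnerable_command(message: str) -> str:
    """The pattern the walkthrough exploits: the message is interpolated into a
    string handed to `sh -c`, so `ls` inside backticks runs before cowsay ever
    sees it. Returned as a string here and deliberately never executed."""
    return f"cowsay {message}"


def safe_argv(message: str, program: str = "cowsay") -> list:
    """Pass the message as a single argv element. With no shell involved,
    backticks, $( ) and semicolons are literal text to the child process.
    Messages starting with '-' are rejected so the binary cannot parse them as
    options (assumed extra caveat; the page does not cover option injection)."""
    if message.startswith("-"):
        raise ValueError("message may not start with '-'")
    return [program, message]


def render_safe(message: str, program: str = "cowsay") -> str:
    """Run the program without a shell (shell=False is the default) and return stdout."""
    result = subprocess.run(
        safe_argv(message, program), capture_output=True, text=True, check=True
    )
    return result.stdout


if __name__ == "__main__":
    payload = "`ls`"  # constructed sample: the payload used in the walkthrough
    print("detected:", looks_like_injection(payload))
    print("what sh -c would receive:", vulnerable_command(payload))
    # echo stands in for cowsay so this runs anywhere; the backticks survive.
    print("no-shell output:", render_safe(payload, program="echo"), end="")
```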

Final Thoughts

This was a fun and lighthearted challenge that combined humor with core cybersecurity concepts. The use of `cowsay` made it a bit more entertaining than your average command injection problem, and I really enjoyed solving it.

Thanks for reading, and stay tuned for more CTF walkthroughs!


Article source: https://infosecwriteups.com/cowsay-as-a-service-caas-picoctf-walkthrough-0c102345eac0?source=rss----7b722bfd1b8d--bug_bounty
In case of infringement, please contact: admin#unsafe.sh