Siemens Future Minds CTF — TimeTok

TimeTok was one of the challenges in Siemens Future Minds CTF. It was from the Web category and has the following description:


The vulnerability is inside the TimeModel class. It receives an $format variable to use it with the “date” command in order to run that command.

TimeModel is used inside TimeController. TimeController will retrieve a format from the user and initialize TimeModel, before running getTime()-function of TimeModel

As you can see the format-Parameter is user supplied, but never sanitized, which makes this web application prone to command injection.

Exploiting the vulnerability

In order to inject an arbitrary command, I have used a valid format parameter and injected my command after a “;”. Finally I have ended my input with a “#” sign. This starts a comment in bash command, which will ignore everything after the “#” sign. This is needed because after the injected payload there is still “‘ 2>&1”. The whole payload, which I have used is the following:

%H:%M:%S'; cat /flag; #

After submitting the request, I was able to retrieve the flag inside the HTML:



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store