
03/11/24

CommandInjection

Vending Machine | CyCTF 2024


In the name of Allah, the Most Gracious, the Most Merciful

Command Injection
Hello everyone! It's Omar (aka キ Mushroom).
Welcome to this short write-up for the Vending Machine challenge from the CyCTF 2024 qualifications.
Let's get started!
(Screenshot: vending-machine-challenge)
We are provided with a single page with one input field.
(Screenshot: main page)
I typed something into the input and captured the request with Burp.
My goal was to trigger an error, so I tested multiple characters until I got one by entering a NULL byte: %00.
(Screenshot: error message)
The error reveals that our input is passed straight into PHP's shell_exec() function, so this is a command injection.
After a bit of experimentation, I found the flag stored in an environment variable. Payload: anything; env
(Screenshot: flag)
That's it! Don't forget to check out my other write-up on the SMS challenge.
See you in the next one!
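To show why the error above amounts to a full command injection, and what the fix looks like, here is an added PHP example. It is not the challenge's source code (the write-up never shows it); the vend.sh script name, the item parameter and the function names are assumptions. It reproduces the vulnerable shell_exec() pattern next to three hardened forms: allowlist validation, escapeshellarg() quoting, and running the program without a shell via proc_open().

```php
<?php
// Added illustration, not the challenge's actual source (which the write-up
// does not show). It reproduces the pattern the error message revealed:
// request input reaching shell_exec() unchanged.

// --- Vulnerable pattern: the request parameter is concatenated straight
// into a shell command string, so a shell metacharacter such as ";" ends
// the intended command and starts a second, attacker-chosen one.
function vend_insecure(string $item): string
{
    // Hypothetical helper script name; the real challenge backend is unknown.
    return (string) shell_exec("./vend.sh " . $item);
}

// --- Hardened form 1: strict allowlist validation before anything touches
// the shell. An item code that is not short and purely alphanumeric is rejected.
function vend_allowlist(string $item): string
{
    if (!preg_match('/^[A-Za-z0-9]{1,16}$/', $item)) {
        throw new InvalidArgumentException('invalid item code');
    }
    return (string) shell_exec("./vend.sh " . $item);
}

// --- Hardened form 2: quote the argument so the shell treats it as one
// literal word. escapeshellarg() wraps the value in single quotes and
// escapes any single quotes inside it, so ";" is just a character.
function vend_escaped(string $item): string
{
    return (string) shell_exec("./vend.sh " . escapeshellarg($item));
}

// --- Hardened form 3: avoid the shell entirely. proc_open() with an array
// command (PHP >= 7.4) executes the program directly; no shell parses the
// command line, so metacharacters are only bytes in an argument.
function vend_no_shell(string $item): string
{
    $descriptors = [1 => ['pipe', 'w']]; // capture stdout only
    $pipes = [];
    $proc = proc_open(['./vend.sh', $item], $descriptors, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start vend.sh');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    return $out;
}

// Request handling: the write-up's "anything; env" input shows the difference.
// Through vend_insecure() the shell runs env as a second command; through the
// hardened functions it is either rejected or passed as one literal argument.
$item = $_POST['item'] ?? '';
try {
    echo htmlspecialchars(vend_allowlist($item));
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo 'Invalid input';
}
```

The insecure variant is what the %00 error exposed: with the input concatenated into the command line, the ";" in "anything; env" terminates the vend command and the shell runs env as a separate one, dumping the process environment and the flag with it. Two further defensive points follow from this challenge: PHP error output reached the client (that is how shell_exec() was discovered), so display_errors should be off in production; and a secret kept in an environment variable is readable by any code executing in that process, so once injection exists the exact payload hardly matters.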
