ping-cmd

Published: March 20, 2026

Description

Can you make the server reveal its secrets? It seems to be able to ping Google DNS, but what happens if you get a little creative with your input?

Launch the challenge instance and open the web interface.

The site accepts an IP address and runs ping against it.

Solution

  1. Step 1: Identify the injection point
    The web app takes a user-supplied IP and passes it directly to the shell's ping command without sanitisation. This allows command injection by appending shell operators.
  2. Step 2: Inject a command to read the flag
    Enter a payload that terminates the ping command and appends a cat of the flag file. Use a semicolon or a pipe as the separator.
    8.8.8.8; cat /flag.txt
    8.8.8.8; ls /
    8.8.8.8; find / -name flag.txt 2>/dev/null
  3. Step 3: Read the flag output
    The server executes the injected command and returns the output in the page response, revealing the flag.
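
The root cause from Step 1, shown next to a fixed version. This is an added example, not the challenge's own server code (which the page does not show): it assumes a Python back end and IPv4-only input, and the function names are hypothetical.

```python
import ipaddress
import subprocess

# Assumption: the challenge's server code is not on the page. This sketches
# the flawed pattern the write-up describes and one way to fix it.


def vulnerable_command(user_input: str) -> str:
    """The flawed pattern: input concatenated into a shell command string.

    Returned rather than executed, so the effect of shell operators in the
    input is visible without running anything.
    """
    return "ping -c 1 " + user_input


def safe_ping_argv(user_input: str) -> list[str]:
    """Validate the input as an IPv4 literal and build an argv list."""
    # IPv4Address raises ValueError unless the string is exactly four
    # decimal octets, so ';', '|', spaces and the like are rejected.
    addr = ipaddress.IPv4Address(user_input.strip())
    # "--" ends option parsing: the address can only be a positional argument.
    return ["ping", "-c", "1", "--", str(addr)]


def safe_ping(user_input: str) -> str:
    """Run ping with no shell; each argv element reaches ping verbatim."""
    argv = safe_ping_argv(user_input)
    result = subprocess.run(argv, capture_output=True, text=True, timeout=5)
    return result.stdout


if __name__ == "__main__":
    # Constructed inputs; the second is a payload quoted in the write-up.
    for sample in ["8.8.8.8", "8.8.8.8; cat /flag.txt"]:
        print("shell string:", vulnerable_command(sample))
        try:
            print("argv:       ", safe_ping_argv(sample))
        except ValueError as exc:
            print("rejected:   ", exc)
```

Validation and the shell-free argv list are independent layers: either one alone stops the payloads above, and using both means a gap in the validator does not reopen the injection.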

Flag

picoCTF{c0mmand_1nj3ct10n_...}

The flag is revealed directly in the ping output after command injection.