This is my solution to the McAfee ATR Hax 2021 web challenge A DNS Query To Rule Them All! You are provided with a website hosting a very basic nslookup web app.
Clicking submit returns output that looks like that of the nslookup command line tool, run on the website parameter. Could that parameter be injectable?
Begin by seeing if we can find the flag. Easiest place to start might be using the ls command to see if we can list the contents of the current directory.
Sure enough, that works and lists the contents of the current directory as:
dns_get.php flag.txt index.html status.html
It’s a simple enough task now to replace “&ls” with “&cat flag.txt” in the injectable website field to retrieve the flag: