John Hammond | Sunday, December 13th, 2015
Daedalus Corp. uses a web interface to control some of their toaster bots. It looks like they removed the command 'Shutdown & Turn Off' from the control panel. Maybe the functionality is still there...
If you browse to the web page and click on any of the options, you'll notice that the URL changes with a handle.php file that determines what action you are doing.
We need to try and get to the the 'Shutdown & Turn Off' action. Could it be simple enough to just go to that location? Try it: [http://web2014.picoctf.com/toaster-control-1040194/handler.php?action=Shutdown & Turn Off](http://web2014.picoctf.com/toaster-control-1040194/handler.php?action=Shutdown & Turn Off)
I get the error
Unsupported action: Shutdown
Do you see what is happening here? The ampersand is not being processed by the URL. That is because it is a special character that must be escaped for URLs. We can solve this really easily with the urllib module in Python. It includes a [quote] function that will URL encode any string we give it.
>>> import urllib
>>> urllib.quote('Shutdown & Turn Off')
'Shutdown%20%26%20Turn%20Off'So our ampersand was encoded to %26. You'll notice our spaces were encoded to %20, as well, but normally web browsers can handle those just fine. Either way, Python did all the hard work for us, and we can just throw that at the website.
Go to the URL http://web2014.picoctf.com/toaster-control-1040194/handler.php?action=Shutdown%20%26%20Turn%20Off and receive your flag!
Submit: flag_c49bdkeekr5zqgvc20vc