Security · 1h ago
HackTheBox 'Void Whispers' Writeup: Command Injection via Unescaped Shell Input
A PHP mail-settings panel passes user input directly to shell_exec() without escaping, allowing arbitrary command execution. The filter only blocks spaces, which is bypassed using bash's ${IFS} variable. Attackers can read and exfiltrate /flag.txt via timing delays and out-of-band callbacks.
Meridian48 take
This writeup is a practical demonstration of a classic injection flaw, but the real-world relevance is limited to CTF challenges—production apps rarely expose such trivial escapes.
command-injectionctf-writeup