□ Goal : Execute the getflag command with the flag07 account and check for the message "You have successfully executed getflag on a target account"
□ Analysis of the source code
○ The backtick expression `ping -c 3 $host 2>&1` runs the ping test through the shell and stores its output in the @output array, which the foreach loop then prints line by line
○ The script is served by the web server and runs as a CGI program on each request
□ Vulnerability
○ On the last line, `param("Host")` takes the user-supplied Host parameter and passes it into the command string without any filtering or validation
The thttpd.conf file is in the /home/flag07 directory, and the thttpd service appears to be running. Opening the file shows the port number and the account the service runs as: the port is 7007 and the user is flag07. Be aware that the thttpd service is terminated a certain time after Nebula boots, so this level should be solved quickly.
You can see the result of the ping test by supplying a value for the Host parameter in your web browser. However, because the program uses the Host parameter without any filtering, you can execute the getflag command as the flag07 account by inserting a URL-encoded semicolon (%3B, which decodes to ;) before the command, as above.
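As an added illustration of how the flaw analysed above is fixed (this is not code from the level or from this writeup), here is a hardened version of the same CGI pattern: the Host parameter is validated against a hostname/IPv4 whitelist, and ping is run through the list form of open, which execs the program directly instead of handing a command string to /bin/sh. The function names validate_host and ping_host are assumed, and the CGI module is assumed to be installed as in the original script.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;

# Accept only a dotted-quad IPv4 address or an RFC 1123 hostname.
# Anything else (shell metacharacters, a leading '-', empty input)
# is rejected.  Returns the validated string, or undef on rejection.
sub validate_host {
    my ($host) = @_;
    return undef unless defined $host && length($host) && length($host) <= 253;
    if ($host =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/) {
        for my $octet ($1, $2, $3, $4) {
            return undef if $octet > 255;
        }
        return $host;
    }
    # Hostname labels: alphanumerics and '-', no leading/trailing '-'
    my $label = qr/[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?/;
    return $host if $host =~ /^$label(?:\.$label)*$/;
    return undef;
}

# Run ping without a shell.  With more than one element after '-|',
# open() forks and execs the program directly, so ';', '|' or backticks
# inside $host arrive as one literal argument and are never parsed by
# /bin/sh.  (Assumed helper name, not from the original script.)
sub ping_host {
    my ($host) = @_;
    open(my $fh, '-|', 'ping', '-c', '3', $host)
        or die "cannot run ping: $!";
    my @output = <$fh>;
    close($fh);
    return @output;
}

my $cgi = CGI->new;
print $cgi->header('text/html');
my $host = validate_host(scalar $cgi->param('Host'));
if (!defined $host) {
    print "Invalid Host parameter<br/>\n";
} else {
    print "$_<br/>" for ping_host($host);
}
```

Unlike the original `2>&1`, the list form does not merge ping's stderr into the captured output; error text goes to the web server's error log instead, which is the safer default for a CGI script.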