
routarded starts you out with a hint in the challenge description that the target webpage is a router with default credentials. After trying a bunch of default router combinations, @jonathansinger found a working combination of <blank>:admin. This pops you into the management site of this fake router, which has a promising diagnostics page.


We went straight for command injection by inputting 127.0.0.1 & ls to try to get the “router” to execute ping 127.0.0.1 & ls , but we found out that things get messed up along the way. There’s some input santitization going on (presumably with JavaScript) that removes spaces and ampersands.

Rather than dealing with disabling JavaScript or something, I started Firefox and connected it to Burpsuite, fixing the request as it got sent out to work around the problem altogether.


Looks like there’s a file called flag. Let’s try to read it out by submitting 127.0.0.1 & cat flag and fixing it with Burp.

Additional credit for solving this challenge goes to @jonathansinger.