picoCTF caas (Cowsay as a Service)- Best Writeup

Challenge Name: caas Author: BrownieInMotion Category: Web Exploitation Vulnerability Type: Remote Code Execution (RCE) / Command Injection

xrabbit

~2 min read · December 30, 2025 (Updated: December 30, 2025) · Free: Yes

Challenge Description

The caas challenge presents Cowsay as a Service, where user input is passed to a backend Node.js Express application that executes the cowsay system command and returns the output.

Root Cause of Vulnerability

The application uses the Node.js child_process.exec() function with unsanitized user-controlled input (check the index.js file) :

exec(`/usr/games/cowsay ${req.params.message}`)

Because exec() invokes a system shell, any input provided via req.params.message is interpreted by the shell. This creates a command injection vulnerability, leading directly to Remote Code Execution (RCE).

Impact

Execution of arbitrary system commands
Reading sensitive files (e.g., flags in CTF environments)
Full compromise of the application container.

Now Use "cat" command to view the falg.txt

#caa #picoctf #medium #remote-code-execution #picoctf-caas

picoCTF caas (Cowsay as a Service)- Best Writeup

Challenge Name: caas Author: BrownieInMotion Category: Web Exploitation Vulnerability Type: Remote Code Execution (RCE) / Command Injection

Challenge Description

Root Cause of Vulnerability

Impact

Reporting a Problem