WEBVERSE

Difficulty: medium / Category: Command Injection / Tier: Pro

LogCraft

LogCraft's health report generator accepts a custom title and shells out to produce the output. Double quotes are stripped before the title is spliced into the command, but stripping them does nothing to stop command substitution inside the quoted argument.

The Scenario

LogCraft is a log aggregation SaaS for engineering teams. One of its paid features is the Health Report generator, which produces a formatted summary of log volume, error rates, and active sources. The report is named with a custom title supplied by the user. The developer knew double quotes were dangerous inside a shell command, so they stripped them before passing the title in. The command wraps the title in double quotes; stripping the quote character stops the title from closing that quoted argument, but inside a double-quoted string the shell still performs backtick substitution, so an attacker never needs to break out of the quotes at all.

Challenge Intel

Synopsis

A log analytics SaaS whose report generator strips double quotes but leaves backtick command substitution completely open.

What It Is

LogCraft's Health Report feature passes a user-supplied title into a shell command after removing double-quote characters. The command wraps the title in double quotes. Unlike single quotes, which suppress all expansion, double quotes still allow backtick command substitution to run, so an unfiltered backtick pair lets you embed the output of an arbitrary command directly in the report header.
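The following is an added illustration, not LogCraft's code or anything from the challenge itself. The real command the report generator runs is not shown on this page, so the `printf "%s" "Health Report: ..."` shape below is an assumption standing in for it; the three sample titles are constructed. The point is to demonstrate the filter's failure described above (only double quotes are removed, so `` `...` `` and `$(...)` still expand inside the double-quoted argument) and to show the two fixes a reviewer would ask for: quoting with `shlex.quote`, or, better, not invoking a shell at all.

```python
"""Why stripping only '"' does not stop command substitution inside a
double-quoted shell argument, and two ways to fix the pattern.

Added example: the command shape and sample titles are assumptions, not
the challenge's real code.
"""
import shlex
import subprocess

# Constructed sample titles. The first is harmless; the other two carry
# command substitution that a filter removing only '"' leaves untouched.
BENIGN = 'Q3 "Health" Report'
BACKTICK = 'Q3 `echo INJECTED` Report'
DOLLAR = 'Q3 $(echo INJECTED) Report'


def strip_double_quotes(title: str) -> str:
    """The partial filter described on the page: only '"' is removed."""
    return title.replace('"', "")


def _run_shell(cmd: str) -> str:
    """Run a command string through /bin/sh and return its stdout."""
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def vulnerable_header(title: str) -> str:
    """Assumed shape of the vulnerable call: the filtered title is spliced
    into a shell string between double quotes. Double quotes suppress word
    splitting and globbing but not `...` or $(...), so the embedded command
    runs and its output lands in the header."""
    cmd = 'printf "%s" "Health Report: ' + strip_double_quotes(title) + '"'
    return _run_shell(cmd)


def safe_header_quoted(title: str) -> str:
    """If a shell string is unavoidable, shlex.quote() single-quotes the
    value (escaping any embedded single quotes). Nothing expands inside
    single quotes, so backticks and $() reach printf as literal text and the
    double-quote filter becomes unnecessary."""
    cmd = 'printf "%s" ' + shlex.quote("Health Report: " + title)
    return _run_shell(cmd)


def safe_header_no_shell(title: str) -> str:
    """Preferred fix: no shell at all. The title travels as a single argv
    element, so the shell's quoting and expansion rules never apply."""
    return subprocess.run(
        ["printf", "%s", "Health Report: " + title],
        capture_output=True,
        text=True,
    ).stdout


def surviving_substitutions(title: str) -> list:
    """Audit helper: which substitution syntaxes survive the filter? This is
    the check to run against any character-level filter before trusting it."""
    filtered = strip_double_quotes(title)
    survivors = []
    if "`" in filtered:
        survivors.append("backtick")
    if "$(" in filtered:
        survivors.append("dollar-paren")
    return survivors


if __name__ == "__main__":
    for name, title in (("benign", BENIGN), ("backtick", BACKTICK), ("dollar", DOLLAR)):
        print(f"{name:9} survives filter: {surviving_substitutions(title)}")
        print(f"{name:9} vulnerable -> {vulnerable_header(title)!r}")
        print(f"{name:9} quoted     -> {safe_header_quoted(title)!r}")
        print(f"{name:9} no shell   -> {safe_header_no_shell(title)!r}")
```

Running it shows `INJECTED` appearing in the header for both the backtick and `$()` titles under the vulnerable path, while both fixed paths print the substitution syntax verbatim. Note that the two fixes do not strip anything: correct quoting (or no shell) makes the character filter redundant, which is the general lesson about partial filters.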

Who It's For

Testers who have already completed a basic command injection and want to practise exploiting a partial filter. You should understand how shell quoting works before attempting this one.

Skills You'll Practice

  • Shell quoting and expansion order
  • Backtick vs $() command substitution
  • Reasoning about what a character filter does and doesn't block
  • Interpreting reflected command output inside application responses

What You'll Gain

  • Practical experience with backtick injection as a quote-filter bypass
  • Deeper understanding of shell evaluation order
  • A reusable mental model for auditing partial input filters
  • Confidence approaching challenges where an obvious payload is blocked
