WEBVERSE


Easy · Command Injection · Free

Netcheck

Netcheck's network diagnostics tool lets customers run live connectivity checks from Netcheck's own servers. What else can you make it run?

The Scenario

Netcheck is a bootstrapped uptime-monitoring SaaS founded in 2021 by two ex-SRE friends in Lisbon, with about 800 paying teams on plans that start at $19/month. The Manual Diagnostics panel was a sales-led feature, built in an afternoon to close a deal with a customer who wanted "proof from outside our network," and it has been quietly earning revenue ever since. The annual customer audit lands in two weeks and the founders asked you to take a look first.

Challenge Intel

Synopsis

A network monitoring SaaS with an unfiltered shell command hiding behind a legitimate diagnostics feature.

What It Is

Netcheck's Manual Diagnostics panel fires a real ping from the server — user input goes straight into the shell with no sanitisation. The output is reflected directly in the browser, making this a clean introduction to OS command injection with no tricks or filters to bypass.
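For code review, the pattern described above next to a hardened form, as an added example that is not Netcheck's or WebVerse's own code. It assumes a Python handler; every function name and sample input is hypothetical and constructed for illustration.

```python
import ipaddress
import re

# Hypothetical names throughout; the page does not show Netcheck's handler.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

def vulnerable_command(target: str) -> str:
    """Pattern to flag in review: input interpolated into a shell string.

    Passed to subprocess.run(..., shell=True), the shell parses the whole
    string, so metacharacters in `target` are interpreted, not pinged.
    """
    return f"ping -c 1 {target}"

def validate_target(target: str) -> str:
    """Accept only an IP literal or a plain DNS hostname; raise otherwise."""
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    labels = target.split(".")
    if len(target) > 253 or not all(_LABEL.fullmatch(l) for l in labels):
        raise ValueError(f"rejected target: {target!r}")
    return target

def safe_argv(target: str) -> list[str]:
    """Hardened form: validated input, argv list, no shell involved.

    Run with subprocess.run(safe_argv(t), shell=False, timeout=5).
    The "--" stops ping from treating a leading "-" as an option.
    """
    return ["ping", "-c", "1", "--", validate_target(target)]

# Constructed sample inputs (not taken from the challenge).
SAMPLES = ["192.0.2.10", "status.example.com", "192.0.2.10; echo INJECTED",
           "example.com | echo INJECTED", "-f", "a b"]

def review(samples):
    """Return {input: argv list, or 'rejected'} for each sample."""
    out = {}
    for s in samples:
        try:
            out[s] = safe_argv(s)
        except ValueError:
            out[s] = "rejected"
    return out

if __name__ == "__main__":
    for k, v in review(SAMPLES).items():
        print(f"{k!r:35} -> {v}")
```

Validation and the argv list are independent layers: the allow-list rejects anything that is not an address or hostname, and without a shell even a missed character reaches ping only as a literal argument.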

Who It's For

Anyone new to command injection who wants a pure, unobstructed first solve before tackling filtered or blind variants.

Skills You'll Practice

  • Understanding how web applications execute OS commands
  • Shell metacharacter basics (semicolon, pipe, ampersand)
  • Reading raw command output returned in HTTP responses
  • Recognising the difference between intended and injected output

What You'll Gain

  • A confident first command injection solve on a realistic target
  • Hands-on understanding of how unfiltered input reaches the shell
  • Core payload vocabulary for injection escalation
  • A mental model for spotting similar patterns in real-world code reviews
