Academy, Advanced Command Obfuscation

Hi All, I’m on with the Advanced Command Obfuscation module
and I’m completely stuck on the exercise in the Case Manipulation
section. The exercise gives us the following command to manipulate:

$(a="WhOaMi";printf %s "${a,}")

And I’m having no luck at all.

I don’t want to spill too much cos I don’t want to spoil, but I’ve used
%0a where I think it needs to go, the relevant ${LS_COLORS} to
replace ; and %09 for spaces. Which, when I send in Repeater gives
the response below:

PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.016 ms

--- 127.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.016/0.016/0.016/0.000 ms

But no data regarding the whoami command.

I’ve tried leaving it for a bit and coming back to it but I’ve started to
go around in circles and I’m sure I’m overthinking this now.

Please can anyone give me a pointer or some guidance, I can’t move
on until I nail this.

Thanks

2 Likes

Just for clarification here, are you stuck on the question at the end? Or have you already got that. I only ask because the question can be solved by other means.

I am not sure if the machine at the end is actually vulnerable to case manipulation or if they were just showing you an example.

Edit: I was wrong about the above; it is susceptible to case manipulation. However, I don’t know if that’s the best way to solve the question.
-onthesauce

Hi onthesauce, thanks for replying, it’s an exercise question in the
case manipulation part of the module, near the start of the module,
not the final assessment.

$(a="WhOaMi";printf %s "${a,}")

Exercise: Can you test the above command to see if it works on your Linux VM, and then try to avoid using filtered characters to get it working on the web application?

It’s really stumped me.

Ta

Yeah I took a go at it, definitely beyond me. Please DM me if you figure it out!
-onthesauce

Thanks anyway, I’ll keep digging away at it, if I figure it out I’ll DM
you how I did it.

Ta
kippa

Hi onthesauce, I did a bit more digging about with this command
and the only way I could get it to work was by base64 encoding it,
which I’m not sure if that was what HTB were after:

SPOILER

4 Likes

This has been killing me for so long. Does everyone else skip this, or is the solution that simple and easy, and I’m just beating my head against the wall uselessly?

1 Like

The solution is rly that simple - just see which of the 3 methods was discussed - and don’t overcomplicate it.

Anyone here able to figure this out? I attempted the same thing that @kippa did, but not getting any output related to the whoami command.

I spent a long time with this challenge
Finally I solved it
Here is a hint:
use these two techniques

$(tr "[A-Z]" "[a-z]"<<<"WhOaMi")

Exercise: Can you test the above command to see if it works on your Linux VM, and then try to avoid using filtered characters to get it working on the web application?

Solution:
The semicolon can be considered a new line, so it’s replaced by %0a = New Line
&
The spaces are replaced by ${IFS}

So basically I figured it out:

Apparently when you copy paste the command like (I assume) everyone did… I spent 3 hours until I figured out… that it leaves a newline like when you hit enter in the Burp request… this causes the injection not to load… I tried everything until it worked. Here is the payload:

127.0.0.1%0a$(a="WhOaMi"%0aprintf%09%s%09"${a,}")

you are welcome

1 Like

Dude you are GOAT. Thanks!!
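
Added example (not part of any post above, and not HTB's code): a defender's view of why the payload posted in the thread gets past a character-and-keyword blacklist, which markers it leaves for logging, and how an allowlist with an argv-style call rejects it. The blacklist contents, the function names and the ping arguments are assumptions.

```python
import ipaddress
import re
from urllib.parse import unquote

# Hypothetical blacklist, modelled on the filtered characters and commands the
# thread describes; the real application's filter is not shown in the thread.
BLOCKED_CHARS = set("; &|")
BLOCKED_WORDS = ("whoami",)

# Markers of the techniques named in the thread, for logging and alerting.
OBFUSCATION = {
    "newline": re.compile(r"[\r\n]"),
    "tab": re.compile(r"\t"),
    "ifs": re.compile(r"\$\{?IFS\}?"),
    "substitution": re.compile(r"\$\(|`"),
    "case_expansion": re.compile(r"\$\{\w+(,{1,2}|\^{1,2})\}"),
    "here_string": re.compile(r"<<<"),
}

def blacklist_accepts(raw: str) -> bool:
    """Naive filter: reject listed characters and exact-case command names."""
    value = unquote(raw)
    if any(ch in BLOCKED_CHARS for ch in value):
        return False
    return not any(word in value for word in BLOCKED_WORDS)

def flag_obfuscation(raw: str) -> list[str]:
    """Return the names of the markers present after URL-decoding."""
    value = unquote(raw)
    return sorted(name for name, rx in OBFUSCATION.items() if rx.search(value))

def ping_argv(raw: str) -> list[str]:
    """Allowlist: accept only a literal IPv4 address, else raise ValueError."""
    # IPv4 only in this sketch; IPv6 zone identifiers would need their own check.
    addr = ipaddress.IPv4Address(unquote(raw))
    # Intended for subprocess.run(argv, shell=False): no shell parses the input.
    return ["ping", "-c", "1", str(addr)]

# Sample input: the payload from the last post, with plain ASCII quotes.
THREAD_PAYLOAD = '127.0.0.1%0a$(a="WhOaMi"%0aprintf%09%s%09"${a,}")'

if __name__ == "__main__":
    print("blacklist accepts:", blacklist_accepts(THREAD_PAYLOAD))
    print("markers:", flag_obfuscation(THREAD_PAYLOAD))
    try:
        ping_argv(THREAD_PAYLOAD)
    except ValueError as exc:
        print("allowlist rejects:", type(exc).__name__)
```

The blacklist passes the payload because it matches characters and exact-case names, while the allowlist never asks what is forbidden, only whether the whole value is an address.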