Hi All, I’m on with the Advanced Command Obfuscation module
and I’m completely stuck on the exercise in the Case Manipulation
section. The exercise gives us the following command to manipulate:
$(a="WhOaMi";printf %s "${a,}")
And I’m having no luck at all.
I don’t want to spill too much cos I don’t want to spoil, but I’ve used
%0a where I think it needs to go, the relevant ${LS_COLORS} to
replace ; and %09 for spaces. Which, when I send in Repeater gives
the response below:
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.016 ms
--- 127.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.016/0.016/0.016/0.000 ms
But no data regarding the whoami command.
I’ve tried leaving it for a bit and coming back to it but I’m starting to
go around in circles and I’m sure I’m overthinking this now.
Please can anyone give me a pointer or some guidance, I can’t move
on until I nail this.
Just for clarification here, are you stuck on the question at the end? Or have you already got that? I only ask because the question can be solved by other means.
I am not sure if the machine at the end is actually vulnerable to case manipulation or if they were just showing you an example.
***Edit: I was wrong about the above, it is susceptible to case manipulation, however, I don’t know if that’s the best way to solve the question.***
-onthesauce
Hi onthesauce, thanks for replying, it’s an exercise question in the
case manipulation part of the module, near the start of the module,
not the final assessment.
$(a="WhOaMi";printf %s "${a,}")
Exercise: Can you test the above command to see if it works on your Linux VM, and then try to avoid using filtered characters to get it working on the web application?
Hi onthesauce, I did a bit more digging about with this command
and the only way I could get it to work was by base64 encoding it,
which I’m not sure if that was what HTB were after:
This has been killing me for so long. Does everyone else skip this, or is the solution that simple and easy, and I’m just beating my head against the wall uselessly?
Exercise: Can you test the above command to see if it works on your Linux VM, and then try to avoid using filtered characters to get it working on the web application?
Solution :
The semicolon can be considered a new line so it’s replaced by %0a = New Line
&
The spaces are replaced by ${IFS}
Apparently when you copy-paste the command like (I assume) everyone did… I spent 3 hours until I figured out… that it leaves a newline like when you hit enter in the Burp request… this causes the injection not to load… I tried everything until it worked. Here is the payload: