Academy, Advanced Command Obfuscation

Hi All, I’m on with the Advanced Command Obfuscation module
and I’m completely stuck on the exercise in the Case Manipulation
section. the exercise gives us the following command to manipulate:

$(a=“WhOaMi”;printf %s “${a,}”)

And I’m having no luck at all.

I don’t want to spill too much cos I don’t want to spoil, but I’ve used
%0a where I think it needs to go, the relevant ${LS_COLORS} to
replace ; and %09 for spaces. Which, when I send in Repeater gives
the response below:

PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.016 ms

— 127.0.0.1 ping statistics —
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.016/0.016/0.016/0.000 ms

But no data regarding the whoami command.

I’ve tried leaving it for a bit and comming back to it but I’ve starting to
go around in circles and I’m sure I’m over thinking this now.

Please can anyone give me a pointer or some guidance, I can’t move
on until I nail this.

Thanks

Just for clarification here, are you stuck on the question at the end? Or have you already got that. I only ask because the question can be solved by other means.

I am not sure if the machine at the end is actually vulnerable to case manipulation or if they were just showing you an example.

***Edit: I was wrong about the above, it is susceptible to case manipulation, however, I don’t know if thats the best way to solve the question. ***
-onthesauce

Hi onthesauce, thanks for replying, it’s an exercise question in the
case manipulation part of the module, near the start of the module,
not the final assessment.

$(a=“WhOaMi”;printf %s “${a,}”)

Exercise: Can you test the above command to see if it works on your Linux VM, and then try to avoid using filtered characters to get it working on the web application?

It’s really stumped me.

Ta

Yeah I took a go at it, definitely beyond me. Please DM me if you figure it out!
-onthesauce

Thanks anyway, I’ll keep digging away at it, if I figure it out I’ll DM
you how I did it.

Ta
kippa

Hi onthesause, I did a bit more digging about with this command
and the only way i could get it to work was by base64 encoding it,
which I’m not sure if that was what HTB were after:

SPOILER

ip=127.0.0.1%0abash<<<$(base64%09-d<<<d2hvYW1p)

1 Like