Academy command injection skills assessment


I am trying to solve the Command Injection Skills Assessment.
I have tried the below payloads but I am unable to solve the issue. could anyone guide me to solve this.

Parameter: from
Payload: 696212415.txt&&w’h’o’am’i
$(rev<<<‘txt.galf/. tac’)

Error while moving: mv: missing destination file operand after ‘/var/www/html/files/696212415.txt’
Try ‘mv --help’ for more information.

You try to insert into a command like mv from to.

The Unix mv needs two arguments from and to. You must create an code injection which yield a valid mv command call followed by a command call you like to execute.

You can develop the needed arguments with a local bash. Like

mv $from $to

If the arguments for from and to worked local, then you can test the bash command injection on the server.

Hi Xtal,

Thank you for the information, I have solved the assessment.
Need to identify the working injection operator (|| or && or & or $() or :wink: and then find the proper payload to read the flag.txt (use o’bf’usc’at’ion or proper encoding and replace the filtered characters with environment variables or alternate characters)
Some time, the content of the flag.txt will appear with error message.


Hi Appsec,

Currently working on this one, just keep getting hit with 302s so not sure where any purchase is. Do you know if I can use either download, copy, or move - will intercepting and injecting any of these commands work, or is there a specific one that’s the way in and if so do you know why? Thanks!

@Appsec Your hints helped me to get “flag.txt” :grin:

Any tips about how to find the injection point?

the input parameter is the injection point

1 Like

Thanks, this hint helped me a lot.

After you identify the vulnerable api endpoint, you see the error message contains something you could control. then why not just put flag here? use technique you’ve learned before, it just works.

By the way, if you try to do something to some folder, then you could download the source code of this vulnerable application.

I need some help here…
Can anyone explain this…?

I need someone to point me in the right direction please, what am I doing wrong? or what do i need to do?

I’ve just completed it with a bit of help from the posts above.

You’re on the right track here with the injection point, which is why it’s throwing the “Malicious request” error. I had another look at the “Bypassing Other Blacklisted Characters” and played about with some of the parameters in there, putting them after “.txt” along with a payload.

Thanks, I wasted days before i could solve this and my subscription is expired for now

i am stuck at the finding flag.txt in command injection i have tried
and crafted it with different paylods for burp i am still not able to find it

nice one. felt a little overwhelmed at first coz wasn’t sure where i had to head. played around, and thought about the cp and mv commands and where i could inject something. then went one character by character to see what was allowed and what wasn’t. ultimately the payload took shape and i got the flag, after maybe 6/8 hours altogether? it’s actually not that hard, and everything needed is explained in the module (the bypass techniques), but requires some sit-downs and thinking.