Academy | Command Injections - Skills Assessment

Hey can someone help me or do with me the Skills Assessment part! Im stuck at the beginning of this:( Pls write on this post or add me on discord: Black_Crow#8540

The Creator give me a hint and now i got it. Check all functions befor you dig deeper!

Could you (or anyone else :slight_smile: ) give me some other hint? Coz I found the post method but i don’t know what i should do with ajax and what I have to look at to see if i’m doing right or wrong. Thanks

I’m stuck on this also. I think I found that the Command Injection is on when you move the file to tmp and also the accepted character is &

Type your comment> @Gocka said: > I’m stuck on this also. I think I found that the Command Injection is on when you move the file to tmp and also the accepted character is & I did it. You’re on the way, & is the accepted command and you’ll have to use ${PATH0:1} and the ${LS_COLORS:10:1}

1 Like

hi friends im on the same, i put tmp&from=787113764.txt${LS_COLORS:10:1}${PATH:0:1}flag.txt&finish=1 but get the name of injected code on the html page, please give clue, thanks a lot!!!

i just completed this one - i found it a little tricky. I thought i’ll try to add fresh tips (well the things that were not obvious to me initially).

  1. The command injection can be a GET request - i was hunting for only POST requests (the AJAX post is not the answer!)

  2. Make sure you press every single icon on the site and complete processes they allow you to instigate. (Stupidly, I wasted a lot of time going in the wrong direction because i did not totally explore the site - its all in plain sight but i was not paying full attention.

  3. I used burb to inspect requests abd responses and inject the code - i think thats obvious. I didn’t need to inspect the code using firefox(crtl+U)

  4. You’ll know when you are getting close because the rendered webpage (in burb repeater) will start writing on the page ‘malicious request’. So when you are exploring you can write in the ‘raw’ requests such as ‘;ls’ to know if you are probing the right place. When you get the message then can start ob’f’usc’a’ting it ( <<<hint).

  5. Obvious but i’ll clarify (as I made this mistake initially) - you have to include ALL the original variables in the request else the site just resets to the landing page.

  6. The posts above say that you need to use ‘&’ and ‘LS_COLORS’ - i’m sure it works but i didn’t use either. I used || - just letting you know you have options.

Hope that is useful.

Goodluck.

2 Likes

hello @dstnat, i think you need find another way of pre-pending an injection character at the start of your code - the webpage is just parsing it as part of the address of the original code. I assume thats why its just being written on the screen and not executed. (I used ’ II ’ ).

1 Like

@johneverist , Thanks! Your post was very helpful! I was definitely banging my head against the wall. I think detection of the command injection was the hardest part.

To anyone still stuck on detection, click everything and send it to the repeater for testing. Then read #4 from johneverist.

If stuck on the command injection, t’r’y har’d’er. Or dm me and I will see if I can push you in the right direction.
-onthesauce

I guess the hardest part on this assessment is to find the where to inject the command. I am still trying to find where to inject command to at least to get the ‘malicious response’ and know I am on right track. so far, I only got bad request response

Just got my flag \o/
As it was said on previous message. Test everything on page.
Once you find the place to inject the command, test what is blocked and try one of the various trick showed on previous sections. it will help you.
Definitely, for me the hardest part was to find where to inject the command. after I found that, it was not that hard to get the flag :slight_smile:
Good luck all

1 Like

Still stuck on trying to find the injection point :tired_face:

maybee somebody can help me ?
i try move some file to tmp directory, but always have an error (((

I pulled out all my hair during this exercise. WIthout the specific hint to look for the string

within the >1000 lines HTTP-response, I would have never figured out any reaction to command injection attemps.

I can give one more recommendation:
Look for different ways to start a sub-shell, as neither && not || worked for me!

got it!

Thank you everybody, this topic helped a lot. Another hint, there are 3 fields with = that could be used on the injection. Make sure to test all of them.