Academy | Command Injections - Skills Assessment

Hey, can someone help me or do the Skills Assessment part with me! I'm stuck at the beginning of this :( Pls write on this post or add me on Discord: Black_Crow#8540

The creator gave me a hint and now I got it. Check all functions before you dig deeper!

Could you (or anyone else :) ) give me some other hint? Coz I found the POST method but I don't know what I should do with AJAX and what I have to look at to see if I'm doing right or wrong. Thanks

I’m stuck on this also. I think I found that the Command Injection is on when you move the file to tmp and also the accepted character is &

@Gocka said:
> I'm stuck on this also. I think I found that the Command Injection is on when you move the file to tmp and also the accepted character is &

I did it. You're on the way, & is the accepted command and you'll have to use ${PATH:0:1} and the ${LS_COLORS:10:1}


Hi friends, I'm on the same. I put tmp&from=787113764.txt${LS_COLORS:10:1}${PATH:0:1}flag.txt&finish=1 but get the name of the injected code on the HTML page. Please give a clue, thanks a lot!!!

I just completed this one - I found it a little tricky. I thought I'd try to add fresh tips (well, the things that were not obvious to me initially).

  1. The command injection can be a GET request - I was hunting for only POST requests (the AJAX POST is not the answer!)

  2. Make sure you press every single icon on the site and complete the processes they allow you to instigate. (Stupidly, I wasted a lot of time going in the wrong direction because I did not totally explore the site - it's all in plain sight but I was not paying full attention.)

  3. I used Burp to inspect requests and responses and inject the code - I think that's obvious. I didn't need to inspect the code using Firefox (Ctrl+U)

  4. You’ll know when you are getting close because the rendered webpage (in Burp Repeater) will start writing on the page ‘malicious request’. So when you are exploring you can write in the ‘raw’ requests such as ‘;ls’ to know if you are probing the right place. When you get the message, then you can start ob’f’usc’a’ting it ( <<<hint).

  5. Obvious but I'll clarify (as I made this mistake initially) - you have to include ALL the original variables in the request, else the site just resets to the landing page.

  6. The posts above say that you need to use ‘&’ and ‘LS_COLORS’ - I'm sure it works but I didn't use either. I used || - just letting you know you have options.

Hope that is useful.

Good luck.

Hello @dstnat, I think you need to find another way of pre-pending an injection character at the start of your code - the webpage is just parsing it as part of the address of the original code. I assume that's why it's just being written on the screen and not executed. (I used ’ II ’ ).
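
A defender's view of what the posts above describe: a filter that blocks selected characters can be sidestepped with other operators or shell expansions, so the fix is to allowlist the file and directory names and move the file without a shell. This is an added example, not part of the thread or of the Academy exercise; the function names, the allowlist pattern and the sample inputs are assumptions made for illustration.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Allowlist (assumed policy): one plain name, no leading dot, no shell or path metacharacters.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-][A-Za-z0-9._-]{0,127}")

def resolve_inside(base: Path, name: str) -> Path:
    """Return base/name if name is allowlisted and resolves to a direct child of base."""
    if not SAFE_NAME.fullmatch(name):
        raise ValueError(f"rejected name: {name!r}")
    candidate = (base / name).resolve()
    if candidate.parent != base.resolve():  # catches symlinks that point elsewhere
        raise ValueError(f"outside base directory: {name!r}")
    return candidate

def move_file(base: Path, src_name: str, dest_dir_name: str) -> Path:
    """Move a file into a sibling directory without ever building a shell command."""
    src = resolve_inside(base, src_name)
    dest_dir = resolve_inside(base, dest_dir_name)
    if not src.is_file() or not dest_dir.is_dir():
        raise ValueError("source must be a file and destination a directory")
    # shutil.move uses rename/copy system calls, so no shell ever parses the names.
    return Path(shutil.move(str(src), str(dest_dir / src.name)))

# Constructed inputs as (to, from) pairs; the rejected ones reuse strings quoted in the thread.
CONSTRUCTED_REQUESTS = [
    ("tmp", "787113764.txt${LS_COLORS:10:1}${PATH:0:1}flag.txt"),
    ("tmp", "787113764.txt;ls"),
    ("tmp||", "787113764.txt"),
    ("tmp", "787113764.txt"),
]

def demo() -> list:
    """Run the constructed requests against a throwaway directory."""
    outcomes = []
    with tempfile.TemporaryDirectory() as tmpdir:
        base = Path(tmpdir)
        (base / "tmp").mkdir()
        (base / "787113764.txt").write_text("constructed sample file\n")
        for dest, src in CONSTRUCTED_REQUESTS:
            try:
                move_file(base, src, dest)
                outcomes.append("moved")
            except ValueError:
                outcomes.append("rejected")
        outcomes.append((base / "tmp" / "787113764.txt").is_file())
    return outcomes

if __name__ == "__main__":
    print(demo())
```

The allowlist rejects the input before anything touches the filesystem, so it does not matter which operator or expansion a request tries; only names made of the permitted characters reach the move.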