Academy | Command Injections - Skills Assessment

So I did it, but I don’t know exactly which command was the one that worked. The flag.txt only appeared on the /tmp webpage after refreshing it. At the time I was trying another method using Burp to capture the packet(s) when copying and/or moving a document to the main page after it was moved to the /tmp page. Moving any document back to the main page caused the ‘malicious request denied’ message alert, but it did allow the document to be copied to the main page if it had originally been moved to /tmp.

I also get the following message alerts a lot: “bash: /flag.txt: Permission denied”, and the "Error while moving: mv: missing destination file operand after ‘/var/www/html/files/’ ". I’ve mainly been using the ||, && methods, but have tried various other URL-Encoded characters, and also injecting the input in the middle of the command rather than at the end, but all to no avail.

If anyone is able to point me in the right direction, I would greatly appreciate it! Also, PM me if you want to exchange more detailed methods/ideas that we shouldn’t post here.

Finally found the code injection that got the flag.txt to appear on the /tmp page, and I respawned the server to double check and make sure it was right.

What did it was finding which URL-Encoded characters worked, where to input them, and most importantly, refreshing the /tmp webpage to see if the flag.txt appeared even though an error appeared under the “message alert” in Burp. I incorrectly assumed the error meant that the command was unsuccessful, oops…

Hi,

You have to find a Command Injection method (||), from there t’r’y different bypass methods. Using a bypass method for / should work.

I have already solved that a long time ago.
Thanks anyhow :slight_smile:

Hello there,

Can you please give me a hint ?
i tried:
to=tmp&from=605311066.txt%7c%7cls&finish=1&move=1
to=tmp&from=605311066.txt%7c%7cl's'&finish=1&move=1
to=tmp&from=605311066.txt%7c%7cwh'o'a'm'i&finish=1&move=1
I am getting the message “Malicious request denied” but I can’t find anywhere in the code the response for the “ls” or “whoami” command in order to continue further.
Am I missing something?

You have to check the denied characters. In your case the %7c (|) character is blacklisted and you mustn’t use it; try another type of injection.

Well, I found that %26%26 (&&) is not blocked but I can’t see the ls output.
I am getting the “error while moving” instead of the “malicious request”; I am injecting a command (l's') but no luck finding the ls command output.

I used this:
GET /index.php?to=tmp&from=787113764.txt1%26%26l's'&finish=1&move=1

In my case I didn’t use the && because it is interpreted as a GET request parameter separator. I recommend you try to bypass with another character.

Thank you. Your instructions helped me to solve the assessment.


I cannot represent / using ${PATH:0:1}

I also used this:
%26%26s'h%09<<<$(rev<<<"txt.galf/%09tac")

But I don’t know why I cannot get the flag, and this payload is flagged as malicious. Could anyone help me with that? Thx

Every time I spawned the target, it was normal at first. After a few seconds, I can’t connect to the target.

Only a few seconds after spawning the target, I can’t connect to it. I scan the given port and it shows that the port is closed. I have tried Pwnbox, but still hit the same problem.
Could anyone help? Thx

I think this box might spawn with slightly different parameters for each person, because || and | always came back as malicious for me, and in Naivenom’s screenshot it looks like the command is being executed with sh whereas for me it was using bash. Also I never got anywhere with <<<. I did end up using ${LS_COLORS} and ${PATH}. I think it might be based on IP, as the rules always seemed to stay the same even when I reset the box. Could probably test this with a VPN but I don’t feel like it.

If you’ve scrolled down this far you’re probably pretty stuck, here’s what I have to add:

johneverist’s tips are very good. Use them.

Number one thing, don’t get stuck thinking you have to use anyone’s exact syntax. As I said, I think this might change person to person.

Find the injection point, you’ll know you’re getting close when you get ‘malicious request detected’, but only for certain inputs. There is another spot on the site where this will be returned every time. Do not be fooled.

Methodically go through and figure out what syntax is allowed for you, write it down, make a list. Write down exactly what error you get for each string you send through, there could be clues there.

Try to get ‘ls’ working, so you can find where the flag.txt is.

I’d recommend actually using the buttons on the site and just intercepting them with Burp/ZAP, rather than using repeater, so you can actually see the results on the site. It’s slower, but I think I would have missed some things if I was just using repeater.

One thing I haven’t seen people mention here is `` these things. They’re pretty cool. Just sayin.

%26%26s'h%09<<<$(rev<<<"txt.galf/%09tac") could be flagged as malicious because of the ‘/’. Slash was blacklisted for me. Also you probably can still use ${PATH:0:1}; sometimes certain payloads would get reflected back at me as well, even though I could use the strings in them. Maybe try a little more obfuscation around your commands. Most commands are blacklisted on this box.

@kkkkkkk some of the target machines are pretty complex, after you spawn the target it may take up to 5 or 10 minutes to actually deploy the docker instance. I know it gives you the IP address right away. But give it time. Some of the WordPress and Session Security exercises seem to take forever to load. These things are not instantaneous. Just give it a few more seconds to load lol.
-onthesauce

Can you possibly help me too? I’ve been battling with this for days.

So far I’ve discovered that all the operators except && are blocked (i.e. ; | \n).

A sub shell is possible and ${PATH:0:1} works for /. However, LS_COLORS doesn’t exist so I can’t get a ; from that.

I’ve tried 877915113.txt$(tr${IFS}'!-}'${IFS}'"-~'<<<:) to try and get a ; - I don’t get a Malicious error, I just get “Error While Moving:” and no filename or anything further.

Right now I’m just trying to execute the ls command, but I’m getting nowhere. I feel like there is something simple I’m missing?

Ok so I’ve been banging my head against a wall here.

Every operator except && seems to be blocked. A sub shell is possible, so I started fiddling with sending bash commands encoded in base64.

I tried an ls payload at first, and got index.php and config.php as the only extra files visible. Now for the weird part, when I send a payload like this, it breaks the website. I can’t send a new payload and if I go back to the website IP I get this:


The payload looks like this:

?to=tmp&from=696212415.txt$(bash<<<$(base64${IFS}-d<<<bHM=))

I can read the config file and any attempt to move any of the files after this results in a Malicious error. To try another payload I have to restart the server. I’ve tried a payload to cat flag.txt as well but it responds with ‘flag.txt:no such file or directory’. The server breaks and needs to be restarted after that. The flag payload contains ‘cat flag.txt’ encoded in base64:

?to=tmp&from=696212415.txt$(bash<<<$(base64${IFS}-d<<<Y2F0IGZsYWcudHh0))

Any help would be greatly appreciated!
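Since the whole thread is about a blacklist on the `from` parameter letting `&&`, `$()` and `${IFS}` through, here is the fix from the defender’s side as an added example (not the Academy box’s PHP, which is never shown in the thread): allowlist the file name and move the file through a library call instead of a shell, so there is no command string left to inject into. The `BLACKLIST` set, the `files`/`tmp` layout and the function names are assumptions for illustration.

```python
"""Hardened "move file" handler: allowlist validation and no shell.
Added example; the directory layout and the blacklist contents are assumed."""
import re
import shutil
from pathlib import Path

# Rough stand-in for the kind of filter the thread describes: reject a handful of
# metacharacters (assumed list). Everything not on the list is let through.
BLACKLIST = set(";|`\n/")

def blacklist_check(name: str) -> bool:
    """True when no blacklisted character is present (the weak approach)."""
    return not any(c in BLACKLIST for c in name)

# Allowlist: a bare file name only. Rejects &, $, (, <, quotes, whitespace and path parts.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")
ALLOWED_DIRS = {"files", "tmp"}

def allowlist_check(name: str) -> bool:
    """True only for a plain file name (the robust approach)."""
    return bool(SAFE_NAME.fullmatch(name)) and name not in {".", ".."}

def safe_move(base: Path, from_name: str, to_dir: str) -> Path:
    """Move base/files/<from_name> into base/<to_dir>/ without invoking a shell.
    Raises ValueError for anything that fails the allowlist or escapes the web root."""
    if not allowlist_check(from_name):
        raise ValueError("invalid file name")
    if to_dir not in ALLOWED_DIRS:
        raise ValueError("invalid destination")
    base = base.resolve()
    src = (base / "files" / from_name).resolve()
    dst_dir = (base / to_dir).resolve()
    # Belt and braces: both ends must still sit inside the web root after resolving.
    if src.parent != base / "files" or dst_dir.parent != base:
        raise ValueError("path escapes web root")
    if not src.is_file():
        raise FileNotFoundError(from_name)
    dst = dst_dir / from_name
    shutil.move(str(src), str(dst))  # library call, no command string, no injection surface
    return dst
```

Run against the payloads quoted in this thread, `blacklist_check` passes them while `allowlist_check` rejects every one of them; that gap is the whole assessment.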

Hey dude,

It sounds like you are going hella above and beyond for this challenge. You look to be in the right place, but you shouldn’t need all the advanced payloads that you are trying to use. Feel free to DM me and I will see if I can point you in a better direction.
-onthesauce

I’m scratching my head as well :slight_smile:

I’ve found the injection point and I’m trying to move the /flag.txt file to the /tmp folder, but I’m getting a Permission denied message while moving.

Exact: “Error while moving: mv: cannot move ‘/flag.txt’ to ‘/tmp/flag.txt’: Permission denied”

Strange thing is that I also don’t see any output when I send an obfuscated ls command.

Can anyone point me in the right direction?