Academy | Command Injections - Skills Assessment

Thank you to everyone who contributed tips; you all were very helpful. My piece of advice would be to try and get an error in your Burp requests that gives you an idea of what commands are being run, and in what syntax, while messing around with the different fields of injection. Once you've got the syntax, all you need to do is bypass filters and find the proper payload.

I found a way to move files. I can even move .php into the /tmp folder, however the app is not allowing me to move /flag.txt at all. I can jump back and forward into directories and move index.php at will, but not /flag.txt. It is frustrating.

/flag.txt is locked and has no move permission, only copy permission…

I am unable to get the flag.txt.

I’ve tried to copy it:

Click to reveal spoiler

I’ve tried to cat it:

Click to reveal spoiler

I’ve tried to move it but got a permissions error.

I’ve managed to print the error on the page itself when I put the payloads in the “to” field instead of the “from” field, but it still does not print the flag.

I’ve tried many variations of these payloads but none are working. I’ve been stuck on this for 3 days now.

Any assistance will be appreciated.

What is the command, if I may ask?

I tried to follow your directions, but I keep getting “Folder is empty” in the File Manager using Burp Suite Repeater

Here is what I tried (Spoiler)

I tried both move and copy, url encoded ‘<<<’ (%3C%3C%3C), used to=tmp and without tmp. I’m not sure what I’m doing wrong.


You’re almost there. You don’t really need the part after the base64 code (%26from=51459716.txt%26finish=1%26move=1).

After to= the encoding is incorrect. Try %7c***bash<<< instead. (Replace *** with the encoded characters). You don’t have to encode <<< either.


Thank you very much! It took a day to figure out your hint but I finally got it. Much appreciated. Looking back now, I can’t believe I struggled so much on this one.

Good job! We all struggle. That’s the way to learn.

Awesome challenge so far. I have to agree with others that the biggest hassle was finding where to inject the command. There is no need to base64 encode anything if you don’t want to. Feel free to PM me if you are stuck.

I messed up by having Burp running and not having the whole website loaded. Remember to disable Burp when you visit the website for the first time :slight_smile:

Can anyone help me out? I'm not sure where I’m going wrong. I have read hints from previous posts but still can’t get it. Here is what I’ve done:

I have tried variations of #3 where I URL encode <<< with no luck.

I am getting the error “Error while moving: mv: and ‘t’ are the same file”. This is the unencoded version.

This is the whole thing.
Where am I making a mistake?

Did you figure it out, mate?

You are heading in the right direction. Before clicking on Move you must select tmp; after that you can select Move and the URL will change like this:


Now you can try to inject your payload. Try to put another sub-shell before bash and try different operators: ‘&’ ‘&&’ ‘|’ ‘||’ ‘$()’ ‘``’

Still struggling. Also, what did you mean by sub-shell?

Wow this was difficult. I finally got the flag. It was a lot more simple than I thought. I heard others get the flag with different methods but my method was relatively simple.

1. Find where to inject; intercept the move request with Burp.
2. Look for the "malicious request denied!" message in the response; that means you are injecting in the correct request.
3. Look for “error” in responses; they give valuable info about what is happening when you inject stuff.
4. It is possible to read the flag without uploading flag.txt to the /tmp directory or anywhere else; you can read it straight from the Response message in Burp Repeater.
5. It is not necessary to use sub shells, encoding, reversing words or using case manipulation.
6. I personally injected after from=filename.txtHERE
7. The only techniques I used were “bypassing blacklisted commands”, “bypassing blacklisted characters” and “bypassing space filters”. I solved this challenge with information only from these three modules.
8. I looked at and monitored error messages in responses, which ultimately led to my success. I was failing because the injection parameter I was using worked only if the first command succeeded. I realized from the response that the first command failed “Error while moving: mv: cannot stat 'var/www/html/files/2143214.txt : No such file or directory” and changed my injection parameter (from the “Detection” lesson) and immediately was successful.

Hope this helped. I spent 4 hours on this and did not stand up from the computer once :smiley:
Good luck!


Throwing my tips here since I found a cheeky way of doing this flag using mostly what you get in lesson “Bypassing Other Blacklisted Characters”. Here’s the deal, the default move command is like mv src dest… Now, HTB’s hint says it’s easier to inject at the end rather than the middle. Actually if you do both you get a quick and easy way…

Start like this: try to move the flag to /tmp, it won’t work but you will get a valuable error message. Now what would happen if you would run a command like: mv source /var/www/html/tmp$(head -n 1 /etc/passwd) ? You’d get the first line of /etc/passwd in the path itself. Try to adapt this to the assessment, it doesn’t require anything advanced, no base64 encoding or reversing… all you need to use is PATH, IFS and bypass a blacklisted command

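Added example, not part of any post in this thread and not the assessment's own code: a Python sketch of the `mv src dest` pattern the post above describes, showing a destination field pasted into a shell string next to a handler that validates names and runs mv without a shell. The function names, the allow-list and the harmless `tmp$(echo MARKER)` input are all constructed for illustration.

```python
import os
import re
import subprocess
import tempfile

# Assumed allow-list for file and folder names (illustrative, not from the page).
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]+")

def move_via_shell(root, src, dest):
    """Vulnerable pattern: request fields are pasted into one shell string."""
    cmd = f"mv {root}/{src} {root}/{dest}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True)

def move_without_shell(root, src, dest):
    """Hardened: validate names, then hand them to mv as separate argv items."""
    for name in (src, dest):
        if not SAFE_NAME.fullmatch(name) or name in (".", ".."):
            raise ValueError(f"rejected name: {name!r}")
    argv = ["mv", "--", os.path.join(root, src), os.path.join(root, dest)]
    return subprocess.run(argv, capture_output=True, text=True)

def demo():
    # Constructed sandbox: a temp directory with a tmp/ folder and two files.
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "tmp"))
    for name in ("a.txt", "b.txt"):
        with open(os.path.join(root, name), "w") as fh:
            fh.write("constructed sample file\n")

    crafted = "tmp$(echo MARKER)"  # constructed, harmless destination value

    # The shell evaluates $(...) before mv runs, so the output of the
    # substituted command becomes part of the destination path.
    move_via_shell(root, "a.txt", crafted)
    after_shell = sorted(os.listdir(root))

    # The same value never reaches a shell in the hardened handler.
    try:
        move_without_shell(root, "b.txt", crafted)
        rejected = False
    except ValueError:
        rejected = True

    # A legitimate move into tmp/ still works.
    move_without_shell(root, "b.txt", "tmp")
    return after_shell, rejected, sorted(os.listdir(os.path.join(root, "tmp")))

if __name__ == "__main__":
    print(demo())
```

An allow-list on names plus an argv-style call removes the need for the character and command blacklists the thread spends its time working around.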

Thanks, you helped me so much.

Solved it your way, fairly simple, thanks.