Academy | Command Injections - Skills Assessment

First click on the "copy to" on any file and copy it to the tmp folder. From there, if you try to "copy to" and move the file, you will get the malicious request denied. I used Burp and Network Monitor (Ctrl + Shift + E); when using Network Monitor, right-click on the GET request that led to "Malicious request denied", and it will open a new request which you can modify and send to see the result, which will be in the response. I injected the code after 'to='. "to=tmp&from=tmp%2F51459716.txt&finish=1&move=1" is the request that you will be modifying. The hint is to inject the code in the right place (so here we are doing mv tmp/51459716.txt tmp). 51459716.txt is the file I copied to tmp and tried to move. /, cat and space are blacklisted; maybe there are others, but those are what you will need to make your code work. You can use the encoding method, but make sure to change the space to ${IFS}; also you can use cat, but you need to modify the / and space. You can direct message me and I can help.
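To make the defensive lesson of this thread concrete, here is an added example (not the Academy lab's code, whose exact filter rules are unknown) of the file-manager pattern the post above describes: a "move" handler that splices the to= and from= parameters into "mv <from> <to>" behind a character blacklist, next to a hardened version that never touches a shell. The BLACKLIST tuple, the SAFE_NAME pattern and the temp-directory demo are constructed for illustration.

```python
import os
import re
import shutil
import tempfile
from typing import Optional

# Blacklist in the spirit of the lab's filter (constructed; exact rules unknown).
BLACKLIST = (" ", "cat", ";", "&&", "|")


def build_move_command_vulnerable(src: str, dst: str) -> Optional[str]:
    """Shell string the vulnerable app would hand to the shell, or None if the
    blacklist trips. The command is assembled by concatenation, so the filter
    is the only control: anything it does not list (e.g. ${IFS} standing in
    for a space, as the thread notes) passes straight through."""
    if any(bad in src or bad in dst for bad in BLACKLIST):
        return None
    return f"mv {src} {dst}"


# Hardened: one plain path segment per parameter, and no shell at all.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def resolve_inside(base: str, name: str) -> str:
    """Allowlist the name, then confine the joined path to base so neither
    traversal nor an absolute path can escape the upload root."""
    if not SAFE_NAME.fullmatch(name):
        raise ValueError(f"rejected name: {name!r}")
    root = os.path.realpath(base)
    full = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, full]) != root:
        raise ValueError("path escapes base directory")
    return full


def safe_move(base: str, src: str, dst_dir: str) -> str:
    """Move base/src into base/dst_dir via the filesystem API; returns new path."""
    src_path = resolve_inside(base, src)
    dst_path = resolve_inside(base, dst_dir)
    os.makedirs(dst_path, exist_ok=True)
    return shutil.move(src_path, os.path.join(dst_path, os.path.basename(src_path)))


def demo() -> bool:
    """Constructed run: a temp upload root with one file moved into 'tmp'."""
    with tempfile.TemporaryDirectory() as base:
        with open(os.path.join(base, "51459716.txt"), "w") as fh:
            fh.write("constructed sample\n")
        new_path = safe_move(base, "51459716.txt", "tmp")
        return os.path.isfile(new_path) and not os.path.exists(
            os.path.join(base, "51459716.txt"))
```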

I created this payload and am still not able to move the flag.txt to the tmp folder.

Can you help me with this?

This was a tough one.

Some tips about finding the payload to command inject:

  • You can command inject in a GET not just a POST
  • Look at moving a file and see what happens.

Some tips I found when you find the file:

  • You can solve this without moving the flag at all.
  • You can read the file without even doing a base64.
  • If you use certain commands from "Blacklisted Command Bypass" you can actually get the command to print out the /flag.txt on the website (i.e. viewing Render in Burp to see it easily).
  • While a command from "Blacklisted Command Bypass" may block one command to view files, maybe you can see what other commands aren't blocked. Don't assume that because a bypass is blocked for one command they all are.
  • There is a command that isn't even blocked for reading a file and printing its contents. You just need to find it. (But you can still use Blacklisted Command Bypass to use other commands to read the contents of a file.)
  • You can copy the file if you would rather do that, though. You will need to use Blacklisted Command Bypass to get round the copy command.

Tried everything, nothing seems to be working. Can you give me some more hints?

I tried with: bash (base64) and encoded spaces and slashes,
which after decoding contain cat /flag.txt, and that is all I get after putting this payload after to= or from= in Burp,

and I tried cp and mv and got no results, only malicious code denied.
I would appreciate your help :slight_smile:

I tried a lot and got stuck at one injection trick which says that the moving permission is denied. Any further insight you have for me on this, please?

Thank you @onthesauce for the awesome help. You are nothing short of awesomeness. My two cents to whoever follows this post in search of hints to solve it: try every combination and don't hesitate to add your reply for more help. If you happen to use Chrome to solve this assessment, the solution may not show up on the page even after you have already solved it. For me, Chrome was not showing any message from the server like 'Access Denied' or 'File copy errors' and so on. However, they were visible when I inspected it in the code inspector, went to the Network tab and checked the Preview tab. It may be visible to you if you are using Mozilla anyway.


Took me a few hours but I finally got it.

Frustrating while doing it, but once you get it, it's not that bad. My advice, like others have said, is to go down that table of URL-encoded injection characters they gave, see what works in your injection point and see if you can 'ls'. Then if nothing works, try a different injection point and try all the injection characters again. I used Burp Suite and clicked the Render view on the response to be able to read whether my ls command was working or I needed a different injection method. Once you get some response you know you are on the right track.

After that I used the shell and decode commands they gave previously to cat the flag.txt in the root dir.

Please, I would appreciate it if anyone could point me in a good direction. I have been on this for more than 24 hours.

Recommend focusing on one target parameter at a time to inject into there for initial detection. The variations of injection elements needed are covered in the learning material. There's more than one way to get command injection there also.


Saved me a lot of time, thank you very much.

Just got it. The first thing to do is to better understand how the command is being executed when clicking either the copy or the move button. You do not need to use Burp here because of the GET.

I just finished this last night. I wasted a lot of time working in the wrong parameter. Once I shifted to another parameter I was able to get the proof-of-concept command to show me the user, and then modified that to get the flag. Lesson learned.

Simple way, really, even possible without IFS.
Just remember (or discover :stuck_out_tongue_winking_eye: in my case) that "mv /xx/yy/coucou.txt hello" will create a file named "hello" with the content of "coucou.txt", provided that there is no folder called "hello" already.

Can't believe how simple it was in the end, so my advice to you is don't try to overcomplicate it. And like someone else said, work through the browser, not the Repeater; it made it much easier for me.


Just got it today after like 2 days of pulling my hair out, lol. Super simple.

HINT: I injected my code in the middle of the request, specifically in the $from= section of the request. Everything I used was in the cheat sheet, with a bit of modifying of a base64 payload.


Bro, I'm going to crush my head against the wall. Nothing seems to work, just malicious request again and again.

Yeah, there are a lot of blacklisted characters and commands. I got my flag by modifying the GET request you receive when going through moving files on the web app. Using the l's' command I was able to view the contents of the folder in the error I mentioned earlier. From there I just kept modifying my payload to cat the flag.txt file.

EDIT: Forgot to mention I modified the request in Burp using the Repeater.

Could you post the image of when you add l's'?

I don't have any images unfortunately, but first I injected URL-encoded characters to find which were whitelisted, then added l's' to verify I had legit code execution in the error message rendered by the site.
