Academy | Command Injections - Skills Assessment

First click on the "copy to" on any file and copy it to the tmp folder. From there, if you try to (copy to) and move the file, you will get the "Malicious request denied" message. I used Burp and the Network Monitor (Ctrl + Shift + E). When using the Network Monitor, right-click on the GET request that led to "Malicious request denied"; it will open a new request which you can modify and send to see the result, which will be in the response. I injected the code after 'to='. "to=tmp&from=tmp%2F51459716.txt&finish=1&move=1" is the request that you will be modifying. The hint is to inject the code in the right place (so here we are doing mv tmp/51459716.txt tmp). 51459716.txt is the file I copied to tmp and tried to move. /, cat and space are blacklisted; maybe there are others, but those are what you will need to make your code work. You can use the encoding method, but make sure to change the space to ${IFS}. Also, you can use cat, but you need to modify the / and space. You can direct message me and I can help.

I created this payload and am still not able to move the flag.txt to the tmp folder.

Can you help me on this?

This was a tough one.

Some tips about finding the payload to command inject

  • You can command inject in a GET not just a POST
  • Look at moving a file and see what happens.

Some tips I found when you find the file:

  • You can solve this without moving the flag at all.
  • You can read the file without even doing a base64.
  • If you use certain commands from “Blacklisted Command Bypass” you can actually get the command to print out the /flag.txt on the website (ie viewing render in burp to see it easily).
  • While a command from “Blacklisted Command Bypass” may block one command to view files, maybe you can see what other commands aren’t blocked… don’t assume that because a bypass is blocked for one command they all are.
  • There is a command that isn’t even blocked for reading a file and printing its contents. You just need to find it. (But you can still use Blacklisted Command Bypass to use other commands to read the contents of a file.)
  • You can copy the file if you would rather do that though. You will need to use Blacklisted Command Bypass to get round the copy command.

Tried everything, nothing seems to be working. Can you give me some more hints?

I tried with: bash (base64) and encoded spaces and slashes
which contain after decode cat /flag.txt and all I get after putting this payload after to= or from= in burp

and try cp and mv and don’t have results but malicious code denied
I will appreciate your help :slight_smile:

I tried a lot and got stuck at one injection trick which says that the moving permission is denied. Any further insight you have for me on this, please.

Thank you @onthesauce for the awesome help. You are nothing short of awesomeness. My two cents to whoever follows this post in search of hints to solve it: try every combination and don't hesitate to add your reply for more help. If you happen to use Chrome to solve this assessment, the solution may not show up on the page even after you have already solved it. As for me, Chrome was not showing any message from the server like ‘Access Denied’ or ‘File copy errors’ and so on. However, they were visible when I inspected it in the code inspector, went to the Network tab and checked in the Preview tab. It may be visible to you if you are using Mozilla anyway.

Took me a few hours but I finally got it.

Frustrating while doing it, but once you get it, it's not that bad. My advice, like others have said, is to go down that table of URL-encoded injection characters they gave, and see what works in your injection point and see if you can ‘ls’. Then if nothing works, try a different injection point and try all the injection characters again. I used Burp Suite and clicked the Render view on the response to be able to read if my ls command was working or if I needed a different injection method. Once you get some response you know you are on the right track.

After that I used the shell and decode commands they gave previously to cat the flag.txt in the root dir.

Please, I would appreciate it if anyone could point me in a good direction. Have been on this for more than 24 hrs.

Recommend focusing on one target parameter at a time to inject into for initial detection. The variations of injection elements needed are covered in the learning material. There’s more than one way to get command injection there also.

saved me a lot of time ty very much

Just got it. The first thing to do is to better understand how the command is being executed when clicking on either the copy or the move button. You do not need to use Burp here because of the GET.
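For the defensive side of what this thread describes, an added example (not from any post, and not the assessment's own code): a move handler that takes the same `to`/`from` query parameters but checks each path component against an allowlist and moves the file with a library call instead of building an `mv` command line, so a character blacklist is never needed. The directory layout, function names, allowlist policy and sample requests are constructed assumptions.

```python
import re
import shutil
import tempfile
from pathlib import Path
from urllib.parse import parse_qs

# Allowlist for one path component (assumed policy); everything else is rejected.
NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")

def resolve_inside(base: Path, relative: str) -> Path:
    """Resolve a user-supplied relative path; require it to stay under base."""
    parts = relative.split("/")
    if any(p in (".", "..") or not NAME_RE.fullmatch(p) for p in parts):
        raise ValueError("illegal path component")
    root, target = base.resolve(), (base / relative).resolve()
    if root not in target.parents:
        raise ValueError("path escapes base directory")
    return target

def handle_move(base: Path, query: str) -> Path:
    """Handle to=<dir>&from=<file>&move=1 without ever invoking a shell."""
    params = parse_qs(query, keep_blank_values=True)
    src = resolve_inside(base, params.get("from", [""])[0])
    dst_dir = resolve_inside(base, params.get("to", [""])[0])
    if not src.is_file() or not dst_dir.is_dir():
        raise ValueError("source must be a file, destination a directory")
    dst = dst_dir / src.name
    if dst.exists():
        raise ValueError("destination already exists")
    # Library call: the names are plain data, never parsed as a command line.
    return Path(shutil.move(str(src), str(dst)))

def demo() -> dict:
    """Run the handler on constructed requests in a throwaway directory."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        base = Path(d)
        (base / "docs").mkdir()
        (base / "tmp").mkdir()
        (base / "docs" / "51459716.txt").write_text("sample")
        moved = handle_move(base, "to=tmp&from=docs%2F51459716.txt&finish=1&move=1")
        results["moved"] = moved.relative_to(base.resolve()).as_posix()
        for label, to in [("ifs", "tmp%24%7BIFS%7Dx"), ("operator", "tmp%3Bls"), ("traversal", "..")]:
            try:
                handle_move(base, f"to={to}&from=tmp%2F51459716.txt&move=1")
                results[label] = "accepted"
            except ValueError:
                results[label] = "rejected"
    return results
```

Calling `demo()` returns the outcome of each constructed request: the plain move succeeds, and the three `to` values that a blacklist would have to anticipate are rejected by the allowlist before any file operation runs.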