Academy - WEB ATTACKS module - Bypassing Security Filters

Hi,
I have a strange problem - I’m unable to complete one of the sections for web attack module.
I’ve almost finished all sections, but one called ‘Bypassing Security Filters’ simply is not working for me at all. I suspect there is some bug or something misleading in the section description. So, I’d like to ask someone for a PM to check if their approach is the same and if it works for them.

The Problem:
I can’t bypass the BE filter to do command injection in any way (I tried all HTTP methods)

I used the task description as a lead for how I tackle the problem. It usually works OK without breaking the flow. But this one is a) misleading, and b) there is a bug.

Content of the task description:
To get the flag, try to bypass the command injection filter through HTTP Verb Tampering, while using the following filename: file; cp /flag.txt ./

So, e.g., I tried literally (encoded and non-encoded versions):
GET /index.php?filename=file%3bcp+/flag.txt+./
POST /index.php?filename=file%3bcp+/flag.txt+./

Same for different filenames.
Basically, this is what I expect should work, e.g.
HEAD /index.php?filename=file%3b → (or decoded /index.php?filename=file; )

Other info:
I tried HTB support, but that was not helpful at all. I’m not even sure if they understood what my problem is.

That exercise is clear to me. I understand the content and aim of the exercise. Basically, I need to switch the HTTP method to a different one, and the payload content won’t be checked due to an insecure coding approach. … At least that is what I expect from the exercise according to its content and the task description.

Why broken?
My assumption that it is broken for me is based on the different behaviour observed by me vs. that described in the source material.

E.g., my initial triggering method for uploading the file on the exercise machine is GET, not POST. But the content of the code from the exercise is this (taken from the section Verb Tampering Prevention):

if (isset($_REQUEST['filename'])) {
    // the filter only inspects $_POST, so a filename sent via another verb is never checked
    if (!preg_match('/[^A-Za-z0-9. _-]/', $_POST['filename'])) {
        // ...but the command is built from $_REQUEST, which merges GET and POST
        system("touch " . $_REQUEST['filename']);
    } else {
        echo "Malicious Request Denied!";
    }
}

Now, when I try something really simple, e.g.
POST / HEAD / PUT etc. /index.php?filename=file%3b
the file won’t be created, and I see Malicious Request Denied!, but it should pass. The whole exercise is focused on HTTP verb tampering, not code injection. So I assume this simple example should be OK according to the section description.

Can somebody tackle it together with me?

1 Like

Hey dude,

Definitely feel free to reach out to me. Out of curiosity, when you change the request method from GET to POST, are you also changing how you deliver the data?

When I look at both of these, the POST request would be wrong because it shouldn’t have the parameters in the URL like that. Make sure that you right-click and use “Change request method”, because it automatically formats it. Otherwise you would have to manually put the parameters after the headers and scrub them from the top.

Regardless, feel free to reach out.
-onthesauce

10 Likes

Man, thank you from my heart :slight_smile: That was the issue. I was not aware of it and assumed the same format. Solved :slight_smile:

This may possibly be the thing I missed in the ‘skill assessment’ section. Great hint!

2 Likes

No problem at all! I think I hit the same issue when I attempted that question.

Glad you got it!
-onthesauce

In repeater, right click the request and hit “Change request method.”

So simple, yet it stumped me for a bit!

John

2 Likes

That’s wild that such a handy tool wasn’t mentioned in the lesson. I was trying to manually format the request as a POST request by just moving the params to the body, but it still didn’t work. Guess I need to freshen up on common formats for the different verbs. Looking at it now, I was missing the Content-Type and some other headers that were needed to make it work. Thank you @onthesauce!

1 Like

Wow, I felt like such an idiot when I saw this, haha. Thanks for the help, onthesauce.

1 Like

I noticed this one doesn’t get formatted correctly when using ZAP, but when I used Burp Suite to change the method it formatted it correctly. Kind of frustrating since I mainly use ZAP, but I wanted to throw that out there for anyone else having an issue with this.

1 Like

I also found this difference between ZAP and Burp. Burp added a line to the request that ZAP didn’t add:

Content-Type: application/x-www[and_so_forth]

Honestly, I’m stuck on this question. I’ve answered all the others, but this one has got me. I’ve changed the delivery methods, I’ve changed the verbs, and I can’t find the beacon.
@onthesauce HELP ME PLEASE, I am viewing in the JS one const with these values:
const _0x480527 = ['z2v0vvjm', 'CNvUDgLTzq', 'ls0Gre9nieLUDMfKzxi6iezHAwXLzcb0BYbWyxjZzsbZzxr0Aw5NCW', 'nJG5mdu4s3fgz1zh', 'ls0Gre9nieLUDMfKzxi6ienVDwXKig5VDcbSB2fKihnLDhrPBMDZlIbuCNKGzw5HyMXPBMCGDgHLihjLBw92zsbWzxjTAxnZAw9UCYbWB2XPy3KGAgvHzgvYigLUihnLDhrPBMDZlG', 'zxjYB3i', 'mZK4otyXmNjZAvbADq', 'qMjizKO', 'nZiWEhv5BM1A', 'otaXnJDeCujbweG', 'ndG4CvjrtKjh', 'CgfYC2u', 'nJeZmJG5m2HfuLrmta', 'nte2otbXEKPIrw4', 'mtjltwXpq2G', 'mZK2txzoyNPJ', 'ndb1rKjoz1K', 'B3bLBG', 'nJm3nvHvzgzYCq', 'CMvZCg9UC2vuzxH0', 'C2vUza', 'mJmWodrSreTzDNO', 'C2v0DgLUz3m', 'otj1BMLvtxe'];
a4_0x2acc = function() {

One of these should be the beacon, but I’ve tried them all and haven’t got it right…
Could you help me?

Even I was stuck at that point, lol.

I got stuck on this one a lot longer than needed because I was changing the HTTP verb from GET to POST manually.

The problem is that I did not add the Content-Type header, which is needed for POST/PUT/PATCH requests. Otherwise the POST parameters are not delivered.

That is why it is said everywhere to “use the Burp/ZAP option to change the request method”, because those tools automatically update the header accordingly.

Now ZAP also updates the Content-Type header.
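As an added illustration (not code from the Academy module or from anyone in this thread), here is a small Python model of the two things the thread turns on: why a hand-edited POST without a Content-Type header delivers no parameters, and how the mismatch in the quoted PHP snippet (filter reads $_POST, command uses $_REQUEST) lets one verb through. The PHP request-parsing behaviour is simplified; the handler variants that check $_GET or $_REQUEST are assumptions added here to show the general pattern, since the exercise's real server-side code is not on this page. The request bodies are constructed, not captured traffic.

```python
import re
from urllib.parse import parse_qs

FORM = "application/x-www-form-urlencoded"
# The character whitelist from the PHP snippet quoted earlier in the thread.
FILTER = re.compile(r"[^A-Za-z0-9. _-]")


def php_superglobals(method, target, headers, body=""):
    """Simplified model of how PHP fills $_GET, $_POST and $_REQUEST.

    $_GET always comes from the query string.  $_POST is only filled for a
    POST whose body is declared form-encoded (PHP also parses
    multipart/form-data, which this model leaves out).  $_REQUEST merges
    both, POST winning, as with PHP's default request_order.
    """
    query = target.partition("?")[2]
    get = {k: v[-1] for k, v in parse_qs(query, keep_blank_values=True).items()}
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    post = {}
    if method == "POST" and ctype == FORM:
        post = {k: v[-1] for k, v in parse_qs(body, keep_blank_values=True).items()}
    return {"GET": get, "POST": post, "REQUEST": {**get, **post}}


def handle(sg, checked):
    """Mirror of the quoted PHP handler.

    `checked` names the superglobal the filter inspects ("POST" in the
    snippet on this page; "GET" and "REQUEST" are variants assumed here).
    The command is always built from $_REQUEST, as in the snippet.
    Returns the command string that would reach system(), the denial
    message, or None when no filename parameter arrived at all.
    """
    if "filename" not in sg["REQUEST"]:
        return None
    if not FILTER.search(sg[checked].get("filename", "")):
        return "touch " + sg["REQUEST"]["filename"]
    return "Malicious Request Denied!"


# Constructed payload, URL-encoded the way a proxy would send it.
ENCODED = "filename=file%3B+cp+%2Fflag.txt+.%2F"


def scenarios():
    """Run the request shapes discussed in the thread through the model."""
    get_req = php_superglobals("GET", "/index.php?" + ENCODED, {})
    # Hand-edited POST: verb changed, body moved, but no Content-Type header.
    bare_post = php_superglobals("POST", "/index.php", {}, ENCODED)
    # What Burp's "Change request method" produces: header added with the body.
    form_post = php_superglobals("POST", "/index.php", {"Content-Type": FORM}, ENCODED)
    return {
        "get_vs_post_check": handle(get_req, "POST"),
        "bare_post_vs_post_check": handle(bare_post, "POST"),
        "form_post_vs_post_check": handle(form_post, "POST"),
        "form_post_vs_get_check": handle(form_post, "GET"),
        "get_vs_request_check": handle(get_req, "REQUEST"),
        "form_post_vs_request_check": handle(form_post, "REQUEST"),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:28s} -> {result!r}")
```

The bare POST produces no filename at all, which is the "parameters are not delivered" symptom above: without the Content-Type header the body is never parsed into $_POST, and nothing is in the query string either. With the header added, the filter sees the payload and denies it when it checks the same superglobal the parameter arrived in, but a request on the verb the filter does not inspect reaches system() with the semicolon intact. In the quoted snippet that unchecked verb is GET; in the thread's exercise the working bypass was POST, which corresponds to the GET-checking variant. The fix is the same either way: validate the same variable the command is built from.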