HTB Academy - Command Injections

"Find the output of the following command using one of the techniques you learned in this section: find /usr/share/ | grep root | grep mysql | tail -n 1"

Has anyone completed this recently?
I feel like I have the code needed for this, but I cannot get the answer correct.

I have written - find /usr/share/ | grep root | grep mysql | tail -n 1
replacing:
starting with %0a for newline
space = %09
| = <<<
reversed the forbidden words

I’m getting the result if I remove | tail -n 1 part, but the last answer filepath is not the answer they’re looking for.
I’m not sure if the code is capturing, or is supposed to catch, both of the greps as AND or OR. I feel like I get the same answer if I just grep ‘root’ or ‘mysql’ alone. Is the code even correct here: find /usr/share/ | grep root | grep mysql | tail -n 1

Thanks for help in advance!

It has been a while, but I recommend trying the encoding method they mention in that section. I think it translates better; trying to replace all the pipes didn’t seem to work at all for me.
-onthesauce

I even went as far as to copy the output of: find /usr/share/ | grep root → text file

then:

cat x.txt | grep mysql | tail -n 1
/usr/share/vim/vim81/syntax/mysql.vim

But it does not seem to be the correct one, I’m at a loss here haha

Hey there!
I know this is late but I just solved this after about 2 hours of head-banging. Not sure if you are still interested, but if so:

There are two main paths we can try - reversing and encoding. A good general rule is to follow the process of changing the command but first testing it on the CLI to make sure it works there. Also test after every iteration - this helps you to determine where, if anywhere, the issue is.

Here for example is a case where the command is so complex that when we reverse it and test it on CLI it does not work. Reversing works well for simple commands, but more complex ones “break”, and thus don’t get executed properly.

So the path here was with encoding but I struggled for a long time for it to work, ultimately I had to make sure of the following:

  1. For some strange reason, encoding it on the CLI did not work. Instead, I used base64encode.org. It produced the same output but shorter; unsure why the CLI encode did not work, but will follow up.
  2. Both the bash and base64 commands in the payload were blacklisted, so break them up. I tried \\ which did not work, but $@ did work.
  3. Finally, the simplest issue took the longest to solve. There is a space in the final payload which was being blocked! It seemed so simple and far back that I overlooked this. So replace space with ${IFS}.

Final solution: %0abas$@h<<<$(ba$@se6$@4${IFS}-d<<<ENCODED_COMMAND)

Obvs just replace ‘ENCODED_COMMAND’ with the actual encoded command; no need to alter it before encoding, simply C+P as is.

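From the defender's side of this thread: the added Python example below (not from the HTB module or from anyone in this thread) reproduces why a raw-string blacklist misses the payload shape above, and how normalizing the input first (URL-decoding, dropping the empty "$@" expansion, mapping ${IFS} and tabs back to spaces) catches it. The blacklist, the sample values and the scan helper are constructed assumptions, not the lab's real filter or logs.

```python
import re
from urllib.parse import unquote

# Constructed blacklist in the spirit of the lab's filter (not its real rules).
BLACKLIST = ["bash", "base64", "find", "grep", " ", "|", ";", "\n"]

def naive_blocked(value: str) -> bool:
    """Substring match on the raw parameter, as a naive filter does."""
    return any(token in value for token in BLACKLIST)

def normalize(value: str) -> str:
    """Undo the evasion tricks discussed in the thread so the string reads
    the way the shell will actually execute it: URL-decode, drop the empty
    "$@" expansion, turn ${IFS}/$IFS and tabs back into spaces, and drop
    escaping backslashes ("fi\\nd" -> "find")."""
    s = unquote(value)                      # %0a -> newline, %09 -> tab
    s = s.replace("$@", "")                 # bas$@h -> bash, ba$@se6$@4 -> base64
    s = re.sub(r"\$\{?IFS\}?", " ", s)      # ${IFS} and $IFS both stand for a space
    s = s.replace("\t", " ")                # tab used as a space substitute
    s = re.sub(r"\\(?=\w)", "", s)          # backslash inside a word is a no-op
    return s

def normalized_blocked(value: str) -> bool:
    """Apply the same blacklist, but to the normalized form."""
    return naive_blocked(normalize(value))

# Constructed sample values for the lab's "ip" parameter (hypothetical log
# entries). The second is the payload shape from the post above, with
# ENCODED_COMMAND left as the placeholder the post uses; the third combines
# the %09-for-space and backslash tricks mentioned earlier in the thread.
SAMPLES = {
    "benign": "127.0.0.1",
    "thread_payload": "127.0.0.1%0abas$@h<<<$(ba$@se6$@4${IFS}-d<<<ENCODED_COMMAND)",
    "tab_and_backslash": "127.0.0.1%0afi\\nd%09/usr/share/",
}

def scan(samples: dict) -> dict:
    """Return {name: (naive_verdict, normalized_verdict)} for each sample."""
    return {name: (naive_blocked(v), normalized_blocked(v)) for name, v in samples.items()}

if __name__ == "__main__":
    for name, (naive, norm) in scan(SAMPLES).items():
        print(f"{name:18} naive={naive!s:5} normalized={norm!s:5} -> {normalize(SAMPLES[name])!r}")
```

A production check would additionally try to base64-decode the here-string operand after normalization, since the blacklist cannot see inside the encoded command itself.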

thanks!!