Home Command Injection
Post
Cancel

Command Injection

Learn about a vulnerability allowing you to execute commands through a vulnerable app, and its remediations.

THM Room https://tryhackme.com/room/oscommandinjection

TASK 1 : Introduction (What is Command Injection?)

Read me!

No Answer

TASK 2 : Discovering Command Injection

What variable stores the user’s input in the PHP code snippet in this task?

Answer : $title

What HTTP method is used to retrieve data submitted by a user in the PHP code snippet?

Answer : GET

If I wanted to execute the id command in the Python code snippet, what route would I need to visit?

Answer : /id

TASK 3 : Exploiting Command Injection

What payload would I use if I wanted to determine what user the application is running as?

Answer : whoami

Answer : ping

What payload would I use to test a Windows machine for blind command injection?

Answer : timeout

TASK 4 : Remediating Command Injection

What is the term for the process of “cleaning” user input that is provided to an application?

Answer : sanitisation

TASK 5 : Practical: Command Injection (Deploy)

What user is this application running as?

Firstly i tested the given example 127.0.0.1 and i got :

DiagnoseIT DiagnoseIT

Then i tried directly the payload “whoami” but it got filtered :

Whoami Whoami

I finally escape the filter by prepend “ls&” to my payload to get the answer to the whoami :

Whoami escaped Whoami escaped

Answer : www-data

What are the contents of the flag located in /home/tryhackme/flag.txt?

I saw the input was filtered so an example payload here is : “ls&cat /home/tryhackme/flag.txt”

Falg Flag

Answer : THM{COMMAND_INJECTION_COMPLETE}

TASK 6 : Conclusion

Terminate the vulnerable machine from task 5

No Answer

This post is licensed under CC BY 4.0 by the author.