HackTheBox - Command Injections - Skills Assessment Walkthrough

Ido Abramov
2 min read

Scenario

You are contracted to perform a penetration test for a company, and through your pentest, you stumble upon an interesting file manager web application. As file managers tend to execute system commands, you are interested in testing for command injection vulnerabilities.

Use the various techniques presented in this module to detect a command injection vulnerability and then exploit it, evading any filters in place.

Walkthrough

Enter the provided URL and log in using the supplied credentials:

We can see a File Manager app containing a few files, a 'tmp' folder, and several buttons next to each file - View, Copy to, Direct Link, and Download. There's also a search bar visible.

After examining the available functionalities, we proceed to test the Copy to feature.

Select a random file and click on Copy to:

It displays the source and destination paths along with the 'tmp' folder. Let's click on the folder:

We can now either copy the file or move it from /files to /files/tmp.

After clicking copy, we can see the files in /files/tmp :

Using Burp, let's intercept both the Copy and Move requests. Both include to and from parameters as part of the file path, making them potential candidates for command injection.

First, test the Copy function by attempting to inject a reversed whoami command into the from parameter.

The command did not execute; it was simply reflected back as plain text.

Next, perform the same test on the Move function:

Success! The injected command was executed and returned www-data in the error message.

We have identified an entry point for command injection; now we just need to leverage it to locate the flag.

Let’s use Base64 encoding to bypass filters and execute the command:

The complete payload will be:

$($(base64%09-d<<<bHMgLw==))

** The reason for using $($(base64%09-d<<<COMMAND)) is that the inner $(base64%09-d<<<COMMAND) runs base64 -d on the here-string to decode the encoded original command (%09 is a URL-encoded tab, used in place of a space), and the outer $() then executes the decoded command.
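Why this style of payload slips past a filter, and what a fix looks like, as an added example that is not part of the original walkthrough: a constructed denylist of the kind the encoded payload evades sits beside an allowlist-based path check that never hands user input to a shell (the denylist contents, directory layout and helper names are assumptions, not the target application's code).

```python
import re
import shutil
import tempfile
from pathlib import Path
from typing import Optional

# Constructed inputs: the walkthrough's two payloads (%09 decoded to a tab).
PAYLOADS = ["$($(base64\t-d<<<bHMgLw==))", "$($(base64\t-d<<<Y2F0IC9mbGFnLnR4dA==))"]

# A constructed denylist of the kind these payloads slip past: it blocks the
# space and common separators but not '$(', tabs or the '<<<' here-string.
DENYLIST = (" ", ";", "&", "|", "`", "cat", "ls", "whoami")

def denylist_accepts(value: str) -> bool:
    """True if the naive denylist would let the value through."""
    return not any(token in value for token in DENYLIST)

# Allowlist instead: each path segment must be a plain name, so shell
# metacharacters, whitespace, '.' and '..' are all rejected up front.
SAFE_SEGMENT = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")

def resolve_inside_root(relative: str, root: Path) -> Optional[Path]:
    """Map a user-supplied relative path to a path under root, or None."""
    parts = relative.strip("/").split("/")
    if not all(SAFE_SEGMENT.fullmatch(p) for p in parts):
        return None
    candidate = root.joinpath(*parts).resolve()
    # Defence in depth: a symlink under root must not point outside it.
    return candidate if root.resolve() in candidate.parents else None

def safe_move(src: str, dst: str, root: Path) -> Path:
    """Move a file within root using the filesystem API, never a shell."""
    s, d = resolve_inside_root(src, root), resolve_inside_root(dst, root)
    if s is None or d is None:
        raise ValueError("path rejected")
    shutil.move(str(s), str(d))
    return d

def demo() -> dict:
    """Run a legitimate move in a throwaway directory and check both filters."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "report.txt").write_text("hello")
        (root / "tmp").mkdir()
        moved = safe_move("report.txt", "tmp/report.txt", root)
        return {
            "moved_ok": moved.is_file() and not (root / "report.txt").exists(),
            "denylist_passes_payloads": all(denylist_accepts(p) for p in PAYLOADS),
            "allowlist_rejects_payloads": all(resolve_inside_root(p, root) is None for p in PAYLOADS),
        }
```

The denylist lets both payloads through because it only knows about the characters it was told to look for, whereas the allowlist rejects them before any path is built.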

We can see that the root directory contains a file named flag.txt.

Let's encode the cat /flag.txt command to inject it and retrieve the flag:

$($(base64%09-d<<<Y2F0IC9mbGFnLnR4dA==))

Send the request containing the payload:

The flag has been found! 🤩
