
Command Injection (Tryhackme and Owaspbwa)

Linux, Networking & Security are the domains of my interest.


Normal Usage of Web Applications

Let’s say the stories are stored as .txt files on the server. When a person types the story name “Story1”, the server reads the content of the Story1.txt file and outputs it back to the web page.


Problem — the website hands the story name to its operating system without filtering which characters and commands the user input may contain.

Ex. Let’s say this application reads the content of the text file with the help of the “cat” command, i.e. we type in the story name, the server runs cat on that file, reads the output, and sends it back to the web application.


General Form

Concatenation of commands with normal input → if the input is unfiltered → the server returns the normal output along with the output of the concatenated commands.
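The general form above, as an added Python example (this is not code from the article or from TryHackMe): a story reader written the way the article describes, with the name concatenated into a “cat” command, beside a hardened version that allowlists the name and opens the file without any shell. The directory, the story file and the function names are constructed for the demo.

```python
"""Added example, not code from the article: the story reader described in the
General Form, first as the vulnerable pattern (user input concatenated into a
shell command) and then hardened (allowlisted name, file opened with no shell).
The directory, file and story text are constructed for the demo."""
import os
import re
import subprocess
import tempfile

# Constructed sample data: a directory holding Story1.txt, as in the article.
STORY_DIR = os.path.realpath(tempfile.mkdtemp(prefix="stories_"))
with open(os.path.join(STORY_DIR, "Story1.txt"), "w") as fh:
    fh.write("Once upon a time...\n")


def read_story_vulnerable(name: str) -> str:
    """Vulnerable: 'cat <dir>/<name>.txt' is built by string concatenation and
    handed to /bin/sh, so ';', '&', '|' etc. inside 'name' are interpreted as
    command separators, exactly as the article's general form shows."""
    cmd = "cat " + os.path.join(STORY_DIR, name) + ".txt"
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


# Allowlist for the hardened reader: letters, digits, '_' and '-' only.
STORY_NAME = re.compile(r"[A-Za-z0-9_-]{1,32}")


def read_story_safe(name: str) -> str:
    """Hardened: reject anything outside the allowlist, then open the file
    directly. No shell runs, so there is nothing for a separator to inject into."""
    if not STORY_NAME.fullmatch(name):
        raise ValueError(f"invalid story name: {name!r}")
    path = os.path.realpath(os.path.join(STORY_DIR, name + ".txt"))
    # Defence in depth: the resolved path must still be inside STORY_DIR.
    if os.path.commonpath([STORY_DIR, path]) != STORY_DIR:
        raise ValueError("path escapes the story directory")
    with open(path) as fh:
        return fh.read()


def safe_reader_rejects(name: str) -> bool:
    """True if the hardened reader refuses 'name' before touching any file."""
    try:
        read_story_safe(name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # A name with a separator appended: the vulnerable reader runs both commands,
    # the hardened one refuses the name before anything is executed.
    injected = "Story1.txt; echo INJECTED; #"
    print("vulnerable:", repr(read_story_vulnerable(injected)))
    print("hardened rejects it:", safe_reader_rejects(injected))
    print("hardened normal use:", repr(read_story_safe("Story1")))
```

The point of the hardened reader is not the regex alone: even a perfect filter still leaves a shell in the loop, whereas opening the file directly removes the shell, so there is no command line for the input to become part of.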


Now let’s begin with our today’s challenge.

TryHackMe (OWASP TOP 10 [Task 5])

If this is your first time working on TryHackMe and you don’t know how to set it up then, check out the bonus resource section at the end.

Navigate to: https://tryhackme.com/room/owasptop10 → Task 5


BOOM!!! command injected

But what if it’s a Blind Injection?

Blind Injection — the application is vulnerable to command injection, but the output of the injected commands is not shown on the page.

Then how do we identify it?

We can ping our Kali machine from the target machine and capture the traffic with Wireshark; if the ping packets the target sends to us show up, the injected command ran even though the page shows no output.

Let's test it out:

1. Open Wireshark (‘$ sudo wireshark’) & select tun0 (the VPN interface connected to the vulnerable machine)

2. Ping your Kali machine’s IP address.


3. Ping our machine.


4. Wireshark and web application output

(I had to reconnect to the VPN, which changed Kali’s IP provided by the VPN to 10.10.177.137)
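The same confirmation seen from the server side, as an added Python example that is not part of the article: a small scanner over web-server access log lines that URL-decodes each query parameter and flags shell separators such as ‘;’ and ‘&’, including the ping-to-an-outside-host pattern used above to confirm a blind injection. The log lines, paths and addresses are constructed for the example, not captured from TryHackMe.

```python
"""Added example, not code from the article: a detector a defender can run over
web-server access logs to spot the command-separator patterns the article uses.
The log lines below are constructed, not captured from TryHackMe."""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample access log (Apache/Nginx 'combined'-style request lines).
# Line 2 chains a second command with an encoded ';' (%3B); line 5 is the
# blind-injection style ping to an outside host chained with an encoded '&'
# (%26). Line 4 is a POST: its parameters travel in the body, which access
# logs do not record (see the note after the code).
SAMPLE_LOG = """\
10.10.1.5 - - [01/Jan/2022:10:00:01 +0000] "GET /stories.php?story=Story1 HTTP/1.1" 200 300
10.10.1.5 - - [01/Jan/2022:10:00:07 +0000] "GET /stories.php?story=Story1%3B+id HTTP/1.1" 200 512
10.10.1.9 - - [01/Jan/2022:10:01:15 +0000] "GET /stories.php?story=Story2 HTTP/1.1" 404 150
10.10.1.7 - - [01/Jan/2022:10:02:40 +0000] "POST /dvwa/vulnerabilities/exec/ HTTP/1.1" 200 1500
10.10.1.7 - - [01/Jan/2022:10:03:02 +0000] "GET /ping.php?ip=127.0.0.1%26ping+-c+4+10.10.99.99 HTTP/1.1" 200 100
"""

# Source address, timestamp, method, request target and status from one line.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Shell control operators and substitutions that chain or embed a command.
SHELL_OPS = re.compile(r"(;|&&?|\|\|?|`|\$\(|\$\{|\r|\n)")


def decoded_params(target: str):
    """Yield (name, value) pairs from the query string. parse_qsl decodes once;
    the extra unquote_plus peels one level of double encoding off the value."""
    for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        yield key, unquote_plus(value)


def scan_log(text: str) -> list:
    """Return one finding per parameter value that contains a shell operator."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for key, value in decoded_params(m["target"]):
            hit = SHELL_OPS.search(value)
            if hit:
                findings.append({"src": m["src"], "ts": m["ts"], "param": key,
                                 "value": value, "operator": hit.group(1)})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} param={f['param']} "
              f"op={f['operator']!r} value={f['value']!r}")
```

Two caveats a practitioner would want: POST parameters (the DVWA form later in this article is one) never reach an access log, so the check has to run in the application or a WAF for those endpoints, and after decoding a legitimate ‘&’ or ‘|’ inside a parameter value is rare but possible, so treat a hit as something to review rather than block on its own.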


If not a blind injection


Task 5 Solution

1. What strange text file is in the website's root directory?


2. How many non-root/non-service/non-daemon users are there?


There are 0 non-root/non-service/non-daemon users on this machine.

3. What user is this app running as?

Simply type whoami → www-data

4. What is the user’s shell set as?

The user’s shell is set to → /usr/sbin/nologin


5. What version of Ubuntu is running?

18.04.4


6. Print out the MOTD. What favorite beverage is shown?

Look for the hint (because this question is tricky).


Hmm, it looks like a file to me, so let’s check it out.


Indeed, it is a file, so let’s print out its content.


OWASPBWA

(Vulnerable Machine Link and setup video in the bonus resources)

1. Running a PHP Reverse Shell


Normal Usage:


If we run nslookup in our own terminal:


It’s almost the same as the output we get in the web app, so maybe it’s vulnerable to command injection.


BOOM!!! Injected

Now let’s try to establish a reverse shell with the target system

As all the files listed by “ls” are .php files, the web server is probably running PHP, and we can find one-line bash/PHP reverse shell commands online, like:


(Creation of a socket object; the IP address is that of our Kali machine and 1234 is the port on Kali we want to connect back to. The second part of the command is what we want to execute: in our case it executes the bash shell, so we can run whatever commands we want.)

But first, we need to listen for the incoming connection, then execute the command on the web page and...


nc → netcat

-lvp → listen (-l), verbosely (-v), on port (-p) 1234; with no address given, netcat listens on all of Kali’s interfaces.

Done !!!!

2. Bypassing Input Filter and Executing Command

Navigate to this link


You should see something like this


Make sure the security level (bottom left corner) is set to Low.

Normal Usage:


Here is our command injection


NOW SET THE SECURITY LEVEL TO MEDIUM by going to the DVWA Security option in the left column.


Nothing happens :( :( :(

Now check the source code (bottom right) to see how the input is filtered.


Both of the symbols are substituted with ‘ ’, so what can we do?

We can use ‘&’

What Is ‘&’ in the Terminal?

A single ‘&’ tells the shell to run the preceding command in the background and immediately go on to whatever follows it, so it chains two commands just as ‘;’ and ‘&&’ do, and a filter that only removes those two symbols does not stop it.


Hoorah!!! we did it
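Why the medium-level filter fails and what works instead, as an added Python example (not DVWA’s source code): a blacklist that blanks two tokens, in the style of the substitution found above, beside an allowlist that accepts only an IP address and builds the ping command as an argument list with no shell. Which two tokens the blacklist removes (‘&&’ and ‘;’) is an assumption made for the demo; the inputs are constructed.

```python
"""Added example, not DVWA's source: a blacklist filter in the style the article
finds at the medium level, beside an allowlist. The two blanked tokens are an
assumption for the demo; inputs are constructed."""
import ipaddress
from typing import List

# Assumed blacklist: each token is replaced with an empty string, in this order.
BLACKLIST = ("&&", ";")


def blacklist_filter(target: str) -> str:
    """Blank the blacklisted tokens and pass everything else through untouched."""
    for token in BLACKLIST:
        target = target.replace(token, "")
    return target


def survives_blacklist(target: str) -> bool:
    """True if a shell control operator is still present after filtering, i.e.
    the blacklist has not actually removed the danger."""
    filtered = blacklist_filter(target)
    return any(op in filtered for op in ("&", "|", "`", "$(", "\n"))


def validate_target(target: str) -> str:
    """Allowlist: the parameter must parse as one IP address (v4 or v6).
    Operators, hostnames and stray whitespace are all rejected."""
    try:
        return str(ipaddress.ip_address(target.strip()))
    except ValueError:
        raise ValueError(f"not an IP address: {target!r}") from None


def is_valid_target(target: str) -> bool:
    """Convenience wrapper used by the checks below."""
    try:
        validate_target(target)
        return True
    except ValueError:
        return False


def build_ping_argv(target: str) -> List[str]:
    """argv for subprocess.run(..., shell=False): the validated address is one
    argument and is never re-parsed by a shell, so separators cannot work."""
    return ["ping", "-c", "1", validate_target(target)]


if __name__ == "__main__":
    for probe in ("127.0.0.1", "127.0.0.1 && id", "127.0.0.1 & id", "&;&"):
        print(f"{probe!r:22} after blacklist {blacklist_filter(probe)!r:16} "
              f"operator left: {survives_blacklist(probe)!s:5} "
              f"allowlist accepts: {is_valid_target(probe)}")
    # The real call would be subprocess.run(build_ping_argv("127.0.0.1"), timeout=5)
```

The ‘&;&’ probe shows a second problem with sequential substitution: blanking ‘;’ after ‘&&’ has been checked leaves ‘&&’ behind, so the filter can manufacture the very token it was meant to remove. The allowlist side has no such ordering problem because it never tries to enumerate bad input; it only describes the one shape of input the feature needs.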



© 2022 Ashutosh Singh Patel