Hi, in this write-up we're going to exploit a command injection vulnerability on TryHackMe.
Command injection occurs when server-side code in a web application makes a system call on the hosting machine and builds that call from input received from the client. An attacker who controls the input can append their own operating system commands and have the server execute them.
When client input is used to build a system command on the server, the vulnerability takes one of two forms:
"Blind Command Injection" or "Active Command Injection".
The difference is that with active command injection the output of the executed command is returned to the browser, whereas with blind injection nothing comes back, so you need another way to learn whether (and what) the command executed. Two common tricks: redirect the command's output into a file with ">" (a redirect, not a pipe) and read the file afterwards, for example `whoami > result.txt`; or inject a command that takes a measurable amount of time, such as `ping -c 10 <target>`, and check whether the response is delayed by roughly that many seconds (each `-c` count adds about one second of delay).
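As an added example (not code from this write-up or from the TryHackMe room), here is a toy shell "ping lookup" handler written the vulnerable way beside a hardened version, with probes for the active, time-based blind and redirect-based blind cases described above. `echo` stands in for `ping` and `sleep` for the ICMP delay so that it runs offline; the function names and the `example.com` input are assumptions.

```shell
#!/bin/sh
# Added example: a constructed "ping lookup" handler, not the THM room's code.
# `echo` stands in for `ping` so the script runs without network access.

# Vulnerable: the input is spliced into a command string and re-parsed by the
# shell, so metacharacters in the input (; & | > $( ) `) become extra commands.
lookup_vulnerable() {
    eval "echo pinging $1"
}

# Hardened: allow-list the characters a hostname may contain, then pass the
# value as a single argument instead of letting the shell re-parse it.
lookup_hardened() {
    case "$1" in
        ""|*[!A-Za-z0-9.-]*) echo "rejected: $1" >&2; return 1 ;;
    esac
    echo pinging "$1"
}

# Active injection: the injected command's output comes straight back in the
# response. Prints 1 if the marker line appeared, 0 otherwise.
active_probe() {
    lookup_vulnerable "$1; echo injected" | grep -c '^injected$'
}

# Blind injection, time-based: inject `sleep N` (`ping -c N` plays the same
# role on the THM box) and check whether the response is delayed by about N
# seconds. $1 = handler function, $2 = seconds.
blind_time_probe() {
    start=$(date +%s)
    "$1" "x; sleep $2" >/dev/null 2>&1 || true
    end=$(date +%s)
    [ $((end - start)) -ge "$2" ] && echo delayed || echo not-delayed
}

# Blind injection, redirect-based: send the command's output to a file with
# `>` and read it back afterwards (on a web server you would fetch the file
# from the web root). $1 = handler function.
blind_redirect_probe() {
    out="$(mktemp)"
    "$1" "x; id > $out" >/dev/null 2>&1 || true
    if [ -s "$out" ]; then echo readable; else echo empty; fi
    rm -f "$out"
}

# Stand-alone demonstration.
lookup_vulnerable 'example.com; echo injected'
echo "time probe (vulnerable): $(blind_time_probe lookup_vulnerable 2)"
echo "redirect probe (vulnerable): $(blind_redirect_probe lookup_vulnerable)"
lookup_hardened 'example.com; echo injected' || echo "hardened handler refused the payload"
```

The hardened handler fails closed: a payload containing `;`, `&`, `>` or a space never reaches the shell, so both blind probes report nothing and the time-based probe returns immediately. In a real application the same two rules apply: validate input against an allow-list and pass it as an argument vector rather than a command string.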
There you go! That gives the answer to the first question: inject "& ping -c 10" so the server runs the ping, and the response is delayed by about ten seconds.
The second question asks us to try to redirect output. You can do that with ">", which saves the command's result to a file on the server that you then read back, for example: `ls -al > result.txt`.
In TryHackMe this returns a Bootstrap alert with the status "Error", and that status is the answer to the second question. Questions #3, #4 and #5 work the same way: enter what the challenge asks for and base your answer on the status shown in the alert.
For active command injection, a quick `ls` lists the files in the current directory; the result is the text file "drpepper.txt".
Next it asks:
How many non-root/non-service/non-daemon users are there? The `id` command only shows the account the app itself is running as; to count users, read /etc/passwd and look for accounts with a UID of 1000 or higher (other than nobody). On this box there are none, so the answer is "0".
What user is this app running as?
Just type the `whoami` command to print the current user.
What is the user's shell set as?
Read the /etc/passwd file and look at the last field of that user's line:
/***/***/nologin
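As an added example (not from this write-up or the TryHackMe box), here is a constructed /etc/passwd containing only root, service and daemon accounts, with two small helpers that answer the user-count and user-shell questions above. The sample file, the `www-data` lookup and the function names are assumptions; `awk` is used because it is what you would type into the injected command.

```shell
#!/bin/sh
# Added example: a constructed /etc/passwd, not the box's real file.
SAMPLE_PASSWD="$(mktemp)"
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
EOF

# Non-root/non-service/non-daemon users: on Debian/Ubuntu, human accounts get
# UIDs from 1000 upwards; nobody (65534) is reserved for unprivileged daemons
# and is excluded. Field 3 of a passwd line is the UID.
count_human_users() {
    awk -F: '$3 >= 1000 && $3 != 65534 { n++ } END { print n + 0 }' "$1"
}

# Login shell of one user: field 7 of the matching passwd line. A shell of
# /usr/sbin/nologin (or /bin/false) means the account cannot log in
# interactively, which is what you expect for a web server's account.
user_shell() {
    awk -F: -v u="$2" '$1 == u { print $7 }' "$1"
}

count_human_users "$SAMPLE_PASSWD"      # 0 for the sample above
user_shell "$SAMPLE_PASSWD" www-data    # /usr/sbin/nologin
```

On the target you would run the same `awk` lines against the real `/etc/passwd` through the injection point; `cat /etc/passwd` works too, but the filters save you from counting the service accounts by eye.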
Print out the MOTD. What favorite beverage is shown?
Just read the drpepper.txt file (the message of the day itself is normally stored in /etc/motd).
Get the flag! 😇😇
Just use `find` to locate the flag on the system (the `2>/dev/null` hides permission-denied noise from directories the web user cannot read):
find / -type f -name "flag.txt" 2>/dev/null
65fa0513383ee486f89450160f3aa4c4

