This room broken down into what seems like several days of material. We'll try and do our best to go through and "update" as we go along.
This section covers Command Injection. Examples given are SQLi (SQL Injection) and arbitrary command execution. These can be defined as follows:
SQLi
This occurs when user controlled input is passed to SQL queries. As a result, an attacker can pass in SQL queries to manipulate the outcome of such queries.
Command Execution
This occurs when user input is passed to system commands. As a result, an attacker is able to execute arbitrary system commands on application servers.
Reference for reverse shells for code execution:
Some provided examples of commands we can try executing if we think there is a shell present:
Linux
whoami
id
ifconfig/ip addr
uname -a
ps -ef
Windows
whoami
ver
ipconfig
tasklist
netstat -an
We access the PHP reverse shell that is provided for us to start running through some normal commands we might use on an already open and available system.
For this we can use the command:
We can even add switches to it if need be, such as:
Sift through the available files in this location and provide the answer that seems most obvious. The files / directories we are provided with are separated by spaces.
This was a fun one. It took me a minute, but I remembered that we can review the shadow file in order to see what users / accounts have /bin/bash access to a login shell on the system.
In the PHP Reverse shell I ran:
Then took the results into Visual Studio Code to try and space things out for easier review. Remember, we're looking for users who are non-root/non-service/non-daemon accounts.
Pretty simple question for us here, just run:
This kind of takes us back to question 2 where we reviewed who all has a login shell, or shell access on the system.
We can easily bring back up the /etc/passwd file and review
Look for the type of "shell" this user has and we're all set!
For this question we can review the notes from a previous room we've done - Linux Challenges
Long story short, we can use the following command to find the version information:
Another callback to Linux Challenges where we see that the MOTD can be located by running:
This was an interesting question to determine the why this exploit works. What I ended up doing was intercepting the traffic when I logged into my user " darren". What Burp Suite showed me was that it url-encoded the " " to be equivalent to "+darren".
With SQL not being set to properly sanitize my input, it ended up making a new user " darren" WITH the imported account settings from "darren".
Supporting material:
Some databases can be stored in a flat-file, this format might usually be an SQLite file. To interact with this flat-file database we can run through the following:
From here we can see the tables in the database by using the .tables command:
We can then see what information is inside the table in order to help us further query our data.
I ended up finding this by browsing around in the source code on the home page. Looks like we are able to access the sites assets directly. However, I intended to also review the source on /login which has a decent bit of intel there too ;)
This is the ever so clear flat-file database!
Download the database file, open a terminal and we can get to some cracking.
After we review the table info, we are easily able to understand which column has our users md5 hash for the password.
Grab the hash, throw it into the crackstation site. Inversely if you have hashcat installed we can do the following:
Essentially the breakdown of our command is as follows:
-m 0
This will use md5 as the hash algorithm
hashes
The name of our file which contains the hashes we are looking to crack
/usr/share/wordlists/rockyou.txt
The wordlist which we are comparing our hashes against
If you happened to NOT have your rockyou.txt in the above directory you can use the following find command to locate a few files which may work.
Reference and review to for login shell and "listing users in Linux":
A useful online tool for cracking simple hashes -
A solid breakdown of the above command can be found .