We covered a practical command injection scenario using the TryHackMe Epoch room.
Be honest, you have always wanted an online tool that could help you convert UNIX dates and timestamps! Wait… it doesn’t need to be online, you say? Are you telling me there is a command-line Linux program that can already do the same thing? Well, of course, we already knew that! Our website actually just passes your input right along to that command-line program!
The challenge runs a command-line tool that is accessible from the web, so whatever you type into the form gets executed. The purpose of this room is to get you familiar with the concept of command injection, which is an OWASP Top 10 vulnerability. The problem in this scenario's web application is that user queries are passed to the system directly without proper filtering or input validation.
To exploit this vulnerability, we can run two commands on one line in Linux in two ways: separate them with a semicolon, or put a double ampersand between them. Eventually we can get a shell on the system using a bash reverse shell, which gives us access to the system and lets us retrieve the flag.
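The fix for the flaw described above, as an added example that is not the room's own code: it assumes the backend builds a `date -d @<input>` shell line, and all function names are hypothetical. It shows the concatenation pattern beside two hardened converters that allow-list the input and never invoke a shell.

```python
import re
import subprocess
from datetime import datetime, timezone

# Assumption: the only legitimate input is a non-negative UNIX timestamp
# of at most 11 digits. Anything else is rejected outright.
EPOCH_RE = re.compile(r"[0-9]{1,11}")


def build_vulnerable_command(user_input: str) -> str:
    """The pattern the page describes: raw input concatenated into a shell
    command line. Returned as a string for inspection, never executed here."""
    return "date -d @" + user_input


def parse_epoch(user_input: str) -> int:
    """Allow-list validation: the whole input must be digits, so shell
    separators such as ';' and '&&' can never reach a command."""
    candidate = user_input.strip()
    if not EPOCH_RE.fullmatch(candidate):
        raise ValueError("input is not a UNIX timestamp")
    return int(candidate)


def convert_in_process(user_input: str) -> str:
    """Preferred fix: convert inside the application, no external program."""
    ts = parse_epoch(user_input)
    moment = datetime.fromtimestamp(ts, tz=timezone.utc)
    return moment.strftime("%Y-%m-%d %H:%M:%S UTC")


def convert_with_date(user_input: str) -> str:
    """If date(1) must be used: validated value, argument list, no shell.
    Each list element is passed as one argv entry, so nothing is re-parsed."""
    ts = parse_epoch(user_input)
    result = subprocess.run(
        ["date", "-u", "-d", f"@{ts}", "+%Y-%m-%d %H:%M:%S UTC"],
        capture_output=True, text=True, check=True, timeout=5,
    )
    return result.stdout.strip()


if __name__ == "__main__":
    # Constructed sample inputs: one valid timestamp, two chained commands.
    for sample in ["1700000000", "0; echo injected", "0 && echo injected"]:
        print(repr(build_vulnerable_command(sample)))
        try:
            print("  ->", convert_in_process(sample))
        except ValueError as err:
            print("  -> rejected:", err)
```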