We covered a practical command injection scenario using the TryHackMe Epoch room.
Challenge Description
Be honest, you have always wanted an online tool that could help you convert UNIX dates and timestamps! Wait… it doesn’t need to be online, you say? Are you telling me there is a command-line Linux program that can already do the same thing? Well, of course, we already knew that! Our website actually just passes your input right along to that command-line program!
Room Answers
Epoch Command Injection Vulnerability
I started by looking at a web tool called “Epoch,” which is designed to convert dates and timestamps. The core of the problem is that the application takes user input and passes it straight into a shell command line for a command-line program (on Linux, the date utility does exactly this conversion) without validating or sanitising it. Because the shell interprets metacharacters in that input, this is a classic command injection vulnerability.
Epoch time (Unix time) is the number of seconds elapsed since 00:00:00 UTC on 1 January 1970, and is a standard way computers keep track of time. To exploit the vulnerability, my goal was to make the underlying shell execute two separate commands: the date conversion it was supposed to do, and then my own command right after it.
I explored two common shell operators for chaining commands on one line in Linux:
- A semicolon (`;`) separates commands; the second command runs regardless of whether the first one succeeded.
- Double ampersands (`&&`) execute the second command only if the first one exits successfully.
I then moved on to demonstrating how to get a reverse shell by injecting a bash reverse shell one-liner as the second command, with a Netcat listener already waiting on the attacker machine. After successfully gaining access to the machine, I found myself as the “challenge” user. Interestingly, the flag wasn’t in the usual place in the user’s home directory. Instead, I found it by printing out the environment variables of the process.
Technical Commands Used
Here are the technical commands that were used in the demonstration:
- `id`: injected through the web form, once with the semicolon and once with the double ampersand, to show that an arbitrary command executes and to reveal which user the web service runs as.
- `nc -lvp 4545`: a Netcat listener run on the attacker’s machine, waiting for an incoming connection from the compromised system.
- A bash reverse shell command: the specific IP address and port were modified in the video, but the general structure of the command was shown. The IP address used for the attacker machine in the video was `10.10.39.38`.
- `id`: once I had access to the compromised machine, I ran this command again to confirm the user I was logged in as.
- A command to print environment variables: although not explicitly typed out, the action described strongly suggests a command like `env` or `printenv` was used to find the flag.