Introduction
This article covers the Command Injection room in TryHackMe’s Junior Penetration Tester path. The room explains command injection, a vulnerability that lets an attacker run operating-system commands through an application’s inputs. It walks through the exploitation process, showing how an attacker appends commands to a user-supplied value (e.g., an IP address) to run arbitrary commands on the host, and then covers obtaining a reverse shell and preventing command injection (e.g., input validation). The room’s exercises guide users through identifying injected commands and understanding how to secure applications against this vulnerability.
To begin with, let’s first understand what command injection is. Command injection is the abuse of an application’s behaviour to execute commands on the operating system, using the same privileges that the application is running with. For example, achieving command injection on a web server running as a user named joe will execute commands as joe, and therefore with whatever permissions joe has.
What is Command Injection Vulnerability?
A command injection vulnerability is also commonly described as “Remote Code Execution” (RCE), because an attacker can make the application run payloads they supply without having direct access to the machine (i.e. an interactive shell). The web server processes the injected command and executes it under the privileges and access controls of the user the application runs as. Strictly speaking, OS command injection is one route to RCE rather than a synonym for it, but the practical effect is the same: the attacker can interact directly with the vulnerable system. These vulnerabilities are therefore among the most valuable to an attacker; for example, an attacker may read system or user files, application data, and things of that nature.
For example, being able to abuse an application into running the command whoami, to find out which user account the application runs as, is an example of command injection.
Command injection was one of the top ten vulnerabilities reported in Contrast Security’s AppSec intelligence report in 2019 (Contrast Security AppSec, 2019). Moreover, the OWASP Top Ten consistently lists injection, which includes OS command injection, among the top ten risks to a web application (OWASP).
Exploitation Methodology
Initial Setup and Exploration:
- Once the machine is deployed, the application’s input box expects an IP address. Entering a valid IP triggers a system ping, and the returned output shows how the command is being executed, which is what allows attackers to attempt command injection.
Command Injection Exploitation:
- By appending a command separator (e.g., ; or &&) followed by another command, arbitrary commands are executed. For example, adding id after the IP returns the user and group IDs of the account running the application, confirming the vulnerability.
- Commands like cat /etc/passwd are used to read sensitive files. Attempts to read /etc/shadow fail due to permission restrictions, indicating that the application’s user lacks root privileges.
Gaining a Reverse Shell:
- The goal is to obtain a reverse shell: start a listener on the attacker’s machine, then inject a netcat command so that the target connects back, providing shell access to explore further.
Preventing Command Injection:
- The video discusses prevention methods, such as sanitising input, using a regular expression to restrict the input to digits only (for an IP address field, digits and dots), and using PHP’s filter_input function for validation.
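The following is an added example and not the room’s own code (the room’s vulnerable application is written in PHP). It is a Python model of the same ping-an-IP handler, showing the vulnerable shell-splicing pattern exploited in the steps above, a deny-list filter that strips the two separators the room demonstrates but is still bypassable, and the allow-list fix (validate the value as an IP address, pass an argument vector, never invoke a shell) that corresponds to the filter_input advice. The function names, the deny-list filter and the payloads are assumptions made for this example; echo INJECTED stands in for the id command so that the demo works even where ping is not installed or has no network.

```python
"""Added example: a Python model of the room's 'ping an IP address' handler.

Not the TryHackMe room's own code. Function names, the deny-list filter and
the sample payloads are assumptions made for this page.
"""
import ipaddress
import subprocess


def ping_vulnerable(ip: str) -> str:
    """Vulnerable pattern: the user string is spliced into a shell command line.

    /bin/sh parses the whole string, so ';', '&&', '|', '`' or '$()' in the
    input starts a second command that runs as the web server's user.
    """
    completed = subprocess.run(
        f"ping -c 1 {ip}", shell=True, capture_output=True, text=True
    )
    return completed.stdout


def deny_list_filter(ip: str) -> str:
    """A tempting but wrong fix: strip only the separators the room shows.

    Other shell metacharacters (a pipe, backticks, $(), a newline) still get
    through, so this is bypassable. Kept here only to show the failure mode.
    """
    return ip.replace("&&", "").replace(";", "")


def validate_ip(ip: str) -> str:
    """Allow-list validation: accept only a literal IPv4 or IPv6 address.

    Same idea as PHP's filter_input(..., FILTER_VALIDATE_IP): anything that is
    not an address, including an address followed by metacharacters, is
    rejected outright rather than 'cleaned'.
    """
    try:
        return str(ipaddress.ip_address(ip.strip()))
    except ValueError:
        raise ValueError(f"not an IP address: {ip!r}") from None


def ping_argv(ip: str) -> list[str]:
    """Build the argument vector for the hardened handler.

    Each element becomes one argv entry for execve(); no shell ever sees the
    string, so metacharacters carry no meaning even if validation slipped.
    """
    return ["ping", "-c", "1", validate_ip(ip)]


def ping_hardened(ip: str) -> str:
    """Hardened pattern: validated input, argument vector, shell=False."""
    completed = subprocess.run(ping_argv(ip), capture_output=True, text=True)
    return completed.stdout


if __name__ == "__main__":
    # Constructed payloads. 'echo INJECTED' stands in for the room's 'id'.
    payload = "127.0.0.1; echo INJECTED"
    print("vulnerable:", ping_vulnerable(payload).strip())
    bypass = deny_list_filter("127.0.0.1 | echo INJECTED")
    print("deny-list :", ping_vulnerable(bypass).strip())
    try:
        ping_hardened(payload)
    except ValueError as exc:
        print("hardened  :", exc)
```

Two points worth noticing when running it. The ; separator runs the injected command whether or not ping succeeds, whereas && only runs it if ping exits 0, which is why a tester tries several separators rather than just one. And the hardened handler is safe because the shell is gone and the only user-controlled argv entry has been proven to be an address; the ping binary still runs as the web server’s user, but its own options are not reachable from the input because argv is fixed.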
Questions and Key Terms:
- Questions include identifying the user running the application and locating a hidden flag in /home/tryhackme/flag, found by navigating the reverse shell.
Pathway Progression:
- The video concludes with the creator outlining upcoming tasks in the pathway, including Burp Suite and network security challenges.
TryHackMe Command Injection | Room Answers
What HTTP method is used to retrieve data submitted by a user in the PHP code snippet?
If I wanted to execute the id command in the Python code snippet, what route would I need to visit?
What popular network tool would I use to test for blind command injection on a Linux machine?
What payload would I use to test a Windows machine for blind command injection?
What are the contents of the flag located in /home/tryhackme/flag.txt?