🍡[Severity 1] Command Injection

Notes about Command Injection & the practical

Command Injection occurs when server-side code (like PHP) in a web application makes a system call to the host machine and passes user-controlled input into that call. It's a web vulnerability that can allow an attacker to run system commands on the server.

;nc -e /bin/bash - an example payload. The semicolon terminates the command the application intended to run, so the shell then executes what follows: here a reverse shell that takes advantage of the target system's vulnerability to start a shell and give the attacker access to the victim's system.

Blind Command Injection - occurs when the system command made to the server does not return the response to the user in the HTML document.

We can detect Active Command Injection by seeing the output of the system call returned in the response.
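To make the notes above concrete, here is an added example (not code from the original page or the room it describes) of the two patterns side by side in Python: a hypothetical "ping a host" feature that concatenates the user's value into a shell string, the way a PHP page calling system() with a form field would, and a hardened version that validates the value against an allowlist and passes it as a separate argv element so no shell ever parses it. The hostname regex, the function names and the sample inputs are all assumptions made for the example.

```python
import re
import shlex
import subprocess

# Allowlist for the one thing the feature needs: a hostname or dotted IPv4.
# Labels must start and end with alphanumerics, so a leading "-" (option
# injection) and every shell metacharacter are rejected by construction.
HOST_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def vulnerable_shell_string(host):
    """The string a naive implementation would hand to /bin/sh.
    Returned for inspection only; it is never executed here."""
    return "ping -c 1 " + host


def shell_command_count(command):
    """How many separate commands would the shell run for this string?

    shlex in punctuation mode returns ';', '|', '||', '&', '&&' as their own
    tokens, so counting them shows how one input becomes several commands.
    """
    lexer = shlex.shlex(command, punctuation_chars=True)
    lexer.whitespace_split = True
    separators = [t for t in lexer if t in (";", "|", "||", "&", "&&")]
    return len(separators) + 1


def is_safe_host(host):
    """True only if the value matches the hostname/IP allowlist."""
    return bool(HOST_RE.match(host))


def validated_ping_argv(host):
    """Build the argument vector for the hardened version.

    The value is validated first, then placed in its own argv slot. With
    shell=False below, execve receives exactly these strings; a ';' in the
    input can only fail validation, never start a second command.
    """
    if not is_safe_host(host):
        raise ValueError("rejected host value: %r" % (host,))
    return ["ping", "-c", "1", host]


def run_ping(host):
    """Hardened system call: no shell, validated argv, bounded runtime."""
    argv = validated_ping_argv(host)
    result = subprocess.run(argv, capture_output=True, timeout=10)
    return result.returncode


if __name__ == "__main__":
    # Constructed inputs: a benign host and the same host with a second command.
    for value in ("8.8.8.8", "8.8.8.8; id"):
        cmd = vulnerable_shell_string(value)
        print("%-20r -> shell would run %d command(s); allowlisted: %s"
              % (value, shell_command_count(cmd), is_safe_host(value)))
```

The important design choice is that the fix is not escaping but removing the shell: `subprocess.run` with a list and `shell=False` never builds a command line, and the allowlist limits the value to the shape the feature actually needs. The `shell_command_count` helper exists only to show why the semicolon payload in the notes works against the concatenating version.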

Practical

We are first greeted with the vulnerable website, http://10.10.29.177/evilshell.php.


From here, we are able to run various commands to find files and see who is on the system. To answer the first question, I used the command "ls" to list everything in the current directory.

drpepper.txt

The strange file I found in this case was "drpepper.txt" which when read, reads "I love Dr Pepper".

I love Dr Pepper

To find who the user is, I used the "whoami" command.

whoami

Using "cat /etc/passwd", we are able to analyze the output and see that the user's shell is set to "/usr/sbin/nologin".

/usr/sbin/nologin

To find the Ubuntu version, I used the command "lsb_release -a".

Ubuntu 18.04.4

To find the MOTD, we can use the command cat /etc/update-motd.d/00-header.

The output of cat /etc/update-motd.d/00-header

Dr Pepper is the favorite beverage in the script.
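From the defender's side, every command run through the practical's evilshell.php page shows up in the web server's access log as a request with the command in a query parameter. The following is an added example (not part of the original write-up) of a small detector that parses constructed Apache-style access log lines, URL-decodes each query parameter, and flags values that begin with a shell command name or contain a shell metacharacter such as the semicolon used in the notes. The parameter name "cmd", the log lines, the IP addresses and the timestamps are all constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed log lines (not taken from the page). Three requests carry
# commands from the practical, one is an ordinary page request.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2024:10:00:01 +0000] "GET /evilshell.php?cmd=ls HTTP/1.1" 200 512
10.0.0.5 - - [10/Jan/2024:10:00:09 +0000] "GET /evilshell.php?cmd=cat%20%2Fetc%2Fpasswd HTTP/1.1" 200 2048
10.0.0.5 - - [10/Jan/2024:10:00:15 +0000] "GET /evilshell.php?cmd=ls%3Bwhoami HTTP/1.1" 200 64
10.0.0.7 - - [10/Jan/2024:10:01:00 +0000] "GET /index.php?page=home HTTP/1.1" 200 1024
"""

# Common log format: client, ident, user, [timestamp], "METHOD target PROTO", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Characters that let a shell chain, pipe or substitute commands.
META_RE = re.compile(r"[;|&`$]")

# Command names seen in the practical plus a few that commonly appear in
# injection attempts; extend this list for your own environment.
COMMAND_NAMES = {"ls", "cat", "whoami", "id", "uname", "lsb_release",
                 "nc", "bash", "sh"}


def first_word(value):
    """First token of a decoded value, splitting on whitespace and separators
    so that 'ls;whoami' yields 'ls' rather than the whole string."""
    parts = re.split(r"[\s;|&]+", value.strip())
    return parts[0] if parts else ""


def analyze_line(line):
    """Return a finding dict for a suspicious request, or None."""
    match = LOG_RE.match(line)
    if not match:
        return None  # not a log line we understand; skip rather than crash
    parts = urlsplit(match["target"])
    # parse_qs percent-decodes values, so %3B is already ';' here.
    params = parse_qs(parts.query, keep_blank_values=True)
    reasons = []
    for name, values in params.items():
        for value in values:
            word = first_word(value)
            if word in COMMAND_NAMES:
                reasons.append("%s starts with shell command %r" % (name, word))
            if META_RE.search(value):
                reasons.append("%s contains a shell metacharacter" % name)
    if not reasons:
        return None
    return {
        "ip": match["ip"],
        "timestamp": match["ts"],
        "path": parts.path,
        "reasons": reasons,
    }


def scan_log(text):
    """Run analyze_line over every line and keep the findings."""
    return [f for f in (analyze_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["timestamp"], finding["ip"], finding["path"],
              "; ".join(finding["reasons"]))
```

Decoding before matching is the part that matters: the third constructed line carries the semicolon as `%3B`, so a detector that greps the raw request line for `;` would miss it. Blind injection, where the page returns nothing, leaves exactly the same request in the log, which is why this check looks at the request rather than the response.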
