CyberTalents | Newsletter
Writeup of an easy-rated Web Exploitation Challenge from CyberTalents
Challenge Name
Challenge Description
- The administrator put the backup file in the same root folder as the application, help us download this backup by retrieving the backup file name.
Write-Up
Navigating to the provided URL, you will be presented with the following web page:
There is a field, where we can enter an email address:
But, when an input that does not look like an email address, the web page will return the following response:
- From the message
Invalid email, email must contain @ & dot
, we can assume that the user input is checked whether it contains@
anddot
or.
If it’s the case, the email address is successfully inserted, otherwise this error message is returned.
Manual Exploitation
Bypassing the check:
We can easily bypass this check by simply providing an input that contains @
and .
It can be as simple as the following input: @.
Command Injection:
Let’s try to inject an OS command like id
while making sure to bypass the check.
We can do that by injecting the following payload: ;id #@.
- Here we are executing the
id
command and commenting@.
in order not to be executed. - The semi-colon
;
in the beginning is just to separate our command with the command executed in the backend.
- As you can see, the
id
command has been executed in the backend server, which means this entry point is vulnerable to command injection.
Flag:
In this challenge, the flag is the name of a backup file, which is located in the same root folder as the application. In other words, we can get this filename by simply running ls
:
- The backup filename is
hgdr64.backup.tar.gz
Exploitation using Commix:
Commix short for [comm
]and [i
]njection e[x
]ploiter, is an open-source penetration testing tool that automates the detection and exploitation of Command Injection
vulnerabilities.
You can think of it as SQLmap
but for Command Injection
rather than SQL injection
vulnerabilities.
The Wizard Mode:
You can work with this tool by providing options via arguments, such as --url
, or using the wizard
mode, which is an interactive interface that asks you for the required option and all you need to do is provide it. You can enable this mode using the option --wizard
:
- First of all, it will ask you for the URL, the
POST
data you want to test for command injection (email=hacker@gmail.com
), the injection level (3
) and finally the target server’s operating system. - After doing its thing, if successful (Command Injection exploited), it will ask you whether you want a pseudo-terminal shell where you can execute commands remotely on the target server.