Post

CyberTalents | Newsletter

Writeup of an easy-rated Web Exploitation Challenge from CyberTalents


Newsletter is a Web Exploitation challenge from CyberTalents that revolves around exploiting a command injection vulnerability with a bypass of a rudimentary input check to obtain the flag.

Challenge Name

Newsletter Challenge


Challenge Description


  • The administrator put the backup file in the same root folder as the application, help us download this backup by retrieving the backup file name.

Write-Up


Navigating to the provided URL, you will be presented with the following web page:

Super Newsletter


There is a field, where we can enter an email address:

Valid email address


But, when an input that does not look like an email address, the web page will return the following response:

Invalid email address
  • From the message Invalid email, email must contain @ & dot, we can assume that the user input is checked whether it contains @ and dot or . If it’s the case, the email address is successfully inserted, otherwise this error message is returned.

Manual Exploitation

Bypassing the check:

We can easily bypass this check by simply providing an input that contains @ and .
It can be as simple as the following input: @.

Email Check Bypassed


Command Injection:

Let’s try to inject an OS command like id while making sure to bypass the check.
We can do that by injecting the following payload: ;id #@.

  • Here we are executing the id command and commenting @. in order not to be executed.
  • The semi-colon ; in the beginning is just to separate our command with the command executed in the backend.
id
  • As you can see, the id command has been executed in the backend server, which means this entry point is vulnerable to command injection.

Flag:

In this challenge, the flag is the name of a backup file, which is located in the same root folder as the application. In other words, we can get this filename by simply running ls:

Flag
  • The backup filename is hgdr64.backup.tar.gz

Exploitation using Commix:

Commix short for [comm]and [i]njection e[x]ploiter, is an open-source penetration testing tool that automates the detection and exploitation of Command Injection vulnerabilities.
You can think of it as SQLmap but for Command Injection rather than SQL injection vulnerabilities.

The Wizard Mode:

You can work with this tool by providing options via arguments, such as --url, or using the wizard mode, which is an interactive interface that asks you for the required option and all you need to do is provide it. You can enable this mode using the option --wizard:

Command Injection via Commix
  • First of all, it will ask you for the URL, the POST data you want to test for command injection (email=hacker@gmail.com), the injection level (3) and finally the target server’s operating system.
  • After doing its thing, if successful (Command Injection exploited), it will ask you whether you want a pseudo-terminal shell where you can execute commands remotely on the target server.
This post is licensed under CC BY 4.0 by the author.