Tips & Tricks, WebApp 101

Command Injection Tips

While working through TheCyberMentor’s Linux Privesc course, I learned something new and wanted to place this here so I can refer to it later. There’s a box on TryHackMe called ConvertMyVideo. This post does not intend to serve as a walk-through or write-up of that box, but rather uses it as an example for some of the tips I’m going to place here.


Setting the Stage

On the webpage of the box, we see a field where we can enter our own value.

We find when intercepting the web request that there is a parameter being sent to the box called yt_url. Whatever value gets entered in the field will be passed into this parameter.


Testing for Command Injection

Let’s replace the value of the parameter with a system command, such as ls. We find that this doesn’t work on its own, but wrapping the command in backticks forces the shell to process it BEFORE the rest of the command line. This is what that looks like.

`ls`

All signs indicate that we were able to successfully inject our ls command, which resulted in the word admin being passed into the back-end.

We try to take it further by running ls -la, but we find that this isn’t working properly. We likely have some sort of bad characters that we’ll need to bypass.

We can try to pass ls%20-la, which is a URL encoded space, but that doesn’t help.

At this point, TCM shows us that ${IFS} (the shell’s internal field separator) will also be interpreted by the OS as a space character. To test this out, I confirmed that typing the following command on my Kali box produced the result I wanted.

ls${IFS}-la

While we confirmed that this should translate to a space character, we were still unable to get the result we wanted on the box.

However, we confirm that if we use another command that doesn’t contain additional special characters, such as ping 127.0.0.1, our command injection works. This sets us up with everything we need to download a payload, make it executable, and run it.


Thinking Outside the Box

Keep in mind that we do not have the ability to use commands that contain special characters, so you have to think a bit outside the box. For example:

Instead of running chmod +x <file>, you can use chmod${IFS}777${IFS}<file>.

Instead of running ./<file>, you can use bash${IFS}<file>.
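As an added example (not code from the course, the box, or the tool behind it), here is what the vulnerable pattern described above looks like on the server side, next to a detector for the indicators used in this post (backticks, ${IFS}, separators) and a hardened way to hand yt_url to the download tool. The youtube-dl command name and the sample URLs are assumptions.

```python
import re
import subprocess
from urllib.parse import urlparse

# Constructed model of the vulnerable pattern described above: the yt_url
# value is interpolated into a shell command string, so backticks, ;, | and
# ${IFS}-separated arguments are all interpreted by /bin/sh.
def vulnerable_build_command(yt_url: str) -> str:
    return f"youtube-dl {yt_url}"          # would be run with shell=True

# Detection heuristics for request-log review or a WAF rule. A single '&' is
# deliberately not flagged: it is ubiquitous in legitimate query strings.
INDICATORS = {
    "backtick_substitution": re.compile(r"`[^`]*`"),
    "dollar_substitution": re.compile(r"\$\([^)]*\)"),
    "ifs_space_bypass": re.compile(r"\$\{?IFS\}?"),
    "command_separator": re.compile(r"[;|\n]|&&"),
    "redirection": re.compile(r"[<>]"),
}

def injection_indicators(value: str) -> list:
    """Return the names of every indicator that matches the raw parameter."""
    return [name for name, rx in INDICATORS.items() if rx.search(value)]

def is_allowed_url(value: str) -> bool:
    """Allow-list check: an http(s) URL with a host and no shell syntax."""
    try:
        parsed = urlparse(value)
    except ValueError:
        return False
    return (parsed.scheme in ("http", "https")
            and bool(parsed.netloc)
            and not injection_indicators(value))

def safe_build_command(yt_url: str) -> list:
    """Hardened form: validate first, then build argv as a list so the value
    is a single argument to execve and never reaches a shell. '--' stops the
    value from being parsed as an option even if it starts with '-'."""
    if not is_allowed_url(yt_url):
        raise ValueError("rejected yt_url")
    return ["youtube-dl", "--", yt_url]

def run_download(yt_url: str) -> subprocess.CompletedProcess:
    # shell=False: no backtick, $(...) or ${IFS} expansion can occur.
    return subprocess.run(safe_build_command(yt_url), shell=False, check=False)

if __name__ == "__main__":
    for sample in ["`ls`", "`ls${IFS}-la`", "https://example.com/watch?v=abc&t=5"]:
        print(sample, "->", injection_indicators(sample) or "clean")
```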

Tips & Tricks

Upgrading Simple Shells to Interactive TTYs w/ Python

This is a quick and easy post, mainly for my own reference moving forward. It will showcase how to upgrade and improve your reverse shells so that they are more user friendly.


Once you have a reverse shell, start by running the command

python -c 'import pty;pty.spawn("/bin/bash")'

Now we’ll background the shell with Ctrl + Z. We’ll be taken back to our Kali terminal window.

In the Kali terminal, type stty raw -echo. It will appear as if nothing happened; then type fg. Note: the text you type here will not be displayed, because echo has just been turned off.

Press Enter. This will repopulate the command you ran to catch the shell; press Enter a second time, and you will be taken back to your reverse shell.

Now, you can run export TERM=xterm, which will allow you to do things like clear the screen.


Fixing Rows/Columns

If you need to run vi, you may find that your shell doesn’t display the editor correctly. For example, it may not fill out the entire terminal window (see image below).

To fix this, we’ll need to adjust the rows and columns. From a new terminal window (on your local machine), run the following command.

stty -a

Make note of the returned rows and columns. Back in your shell, run the following command to configure the terminal with the correct number of rows/columns.

stty rows <insert> columns <insert>

Now running vi will work correctly.