Command Injection - TryHackMe Junior Penetration Tester 3.9

Captions
Hi there. In our last lesson we learned about cross-site scripting, or XSS, which I recommend you check out because they are some of the most common vulnerabilities out there right now. In this lesson we're looking at command injection, a vulnerability which allows us to execute commands through a vulnerable app, and its remediations. I'm Brock from Brock Card Security, and let's get hacking.

All right, so first things first: you're going to want to go ahead and log into your TryHackMe dashboard and go to the Command Injection lesson.

Introduction: what is command injection? In this room we're going to be covering the web vulnerability that is command injection. Once we understand what this vulnerability is, we'll then showcase its impact and the risk it imposes on an application. Then you're going to be able to put this knowledge into practice, namely: how to discover the command injection vulnerability, how to test and exploit this vulnerability using payloads designed for different operating systems, and how to prevent this vulnerability in an application. Lastly, you'll get to apply theory into practice in a practical room at the end.

To begin with, let's first understand what command injection is. Command injection is the abuse of an application's behavior to execute commands on the operating system, using the same privileges that the application on a device is running with. We're taking advantage of what's already there. For example, achieving command injection on a web server running as a user named Joe will execute commands under this Joe user, and therefore obtain any permissions that Joe has. A command injection vulnerability is also known as a remote code execution, or RCE, because an attacker can trick the application into executing a series of payloads that they provide without direct access to the machine itself, i.e. an interactive shell. The web server will process this code and execute it under the privileges and access controls of the user who is running that application; they think that we're Joe.

Command injection is also often known as remote code execution because of the ability to remotely execute code within an application. These vulnerabilities are often the most lucrative to an attacker because it means that the attacker can directly interact with the vulnerable system. For example, an attacker may read some system or user files, data, and things of that nature. For example, being able to abuse an application to perform the command whoami, to list what user account the application is running as, would be an example of command injection. Command injection was one of the top 10 vulnerabilities reported by Contrast Security's AppSec Intelligence Report in 2019; you can see that here, for insights from Contrast Labs' AppSec Intelligence Report. Moreover, the OWASP framework constantly proposes vulnerabilities of this nature as one of the top 10 vulnerabilities of a web application. Or you can just look at the OWASP framework, and here we have the top 10 most common web application security vulnerabilities or risks, and command injection would definitely share a lot of the traits with a lot of these. No answer needed; mark completed.

Discovering command injection. This vulnerability exists because applications often use functions in programming languages such as PHP, Python and Node.js to pass data to and make system calls on the machine's operating system, for example taking input from a field and searching for an entry in a file. Take this code snippet below as an example. In the code snippet, the application takes data that a user enters in an input field named title to search a directory for a song title. Let's break this down into a few simple steps. Here we have our code snippet written in PHP, commonly used for web development. Step number one: the application is going to store the MP3 files in a directory contained on the operating system; we can see the directory here, /var/www/html/songs. Number two: the user inputs the song title they wish to search for; the application stores this input into the title variable, so here the title variable is getting whatever the user inputs. The data within this title variable is passed to the command grep to search a text file named songtitle.txt for the entry of whatever the user wishes to search for. So we can see here the command grep, and then whatever the title is, and they're looking in songtitle.txt, which probably has a list of different songs. The output of this search of songtitle.txt will determine what the application informs the user: that the song exists or not. If the grep command returns blank, then it's going to say that the title does not exist; however, if anything else happens, then it's going to say the requested song does exist. Now, this sort of information would typically be stored in a database; however, this is just an example of where an application takes input from a user to interact with the application's operating system. An attacker could abuse this application by injecting their own commands for the application to execute. Rather than using grep to search for an entry in songtitle.txt, they could ask the application to read data from a more sensitive file. Now that's an abuse of trust right there with the operating system. Abusing applications in this way can be possible no matter the programming language the application uses; as long as the application processes and executes it, it can result in command injection. For example, this code snippet below is an application that was written in Python. Note: you are not expected to understand the syntax behind these applications; however, for the sake of reason, they have outlined the steps of how this Python application works as well. Number one, we see that the Flask package is used to set up a web server. In code block number two, a function that uses the subprocess package executes a command on the device. In number three, we use a route in the web server that will execute whatever is provided; for example, to execute whoami we need to visit http://flaskapp.thm/whoami.

What variable stores the user's input in the PHP code snippet in this task? Got any ideas? If you said the title variable, then you'd be correct. What HTTP method is used to retrieve data submitted by a user in the PHP code snippet? GET. The GET method is used to retrieve data submitted by a user, which we can see in step number two. Now, if I wanted to execute the id command in the Python code snippet, what route would I need to visit? Well, if we need to go to the flaskapp.thm/whoami route to use whoami, then we're going to need to do /id to execute the id command. Nice job, guys; on to the next one.

Task three: exploiting command injection. You can opt to determine whether or not command injection may occur by the behaviors of an application, as you will come to see in the practical session of this room. Applications that use user input to populate system commands with data can often be combined in unintended behavior. For example, the shell operators ;, & and && will combine two or more system commands and execute them both. Double the power! If you're unfamiliar with this concept, it is worth checking out the Linux Fundamentals module to learn more about this. Linux Fundamentals covers many servers and security tools in Linux; learn how to use the Linux operating system, which is a critical skill in cyber security. If you're interested in me going over the Linux Fundamentals course, go ahead and let me know down in the comments.

Command injection can be detected in mostly one of two ways: number one, blind command injection, and number two, verbose command injection. These two methods are defined below, and the sections underneath will explain these in greater detail. Blind command injection is a type of injection where there is no direct output from the application when testing payloads; much like blind XSS, you will have to investigate the behaviors of the application to determine whether or not your payload was successful. Number two, verbose command injection, is a type of injection where there is direct feedback from the application once you have tested a payload; for example, running the whoami command to see what user the application is running under, the web application will output the username on the page directly. That sounds pretty nice. So how are we supposed to figure out if our command successfully worked if there's no visible output? It's not immediately noticeable; for example, a command is executed but the web application outputs no message. However, just because it's not there doesn't mean it didn't happen. For this type of command injection we will need to use payloads that will cause some time delay; for example, the ping and sleep commands are significant payloads to test with. Using ping as an example, the application will hang for however many seconds in relation to how many pings you have specified. Another method of detecting blind command injection is by forcing some output. This can be done by using redirection operators such as the right arrow (>); if you're unfamiliar with this, I recommend checking out the Linux Fundamentals module. For example, we can tell the web application to execute commands such as whoami and then redirect that to a file. We can then use commands such as cat to read this newly created file's content. Testing command injection this way is often complicated and requires a bit of experimentation, as the syntax for commands varies between Linux and Windows. The curl command is a great way to test for command injection; this is because you are able to use curl to deliver data to and from an application in your payload. Take this code snippet below as an example: a simple curl payload to an application possibly vulnerable to command injection. Here we have the curl command, and it looks like it's using process.php, and then we're searching the directory "beetles" to execute the whoami command.

Detecting verbose command injection is a little different; it's arguably the easiest method of the two. Verbose command injection is when the application gives you feedback or output as to what is happening or being executed. For example, the output of commands such as ping or whoami is directly displayed on the web application. Here they have compiled some valuable payloads for both Linux and Windows into the tables below. So we have whoami, which is in both Linux and Windows; whoami sees what user the application is running under. If I'm logged in as Joe and cat a file, we can see that Joe's logged in. And then for Linux it's going to be ls, which stands for list, listing the contents of the current directory; you'll be able to find files like configuration files, environment files, tokens, application keys and many more valuable things. On the flip side, in Windows you're going to be using dir, which is that operating system's counterpart; you'll be able to find the same sort of things. ping is a command that will invoke the application to hang; this will be useful in testing an application for blind command injection. sleep is another useful payload in testing an application for blind command injection where the machine does not have ping installed. sleep is specific to Linux, and so is nc, which stands for netcat; netcat can be used to spawn a reverse shell onto the vulnerable application. You can use this foothold to navigate around the target machine for other services, files, or potential means of escalating privileges. timeout is specific to Windows, and it's a command that will also invoke the application to hang; it's useful for testing the application for blind command injection if the ping command is not installed.

What payload would I use if I wanted to determine what user the application is running as? How about this: whoami. What popular network tool would I use to test for blind command injection on a Linux machine? How about... What payload would I use to test a Windows machine for blind command injection? How about timeout. We got it correct. All right, on to task four.

Task four: remediating command injection. Command injection can be prevented in a variety of ways, everything from minimal use of potentially dangerous functions or libraries in a programming language to filtering input without relying on a user's input. I have detailed these a bit further below. The examples below are in the PHP programming language; however, the same principles can be extended to many other languages. In PHP, many functions interact with the operating system to execute commands via shell; these include exec, passthru and system. Take this snippet below as an example. Here the application will only accept and process numbers that are inputted into the form; this means that any command such as whoami will not be processed. Number one, the application will only accept a specific pattern of characters, in this case the digits 0 through 9. The application will then only proceed to execute this data, which is all numerical. These functions take input such as a string or user data and will execute whatever is provided on the system; any application that uses these functions without proper checks will be vulnerable to command injection.

Input sanitization. Sanitizing any input from a user that an application uses is a great way to prevent command injection. This is a process of specifying the formats or types of data that a user can submit, for example an input field that only accepts numerical data or removes any special character such as >, & and /. In the snippet below, the filter_input PHP function is used to check whether or not any data submitted via an input form is a number or not; if it is not a number, it must be invalid input. Here we have the filter_input function, which is saying "if it's a number, hey, we're going to try to use it"; this is probably followed by an else statement saying "hey, don't use the input", just like if you go to the border and you're not a citizen or you don't have a green card, you're going to be sent back to where you came from, unless you find a way to bypass the rules. Applications will employ numerous techniques in filtering and sanitizing data that is taken from a user's input. These filters will restrict you to specific payloads; however, we can abuse the logic behind an application to bypass these filters. For example, an application may strip out quotation marks; we can instead use the hexadecimal value of this to achieve the same result. When executed, although the data given will be in a different format than what is expected, it can still be interpreted and will have the same result. Here's our payload: they would normally strip out the quotation marks, but because we put everything in hexadecimal it's not recognizing that we've encoded quotations; it's just in another language.

What is the term for the process of cleaning user input that is provided to an application? Sanitization. "Sanitize" with a z is used primarily in the US and Canada; "sanitise" is preferred everywhere else. Okay, so if you're using the z it's not necessarily wrong, but for this they want us to use this, and we got it correct.

Deploy the machine attached to this task; it will be visible in the split-screen view. Deploy the machine. All right, it's booting up. Once your machine boots up, we're going to use some payloads on the application hosted on the website visible in the split-screen view to test for command injection. Refer to this cheat sheet if you are stuck or wish to explore some more complex payloads; that is very nice of them. Here we have a whole list of compounded Unix commands to try and perform a command injection. Likewise in Windows we also see some similar commands, such as multiple ampersands, sleep, whoami and other commands.

Find the contents of the flag located in /home/tryhackme/flag.txt. You can use a variety of payloads to achieve this; I recommend trying multiple. To start off, we'll just go ahead and try the default IP address and see what it returns. So this is a handy web application for diagnosing IT problems; it's testing the availability of a device by entering the IP address. It looks like whatever is running under the hood grabbed our IP address and put it into a ping command, which then gave us back some ping statistics. However, that doesn't tell us what operating system is running under the hood. Let's try a command that'll sift the operating systems down a little bit to see if this is a Windows machine or a Linux or Unix machine. Go ahead and do 127.0.0.1, satisfying the IP address requirement, and then we're going to do the ampersand to run an additional command, and run a command only available on a Unix machine, and we will have it sleep for 10 seconds. If we execute it and it's a Unix system, it should wait for 10 seconds before it brings us back anything. So far it's not returning anything... and there we go. So let's look at the cheat sheet; if we go down to the Windows commands, 127.0.0.1 and then we'll try the directory command. Looks like we're not given any users. Let's try an alternative method; let's see if we can look inside the root home directory using ls: 127.0.0.1 & ls. It looks like it responded to the ls with eight directories or files inside the root home, the /home/tryhackme directory, a total of four in the /home/ubuntu directory, and provided us with the flag.txt.save file. So we know it's there; now we'll use it to answer this question right here: what are the contents of the flag located in /home/tryhackme/flag.txt? We've stumbled upon it. We should be able to do 127.0.0.1 & ...; if this system responded to a Unix command of ls, we should also be able to use the cat command to look inside the flag.txt file. Then it'll be /home/tryhackme/flag.txt.save. Go ahead and execute that. We have successfully done a command injection attack; way to go. As you can see, "THM command injection complete" is the answer for the next question.

All right, what user is this application running as? Let's try this: dollar sign, semicolon, /usr/bin/id. Put in the IP address, followed by the ampersand, and then dollar sign, semicolon. Okay, looks like we got something. Now we should be able to look at the /etc/passwd file and find whoever's user ID is 33: 127.0.0.1 & cat, and then we'll go to the root directory, the /etc directory, passwd. Let's go. Oh wow, we just got a lot of good info. Now we're specifically looking for user ID 33, but we have a lot of different user IDs flying around here. Now, if you're a nitpicker, you could do Ctrl+F 33; it looks like the www-data user, and they're currently signed in. If we wanted to make this a little cleaner, we could have done 127.0.0.1 and run the cat command but piped it to grep for 33. Now we can see right off the bat, okay, yes, the user www-data must be currently signed in, because when we look at the user ID of whoever was signed in, we saw that same 33. Enter the answer.

I just want to say, it's unlikely when you're starting out that you're going to know a lot of these different commands and payloads. Just go through each command, rinse and repeat; try it out, and if it doesn't work, hey, try something else. Having that determination is going to go a long way, trust me. The field of cyber security is changing so much that you can't be expected to learn a single command injection attack and just hope it stays the way it is. No, there are many, many different types of command injection attacks; there are command injection attacks that we haven't even thought of yet.

Well done for making it to the end of the room. To recap, we've learned about the following elements of command injection: how to discover the command injection vulnerability, how to test and exploit this vulnerability using payloads designed for different operating systems, how to prevent this vulnerability in an application, and how to apply our learning by performing command injection in a practical application. As you will probably have discovered, there are multiple payloads that can be used to achieve the same goal. I highly encourage you to go back to the practical element of this task and try some alternative methods of retrieving the flag. So go ahead and click complete and celebrate; you guys just learned a critical skill in cyber security. Give yourself a pat on the back. We are truly pioneers in this cyber West, and it's up to us to keep poking, keep prodding and looking for vulnerabilities, because you never know: one day you could find something that impacts thousands, maybe millions of people. That's a big deal. Get at it; don't expect your first or 999th time trying to work. Thanks for sticking around, guys; like and subscribe. This marks our ninth complete lesson in the Introduction to Web Hacking course. I'll see you in the last lesson of Intro to Web Hacking, where we're going to go over SQL injection. It's gonna be a fun one, guys; keep puzzling and take care.
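As an added example (not code from the video or from the TryHackMe room), here is the "ping an IP address" pattern from the practical task written in Python, the way the room's own Flask snippet uses subprocess: the vulnerable shell-string form beside a hardened version that validates the field as an IP address and passes an argument list instead of a shell string. `echo` stands in for `ping` so the block runs offline, and all function names are assumptions.

```python
"""Added example, not the video's or the room's code. Reproduces the
'ping a host' pattern from the practical task, vulnerable and hardened.
echo stands in for ping so this runs offline; names are assumptions."""
import ipaddress
import re
import subprocess
from typing import List, Optional

# Shell operators the lesson lists for chaining commands (; & && |),
# the > redirection used to force output, plus $( ) and backticks.
SHELL_OPERATOR = re.compile(r"[;&|><`$()\n]")


def has_shell_operator(user_input: str) -> bool:
    """Detection helper: flag input containing a chaining or redirection
    operator. Useful for request logging or alerting, but not a
    substitute for the allow-list validation below."""
    return SHELL_OPERATOR.search(user_input) is not None


def run_vulnerable(user_input: str) -> str:
    """The bug: input concatenated into a command string and handed to a
    shell (shell=True), so operators inside the input are interpreted.
    echo replaces ping here; with ping, an input like '127.0.0.1 & sleep 10'
    delays the response exactly as the blind-injection test expects."""
    cmd = "echo pinging " + user_input
    return subprocess.run(cmd, shell=True, capture_output=True,
                          text=True).stdout


def validate_ip(user_input: str) -> Optional[str]:
    """Allow-list validation, the PHP filter_input idea applied to an IP
    field: accept only what the ipaddress module parses and return the
    canonical address, or None for anything else."""
    try:
        return str(ipaddress.ip_address(user_input.strip()))
    except ValueError:
        return None


def run_hardened(user_input: str) -> str:
    """Fixed version: validate first, then pass an argv list with
    shell=False (the default), so no shell ever sees the input."""
    ip = validate_ip(user_input)
    if ip is None:
        return "rejected: not an IP address"
    argv: List[str] = ["echo", "pinging", ip]
    return subprocess.run(argv, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Constructed sample input in the style of the lesson's payloads.
    payload = "127.0.0.1; echo INJECTED"
    print("vulnerable:", repr(run_vulnerable(payload)))  # second line INJECTED
    print("hardened:  ", repr(run_hardened(payload)))    # rejected
    print("hardened:  ", repr(run_hardened("127.0.0.1")))
```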
Info
Channel: Brock Rosen
Views: 2,132
Keywords: tryhackme, jr penetration tester, penetration testing, pentester, how to, lesson11, introduction, web hacking, beginner, free course, ethical hacking, cybersecurity, cyber security, how to hack, hacking tutorial, junior, free, training, command injection, what is command injection, remediating, discovering, exploiting, deploy, practical example, answers, explained, walkthrough
Id: 9v5RzG3ha8s
Length: 20min 9sec (1209 seconds)
Published: Fri Mar 24 2023