You have not logged in. Access is limited, Please login to get full Access

OS Injection

In this challenge, you’ve discovered a web application that takes user input and executes an OS command on the server without proper validation or sanitization. The application is vulnerable to OS command injection, where user input is directly passed to the operating system’s command shell. Your goal is to exploit this vulnerability to execute arbitrary OS commands and retrieve the flag stored on the server.

Task 1 OS Command Injection

You are a penetration tester hired by a company to assess the security of their web application. During your engagement, you have discovered a vulnerable endpoint in the application that processes user-supplied data without proper sanitization. The vulnerability is an OS command injection flaw in a search functionality, and your job is to exploit this vulnerability to retrieve hidden flags embedded within the server. The flags are hidden in the system logs and in environment variables.

Answer The Questions

Question 1: Find the first hidden flag in the server's environment variable

Scenario: You have been provided with a web form where you can input a search query. The form passes the query directly to a system command. The server executes the following command:

search_result=$(grep -i "$query" /etc/passwd)

Question 2: Find the second hidden flag in the server logs

Scenario: The server also logs search queries. You need to find a way to retrieve the log file contents.

Question 3: Bypass input sanitization to execute arbitrary commands

Scenario: Input sanitization is only partially implemented, filtering ;, &&, and ||. However, it does not filter backticks ` properly.

Question 4: Find the third hidden flag using a directory traversal attack

Scenario: The search query is being used to open files from a specific directory, but the path is incomplete.

Question 5: Gain access to sensitive information from a hidden cron job

Scenario: The server has a hidden cron job that runs periodically. The cron job is responsible for generating a hidden flag. You need to exploit the OS command injection to gain access to the cron job's output.

Question 6: Extract a hidden flag from the server's memory

Scenario: The application stores temporary flags in memory, which can be accessed using a custom command injection vulnerability in a "search" function. The application is running with elevated privileges.

Question 7: Retrieve the flag hidden in an encrypted file

Scenario: You’ve found an encrypted file on the system at /etc/secure/secret.enc. The encryption method is simple (using openssl).

Question 8: Use the information from environment variables to retrieve the final flag

Scenario: The application provides a limited view of system information, but the system’s environment variables hold the final flag.

OS Injection

Task 1 OS Command Injection

Email Verification Required

Admin Panel