Command Injection Practical Scenario | TryHackMe Epoch

We covered a practical scenario on command injection using TryHackMe Epoch room.

CompTIA Security+ SY0-601 Study Notes

This is the CompTIA Security+ SY0-601 Study Notes Version one that includes all exam objectives and the subjects…

The Complete Practical Metasploit Framework Course

Course Content: Chapter 1: Introduction to Metasploit Framework Chapter 2: Understanding Metasploit Modules Chapter 3…

Room Answers

Find the flag in this vulnerable web application!

flag{7da6c7debd40bd611560c13d8149b647}

Video Transcript

So the idea is that guys there is this challenge here as you can see It’s kind of running a command line tool but accessible from the web so whatever you type here it gets executed. The purpose of this room is to get you familiar with the concept of command injection, which is an OWASP top 10 vulnerability. The problem in the web application of this scenario is that user queries are passed into the system directly without proper filtering or input validation.

To exploit this vulnerability, we can execute commands or two commands simultaneously in Linux using two ways. The first one is to use semicolon or we can use double ampersand between the two commands. We can get a shell on the system using a bash reverse shell eventually leading us to get access to the system and retrieve the flag.