Looking Glass [HTB]

Category : Web

Difficulty : Easy

Challenge Description

1	We've built the most secure networking tool in the market, come and check it out!

We are given an IP address and a port to connect to , we are not provided with a source code. If we open the website we find the following interface

website
We can do the commands ping and traceroute on an IP address that we can provide

Some of you might already spotted the vulnerability here. However, let’s open BurpSuite and take a look at the request that was made when we click Test.

The request is as follow
request
It is a post request that has 3 parameters test , ip_address and submit .

If we try to put another command for example id in the place of ping we don’t get anything back

1	test=id&ip_address=134.122.104.185&submit=Test

But what if we put that after the IP address like this

1	test=ping&ip_address=134.122.104.185;id&submit=Test

And indeed the command id was executed successfully and we can see its output in the response

This vulnerability is called command injection ( you can read more about it from here https://portswigger.net/web-security/os-command-injection )

Now that we can execute any command , let’s take a look at the files available and perhaps we can find the flag. In our current directory we have an index.php file let’s see its content

<?php
function getUserIp()
{
    return $_SERVER['REMOTE_ADDR'];
}

function runTest($test, $ip_address)
{
    if ($test === 'ping')
    {
        system("ping -c4 ${ip_address}");
    }
    if ($test === 'traceroute')
    {
        system("traceroute ${ip_address}");
    }
}

?>

The vulnerable part of the code is here

1	system("ping -c4 ${ip_address}");

It’s passing the parameters to bash without sanitizing it **to remove potential injection, so we can execute any other command by simply putting ; after the first one