Simon McCabe

OSCP · OSWP · PWPP · PWPA · PAPA · EnCE · Linux+ · LPIC-1 · Network+ · Security+ · Pentest+ · eJPT · eWPT · BSc · PGCert

Certable Writeup

Platform: WebVerse
Target: https://502f9577-3953-certable-947fd.events.webverselabs-pro.com
Vulnerability classes: Command Injection

cover.png

1. Enumeration

I tried for a short while to enumerate the app, but it was quite clearly going to be something wrong with the key generation function, so I began looking at it. Before long, I figured I'd try to attack it directly, since there was little or no functionality elsewhere.

2. Sleep for a while

I tried a sleep payload and, sure enough, the app did indeed take 10 seconds to respond.

1.png

Now I knew I was dealing with blind command injection. I just had to see what I was able to do.

2.png

I tried to cat the /etc/passwd file and send it to the webroot as exfil.txt. The problem here was that I got an error. But... had the command run? You bet it had.

3.png

Now I just needed to find the flag. Since this was all blind, I ran the ls command and piped the results into the exfil file.

4.png

From here I could see the flag, which in turn told me which location it was in.

5.png

3. Blind command injection to flag

I ran the following command:

6.png

...and, as expected, this put the flag.txt contents into file.txt on the webroot. Simply browsing to this file revealed the flag.

7.png
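To show the bug class behind this lab from the defender's side, here is an added example (my own constructed code, not the lab's or WebVerse's): a hypothetical key-generation handler written the vulnerable way beside a hardened version, plus a small log check for the two traces a sleep-based blind injection leaves behind. The endpoint, parameter name, openssl command and log format are all assumptions.

```python
import re
import subprocess
from urllib.parse import unquote

# Added, constructed example (not the lab's code). The endpoint, parameter
# name and underlying command are hypothetical stand-ins for the writeup's
# key-generation function.

SHELL_META = re.compile(r"[;&|`$<>\n]")
LABEL_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")

def build_command_vulnerable(label: str) -> str:
    """Vulnerable pattern: untrusted input pasted into one shell string.
    Run with shell=True, a label like 'x; sleep 10' executes 'sleep 10'
    too, which is the time-based blind injection the writeup confirmed."""
    return f"openssl rand -hex 16 > /tmp/keys/{label}.key"

def validate_label(label: str) -> str:
    """Allowlist check: anything outside [A-Za-z0-9_-] is rejected, so
    metacharacters never reach a command line at all."""
    if not LABEL_RE.fullmatch(label):
        raise ValueError(f"rejected key label: {label!r}")
    return label

def build_command_hardened(label: str) -> list:
    """Hardened pattern: validated input and an argv list (no shell).
    Redirection is not part of argv, so the caller writes the file."""
    validate_label(label)
    return ["openssl", "rand", "-hex", "16"]

def generate_key(label: str, out_dir: str = "/tmp/keys") -> str:
    """Runs the argv with shell=False and writes the key file in Python."""
    argv = build_command_hardened(label)
    key = subprocess.run(argv, capture_output=True, check=True,
                         text=True).stdout.strip()
    path = f"{out_dir}/{label}.key"
    with open(path, "w") as fh:
        fh.write(key)
    return path

def suspicious_request(log_line: str, slow_ms: int = 9000) -> bool:
    """Detection over a constructed access-log line 'METHOD PATH STATUS MS':
    flags shell metacharacters in the decoded query string, or a response
    slow enough to suggest an injected sleep, the two traces this attack
    leaves in server logs."""
    _method, target, _status, ms = log_line.split()
    query = unquote(target.partition("?")[2])
    return bool(SHELL_META.search(query)) or int(ms) >= slow_ms
```

The detection half is deliberately simple; in practice you would also watch for the web server writing new files into its own document root, which is the exfiltration channel this lab relied on.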

I enjoyed this lab. Very cool vulnerability, and it made me think a bit outside of the box. I did try to use external request catchers, but they were firewalled off, so it made sense to write to the web page, as I could access this information easily within the browser. Thanks for reading!


🍺 Quick message to readers: if my writeups help you, please consider a small donation to my buymeacoffee link here. This is not required but is very much appreciated! 🍺
