DAY 1: Injection

@rrietwrites
4 min readJun 6, 2022
An image of a syringe with SQL written on it to signify SQL injection

Please note: This is part one of a 10-part series on the TryHackMe OWASP Top 10 room.

An injection flaw (vulnerability) allows threat actors to pass malicious code through an application to another system. An attacker could exploit this vulnerability to execute arbitrary system commands on the application server, in what is known as OS command injection, or to query the database by passing SQL parameters, in an SQL injection attack.

OS command injection lets an attacker alter the command that a system call executes. This form of attack can enable you to take over (own) a web server.

SQL injection, on the other hand, can enable you to run queries that retrieve, modify, delete or create entries in the database.
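To make the OS command injection case concrete, here is an added example in Python (it is not code from this post or from the TryHackMe room): a hypothetical "ping this host" feature written two ways. The vulnerable version interpolates the user's value into a shell string, so a value such as 127.0.0.1; id makes /bin/sh run a second command. The hardened version validates the value against an allow-list pattern and hands it to the program as a single argv element with no shell involved. The function names, and echo standing in for ping so that the block runs anywhere, are my assumptions.

```python
"""Vulnerable vs. hardened command construction for a hypothetical
"ping this host" web feature (added example, not the room's code).

The vulnerable variant hands a user-controlled string to /bin/sh, so shell
metacharacters (; | & $( ) ` and newline) let a second command ride along.
The hardened variant validates the value first and then passes it to the
program as one argv element, so nothing is ever parsed by a shell.
"""
import ipaddress
import re
import subprocess
from typing import List

# Allow-list for the one thing this feature needs: an IP literal or a plain
# DNS hostname (labels of 1-63 alphanumerics/hyphens, 253 chars overall).
# Anything else is rejected outright rather than "escaped".
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def is_safe_host(host: str) -> bool:
    """True only for a syntactically valid IP address or hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return bool(_HOSTNAME_RE.match(host))


def vulnerable_command(host: str) -> str:
    """VULNERABLE: the user value is interpolated into a shell command line.

    'echo' stands in for ping so the example runs offline; the flaw is the
    same.  With host = "127.0.0.1; id" the shell runs `id` as a second command.
    """
    return f"echo pinging {host}"


def run_vulnerable(host: str) -> str:
    # shell=True means /bin/sh parses the string, including anything injected.
    return subprocess.run(vulnerable_command(host), shell=True,
                          capture_output=True, text=True).stdout


def hardened_argv(host: str) -> List[str]:
    """Hardened: validate, then build an argv list that never touches a shell."""
    if not is_safe_host(host):
        raise ValueError(f"rejected host value: {host!r}")
    # The host travels as ONE argument, so characters such as ';', '|' or
    # '$(...)' would reach the program as literal text, not as shell syntax.
    return ["echo", "pinging", host]


def run_hardened(host: str) -> str:
    return subprocess.run(hardened_argv(host), capture_output=True, text=True).stdout


if __name__ == "__main__":
    payload = "127.0.0.1; echo INJECTED"   # constructed attacker-style input
    print("vulnerable:", run_vulnerable(payload), end="")  # second line is the injected echo
    try:
        run_hardened(payload)
    except ValueError as exc:
        print("hardened:", exc)
    print("hardened (valid input):", run_hardened("127.0.0.1"), end="")
```

The design choice worth copying is the allow-list: the hardened path does not try to strip or quote dangerous characters, it decides what a valid host looks like and rejects everything else, and it never builds a shell string at all.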

PRACTICAL LAB 1: COMMAND INJECTION

The first lab on TryHackMe (THM) is command injection. In this practical, you are expected to exploit a web app that was left vulnerable to command injection.

To access the web server from your personal machine, install OpenVPN and configure it as instructed in the OpenVPN room.

Once you start your machine and open it in the browser, it should land you on a page like this:

THM Command injection web application landing page

First, before starting the questions, I ran a command to check whether the underlying web server OS is Windows or Linux:

For Windows, I ran $ver — this gave no output, indicating that the server OS is likely not Windows.

I ran $uname — the Linux equivalent of the Windows $ver. With this, I was able to establish that the underlying OS is Linux.

Now that we know that the server we are probing is running on Linux, we will only use Linux commands.
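From the defender's side, the probing described above (a $ver and $uname pair, then the Linux commands that follow) leaves a recognisable trace in the application's request log. The block below is an added example in Python, not part of the post or the room: it parses access-log lines in the common "combined" format, URL-decodes each query parameter and flags values that carry shell metacharacters, start with a common reconnaissance command, or reference a sensitive file. The log lines, the cmd and host parameter names, and the client addresses are constructed for the example.

```python
"""Spot command-injection probes in web access logs (added example).

Parses Apache/nginx "combined" log lines, URL-decodes every query
parameter and flags values that look like shell injection or recon.
SAMPLE_LOG is constructed; the parameter names are assumptions.
"""
import re
from typing import Dict, List
from urllib.parse import parse_qsl, urlsplit

COMBINED_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Characters a POSIX shell uses to chain or substitute commands.
METACHARS = set(";|&`$(){}\n\r")
# First word of a value matching one of these is a typical OS/user probe.
RECON_COMMANDS = {"ver", "uname", "whoami", "id", "cat", "ls", "lsb_release"}
SENSITIVE_PATHS = ("/etc/passwd", "/etc/shadow", "/etc/motd")

SAMPLE_LOG = """\
10.0.0.5 - - [06/Jun/2022:10:01:02 +0000] "GET /?cmd=ver HTTP/1.1" 200 12 "-" "Mozilla/5.0"
10.0.0.5 - - [06/Jun/2022:10:01:09 +0000] "GET /?cmd=uname HTTP/1.1" 200 6 "-" "Mozilla/5.0"
10.0.0.5 - - [06/Jun/2022:10:01:30 +0000] "GET /?cmd=cat%20%2Fetc%2Fpasswd HTTP/1.1" 200 1893 "-" "Mozilla/5.0"
10.0.0.9 - - [06/Jun/2022:10:02:00 +0000] "GET /?host=127.0.0.1%3B%20id HTTP/1.1" 200 220 "-" "curl/7.81.0"
10.0.0.7 - - [06/Jun/2022:10:02:10 +0000] "GET /?host=example.com HTTP/1.1" 200 90 "-" "Mozilla/5.0"
"""


def classify_value(value: str) -> List[str]:
    """Return the reasons a decoded parameter value looks suspicious (empty if clean)."""
    reasons = []
    if METACHARS & set(value):
        reasons.append("shell metacharacter")
    words = value.strip().split(None, 1)
    if words and words[0] in RECON_COMMANDS:
        reasons.append(f"recon command '{words[0]}'")
    if any(path in value for path in SENSITIVE_PATHS):
        reasons.append("sensitive path")
    return reasons


def scan_log(text: str) -> List[Dict[str, str]]:
    """One finding per suspicious parameter, in log order."""
    findings = []
    for line in text.splitlines():
        match = COMBINED_RE.match(line)
        if not match:
            continue  # not a combined-format line; skip rather than guess
        query = urlsplit(match.group("target")).query
        # parse_qsl percent-decodes, so %3B becomes ';' before classification.
        for name, value in parse_qsl(query, keep_blank_values=True):
            reasons = classify_value(value)
            if reasons:
                findings.append({
                    "client": match.group("client"),
                    "time": match.group("time"),
                    "param": name,
                    "value": value,
                    "reason": "; ".join(reasons),
                })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['client']} {finding['param']}={finding['value']!r}: {finding['reason']}")
```

Two or more findings from one client within a minute, especially the ver-then-uname pattern, are a stronger signal than any single line; the per-line rules here are deliberately simple so they can be tuned for the application's real parameters.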

On to the THM questions…

NB: Most of the answers are blocked to encourage following the walk-through to get the answers. We are all about learning 😊

I use $command to show commands. Ignore the $ sign when running the commands on your side.

What strange text file is in the website root directory?

Run the $ls command to view the files in the current directory. From its output, you get the required .txt file.

How many non-root/non-service/non-daemon users are there?

User account information on Linux is usually found in the /etc/passwd file. To solve this question, run $cat /etc/passwd

The format of the /etc/passwd file output is: username:password:userID(UID):groupID(GID):Home_directory:Command/shell

e.g. root:x:0:0:root:/bin/bash

The output shows only root, daemon and service users.

What user is this app running as?

The $whoami command shows which user the app is running as.

What is the user’s shell set as?

Running $whoami showed that the user is www-data. To check the user's shell, we look at its entry in the /etc/passwd file:
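Both the user-count question and the shell question come down to reading /etc/passwd, so here is one added example in Python that answers both; it is not code from the post or the room. Note that the file actually has seven colon-separated fields, name:password:UID:GID:GECOS comment:home:shell, so root's full line is root:x:0:0:root:/root:/bin/bash. The sample file content is constructed (it is not the lab machine's file), and the "regular user" rule below is the Debian/Ubuntu default from /etc/login.defs: UIDs from UID_MIN (1000) up to UID_MAX (60000), with nobody at 65534.

```python
"""Parse /etc/passwd records, count regular users and look up a user's shell
(added example; SAMPLE_PASSWD is constructed, not the lab machine's file).

Field order: name:password:UID:GID:GECOS:home:shell (seven fields).
"""
from typing import List, Optional

# Debian/Ubuntu defaults from /etc/login.defs.  System and service accounts
# sit below UID_MIN; 'nobody' (65534) sits above UID_MAX.
UID_MIN, UID_MAX = 1000, 60000

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
alice:x:1000:1000:Alice Example,,,:/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/zsh
"""


def parse_passwd(text: str) -> List[dict]:
    """Turn passwd-format text into one dict per account; reject malformed lines."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, password, uid, gid, gecos, home, shell = fields
        entries.append({
            "name": name, "password": password,
            "uid": int(uid), "gid": int(gid),
            "gecos": gecos, "home": home, "shell": shell,
        })
    return entries


def regular_users(entries: List[dict]) -> List[str]:
    """Non-root, non-service, non-daemon accounts, judged by the UID range."""
    return [e["name"] for e in entries if UID_MIN <= e["uid"] < UID_MAX]


def shell_of(entries: List[dict], username: str) -> Optional[str]:
    """The login shell recorded for a user, or None if the user is absent."""
    for e in entries:
        if e["name"] == username:
            return e["shell"]
    return None


if __name__ == "__main__":
    accounts = parse_passwd(SAMPLE_PASSWD)
    print("regular users:", regular_users(accounts))
    print("www-data shell:", shell_of(accounts, "www-data"))
```

A shell of /usr/sbin/nologin or /bin/false on a service account such as www-data is the expected hardening: it records the account in /etc/passwd without granting it an interactive login, which is why a UID-range rule, not the shell column, is the reliable way to count regular users.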

What version of Ubuntu is running?

The lsb_release command displays Linux Standard Base (LSB) information about the specific Linux distribution. Run $lsb_release -a to find the version.

Print out the MOTD. What favorite beverage is shown?

I did a quick Google search on where the MOTD may be stored in Ubuntu. This search revealed that the content is contained in /etc/motd.

Another entry shows that you may modify the MOTD through a script within the /etc/update-motd.d directory.

Running $ cat /etc/motd.d shows no output. This means that the file either does not exist or contains no information.

Since we know that the file is in the /etc/ folder, we can list all the files in that folder and search for motd:

In the output, there is an update-motd.d directory (similar to the one we saw in the Google search).

Run the $ ls command to view the files in the directory:

$ ls /etc/update-motd.d

View the content of the files within the directory, starting with 00-header:

That’s it on Command Injection. I hope you learnt a thing or two. See you on Day 2!


@rrietwrites is a cybersecurity researcher who also enjoys conversations on personal finance, lifestyle, mental health and human psychology