kbid-251-CMD4.md

File metadata and controls

66 lines (43 loc) · 1.54 KB

KBID XXX - Command Injection 1 (CMD)

Running the app (Node.js)

First make sure Node.js and npm are installed on your host machine. After installation, we go to the folder of the lab we want to practice (e.g. /skf-labs/XSS, /skf-labs/RFI/) and run the following commands:

$ npm install
$ npm start

{% hint style="success" %} Now that the app is running let's go hacking! {% endhint %}

Reconnaissance

When we start the application we can see that we can ping an address.

Let's try to ping 127.0.0.1

We get back the output of the ping command, which tells us this might be vulnerable to command injection.

Exploitation

Let's try chaining commands:

127.0.0.1 ; whoami

We get nothing back, so maybe this application has a blacklist. The relevant piece of the app's code:

const { exec } = require("child_process");

let ip = req.body.text;
// Blacklist: strips a backtick, a ';' and a '&' from the input.
// String.prototype.replace with a string pattern only removes the first
// occurrence, and other shell metacharacters such as '|' are not on the list.
ip = ip.replace("`", "");
ip = ip.replace(";", "");
ip = ip.replace("&", "");
// The filtered value is still interpolated into a shell command line.
exec(`ping -c1 ${ip} > ./ping_output`);

We can see in this piece of code that the app strips a few dangerous characters in an attempt to prevent command injection. Unfortunately a blacklist approach like this can be bypassed. Let's try piping the commands:

127.0.0.1 | whoami

And we have a command injection!

Additional sources

{% embed url="https://owasp.org/www-community/attacks/Command_Injection" %}

{% embed url="https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html" %}