ED 104: CMD Injection (15 pts + 25 extra)

What you need

Purpose

To practice exploiting command injection in a CMD command-line environment.

Essential DOS Commands

Home Directory

From your Windows desktop, click Start. Type CMD and click "Command Prompt".

In the Command Prompt window, execute this command:

dir

A listing of files and folders in the current working directory appears, as shown below.

Your working directory is at its default starting value: your home directory, which is usually C:\Users\username. The working directory appears at the start of every prompt, before the > character, as highlighted in the image below.

In Windows, "directories" are also called "folders".

Making a Subdirectory

In the Command Prompt window, execute these commands:

mkdir steve
cd steve
dir

These commands create a new directory named "steve", change the working directory to "steve", and list the files and folders there. This directory is empty, so it contains only the system-generated files "." and "..", as shown below.

Making a File

In the Command Prompt window, execute these commands:

echo MARK > stevefile
dir
type stevefile

The first command creates a new file named "stevefile" and inserts the text "MARK" into it. The > symbol performs "output redirection", sending the output of the "echo" command into a file.

The new file appears in the directory list.

The "type" command displays the contents of the "stevefile" file.

Directory Traversal

In the Command Prompt window, execute these commands:

mkdir sally
cd sally
echo MARK2 > sallyfile
dir
dir ..

The first three commands create a new folder named "sally", move the working directory into it, and create a new file there named "sallyfile".

The "dir" command shows the contents of the "sally" folder.

The "dir .." command shows the contents of the folder above the "sally" folder, also called its parent. Notice that ".." lets you use a folder that is outside the working directory by giving a relative path, which describes how to get to the desired directory from the current working directory. This is called "directory traversal".


Flag ED 104.1: Access Control List (5 pts)

In the Command Prompt window, execute this command:

cacls sallyfile

This command shows the Access Control List for the "sallyfile" file.

As shown below, several accounts have "Full Control", indicated by the ":F" after the account names.

The flag is covered by a green box in the image below.


Flag ED 104.2: Find the Flag (10 pts)

The frame below lets you see directory contents on my Windows server. However, it has a command injection vulnerability.

There is a folder named "secret" on the server, containing a file named "flag.txt". Read the contents of that file and enter it into the form below the frame to record your success.
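
A defender's view of a service like the one described above, as an added example that is not the lab server's code: a hypothetical directory-listing handler in Python, with the weak command-string form beside a hardened form that allow-lists folder names, refuses the ".." traversal described earlier, and lists through the filesystem API. BASE_DIR and every function name are assumptions; the sample inputs are constructed from names and characters used on this page.

```python
import ntpath  # Windows path rules as pure string operations, on any OS
import os
import re

BASE_DIR = r"C:\srv\public"  # assumption: the only folder the page may list

# One or more folder names (letters, digits, "_" and "-") joined by single "\".
# Everything else is refused, including ".", ":", spaces and ">".
SAFE_SUBPATH = re.compile(r"[A-Za-z0-9_-]+(?:\\[A-Za-z0-9_-]+)*")


def weak_command(user_input):
    """Weak form: the request text becomes part of a CMD command line."""
    return "cmd /c dir " + user_input  # built only for comparison, never run


def resolve_listing_target(user_input):
    """Hardened form: return a path inside BASE_DIR or raise ValueError."""
    if not SAFE_SUBPATH.fullmatch(user_input):
        raise ValueError("folder name contains characters that are not allowed")
    target = ntpath.normpath(ntpath.join(BASE_DIR, user_input))
    # Defence in depth: the normalised result must still sit under BASE_DIR.
    if not target.lower().startswith(BASE_DIR.lower() + "\\"):
        raise ValueError("folder is outside the listing root")
    return target


def list_folder(user_input, lister=os.listdir):
    """List a folder through the filesystem API; no command interpreter runs."""
    return sorted(lister(resolve_listing_target(user_input)))


def is_allowed(user_input):
    """True when the hardened form would accept this request."""
    try:
        resolve_listing_target(user_input)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs that reuse the names and characters from this page.
    for sample in ["steve", r"steve\sally", "..", r"steve\..\..", "steve > stevefile"]:
        print(f"{sample!r:22} weak: {weak_command(sample)!r:36} allowed: {is_allowed(sample)}")
```

The weak form passes every sample through to the command line unchanged, while the hardened form accepts only the two plain folder requests.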


Flag ED 104.3: Find the Second Flag (10 pts extra)

There is a file named "flag2.txt" on the same server. Read the contents of that file and enter it into the form below the frame to record your success.

Flag ED 104.4: Find the Hidden Flag (15 pts extra)

There is another flag on the same server. You don't know its directory or filename.

Find the flag in that file.

Hints

it and enter it into the form below the frame to record your success.
Posted 10-18-18 by Sam Bowne
Image for first flag fixed 10-9-19
Instructions for 104.4 added 11-5-19
More hints for 104.4 added 11-16-19