ED 104: CMD Injection (15 pts + 25 extra)

What you need

Purpose

To practice exploiting command injection in a CMD command-line environment.

Essential DOS Commands

Home Directory

From your Windows desktop, click Start. Type CMD and click "Command Prompt".

In the Command Prompt window, execute this command:

dir
A listing of files and folders in the current working directory appears, as shown below.

Your working directory is at its default starting value: your home directory, which is usually C:\Users\username. The working directory appears at the start of every prompt, before the > character, as highlighted in the image below.

In Windows, "directories" are also called "folders".

Making a Subdirectory

In the Command Prompt window, execute these commands:

mkdir steve
cd steve
dir

These commands create a new directory named "steve", change the working directory to "steve", and list the files and folders there. The directory is empty, so the listing contains only the system-generated entries "." (the directory itself) and ".." (its parent), as shown below.

Making a File

In the Command Prompt window, execute these commands:

echo MARK > stevefile
dir
type stevefile

The first command creates a new file named "stevefile" and inserts the text "MARK" into it. The > symbol performs "output redirection", sending the output of the "echo" command into a file instead of the screen.

The new file appears in the directory list.

The "type" command displays the contents of the "stevefile" file.

Directory Traversal

In the Command Prompt window, execute these commands:

mkdir sally
cd sally
echo MARK2 > sallyfile
dir
dir ..

The first three commands create a new folder named "sally", move the working directory into it, and create a new file there named "sallyfile".

The "dir" command shows the contents of the "sally" folder.

The "dir .." command shows the contents of the folder above the "sally" folder, also called its parent. Notice that ".." lets you reach a folder outside the working directory by giving a relative path: a path that describes how to get from the current working directory to the desired directory. This is called "directory traversal".

Flag ED 104.1: Access Control List (5 pts)

In the Command Prompt window, execute this command:

cacls sallyfile

This command shows the Access Control List for the "sallyfile" file.

As shown below, several accounts have "Full Control", indicated by the ":F" after the account names.

The flag is covered by a green box in the image below.

Flag ED 104.2: Find the Flag (10 pts)

The frame below lets you see directory contents on my Windows server. However, it has a command injection vulnerability.

There is a folder named "secret" on the server, containing a file named "flag.txt". Read the contents of that file to find the flag.

Recommended process:

  • Find a way to use "dir" to search the whole hard disk
  • Find a folder named "secret" that was created in 2019
  • Display the contents of the flag file in that folder
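To see what makes a listing frame like this injectable, and how a defender closes the hole, here is an added Python example. It is not the lab server's own code (which is not shown) and the names BASE_DIR, vulnerable_listing_command and validate_subfolder are assumptions: the vulnerable pattern concatenates the user's path into a cmd.exe string, while the hardened version whitelists the characters, resolves the path with Windows path rules and confines it to one base folder, then lists it without any shell.

```python
import ntpath
import os
import re

# Constructed base folder the frame is allowed to list (assumed value).
BASE_DIR = r"C:\inetpub\listing"

# cmd.exe characters that separate, redirect, group or expand commands.
CMD_META = set('&|<>^%"()!')

# Only plain folder names: letters, digits, space, dot, dash, underscore, backslash.
SAFE_PATH = re.compile(r"[A-Za-z0-9_.\- \\]*")


def vulnerable_listing_command(user_path: str) -> str:
    """Vulnerable pattern: user input pasted into a shell command string.
    When this string is handed to cmd.exe, anything after a separator such
    as & in user_path runs as a second, attacker-chosen command."""
    return "dir " + user_path


def validate_subfolder(user_path: str) -> str:
    """Hardened: reject shell metacharacters and confine the path to BASE_DIR.
    Returns the absolute Windows path to list, or raises ValueError."""
    if any(c in CMD_META for c in user_path):
        raise ValueError("shell metacharacter in path")
    if not SAFE_PATH.fullmatch(user_path):
        raise ValueError("unexpected character in path")
    # ntpath applies Windows rules regardless of the host OS: normpath
    # collapses "..", so a traversal out of BASE_DIR shows up as a path
    # whose common prefix with BASE_DIR is shorter than BASE_DIR itself.
    full = ntpath.normpath(ntpath.join(BASE_DIR, user_path))
    common = ntpath.commonpath([BASE_DIR, full])
    if ntpath.normcase(common) != ntpath.normcase(BASE_DIR):
        raise ValueError("path escapes base directory")
    return full


def list_folder(user_path: str) -> list:
    """Lists the validated folder with the OS API instead of cmd.exe, so
    there is no command line for a separator to break out of."""
    return sorted(os.listdir(validate_subfolder(user_path)))
```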

Flag ED 104.3: Find the Second Flag (10 pts extra)

There is a file named "flag2.txt" on the same server. Read the contents of that file to find the flag.

Flag ED 104.4: Find the Hidden Flag (15 pts extra)

There is another flag on the same server. You don't know its directory or filename.

Find the flag in that file.

Hints

  • It's not in the C:\Users\vuln4g or C:\Users\vuln4t directories; those files are for a different project.
  • The filename contains "flag"
  • The file was created in October, 2019
  • You need to get the file off the server and analyze it locally
  • Certutil rocks

Posted 10-18-18 by Sam Bowne
Image for first flag fixed 10-9-19
Instructions for 104.4 added 11-5-19
More hints for 104.4 added 11-16-19
Background color changed 1-18-23
Another hint for 104.4 added 2-16-23
More hints for 104.2 added 3-9-23
Video added 3-15-23