blog
    Lab Walkthrough - Command ...
    12 August 22

    Lab Walkthrough - Command Injection

    Posted byLitesh Ghute
    facebooktwitterlinkedin
    news-featured

    What is Command Injection?

    A cyberattack known as command injection includes running unauthorized commands on the host operating system. Usually, the threat actor inserts the orders by taking advantage of an application flaw, like inadequate input validation.

    1_GJH9YB5KIolUsYRy9dyfwg.png

    Serverless Architecture is said to be more secure compared to traditional architecture. However, this does not mean attacks cannot be performed on it.

    In this article, we will learn how a vulnerable lambda function can be leveraged to get hold of temporary access credentials and interact with the S3 buckets on the AWS account.

    Challenge Statement

    In this lab, we will learn how a vulnerable lambda function can be leveraged to perform a privileged operation.

    Objective: Identify the command Injection vulnerability, leverage it to get hold of temporary access credentials and interact with the S3 buckets on the AWS account.

    Solution

    Step 1: Start our lab to interact with the web application we built for you!

    1_EiTrBGV06wJ2MA0vKkgOWA.png

    Step 2: Navigate to a file that you want to upload and simply drag that file and drop it onto the web application.

    1_vWcALjU7BzmO1VLIEZfcXQ.png

    As you can see, we got an error while uploading the file.

    Step 3: To remove the error we got in the above step, we need to configure our web browser to use a proxy.

    1_Fh795IdHI6yR-9aNl5ECjg.png

    Step 4: Start OWASP ZAP and upload the file again to capture the request.

    In this article, we will be using zap. So, start OWASP ZAP and turn on the intercept to capture the request.

    NOTE: You can use any software, Burp Suite or ZAP just make sure that the intercept is turned on.

    1_QGf6DvLMFjnv5BbRr_thCw.png

    After starting the ZAP and turning the intercept on, you will be able to upload the file and capture the request.

    1_Wg0YI7GW5BcRPaMFene7Dg.png

    Now, simply drag and drop the file to upload it onto the web application. And navigate back to the ZAP.

    Step 5: Turn off the intercept and open the request with the Request Editor.

    1_6UzhYdEMzF9XIxJU98PAoA.png

    In the next step, with the help of the Request Editor, we will make some changes to the request.

    Step 6: Finally, we will perform the command injection attack, and to do that, just add the payload (given below) at the end of line 1 before HTTP/1.1 as shown in the figure.

    Payload

    ;printenv
    1_wlfbQYkc0XYtj6aC5cjzng.png

    After adding the payload, send the request to get the response.

    1_LsujAb5K3SBj7YJA6EVX9Q.png

    In the response we can see that, we successfully received environment variables.

    Step 7: Check the bucket name in environment variables and try to access the bucket.

    Now, search for the bucket name in the response that we got in the above step. And use the below-mentioned URL format to access the S3 bucket.

    URL: https://temporary-public-image-store.s3.amazonaws.com

    1_IR-LAjEBlkld1tM-ythwaA.png

    As you can see, the access was denied! And that is because the bucket cannot be accessed publicly.

    Step 8: Use access keys and session tokens from environment variables to access the bucket.

    Now, we will use the credentials that we got in step 6 and set the environment variables using those credentials.

    Commands:

    export AWS_ACCESS_KEY_ID=<Access Key value>export AWS_SECRET_ACCESS_KEY=<Secret Key value>export AWS_SESSION_TOKEN=<Session token value>
    1_PPOEAXa7lHCmjCjpQuIWlQ.png

    Step 9: To check whether we got access to the S3 bucket or not, let’s try to list the files in the bucket.

    Command:

    aws s3 ls s3://temporary-public-image-store
    1_wIXO4WWjCYngYDgmyHrrtw.png

    We can see that we successfully listed the files present in the S3 bucket. (That means we got the S3 bucket access!)

    Step 10: Download the bucket object.

    Command:

    aws s3 cp s3://temporary-public-image-store/flag.txt ./

    After successfully downloading the bucket object, let’s print the content of the flag.txt file to get the flag.

    Command:

    cat flag.txt
    1_pzh6yxmk5SedPX2Dqxa21A.png

    FLAG: 58f4d2122f6e5e1e23bd0a313a7ba1af

    Voila! We successfully retrieved the flag.

    References:

    1. AWS CLI (https://docs.aws.amazon.com/cli/latest/reference/)
    2. OWASP ZAP (https://owasp.org/www-project-zap/)

    Conclusion

    In this article, we saw how we can leverage the vulnerable lambda function to perform a privileged operation and get hold of temporary access credentials and interact with the S3 buckets on the AWS account. I hope you enjoyed this article. Happy learning!

    Hey! Don’t miss anything - subscribe to our newsletter!

    © 2022 INE. All Rights Reserved. All logos, trademarks and registered trademarks are the property of their respective owners.
    instagram Logofacebook Logotwitter Logolinkedin Logoyoutube Logo