HTB Certified Active Directory Pentesting Expert is live! (25% OFF on Gold Annual Plan — for a limited time!) Learn More

Whitebox Pentesting 101: Command Injection

This module focuses on discovering Command Injection vulnerabilities in NodeJS servers and exploiting them to control the server.

4.70

Created by 21y4d

Hard Offensive

Summary

In the Whitebox Pentesting 101 Module, you will build upon what you learned in the Secure Coding 101 module through identifying a Command Injection vulnerability in a NodeJS server and exploiting it to get control over the remote server.

This module is your first step in learning the techniques of Whitebox Pentesting.

Whitebox Pentesting 101

Unlike Blackbox Pentesting, in which an attacker is given no prior knowledge or access to what they would attack, in Whitebox Pentesting, you have complete access to the codebase, debugging tools, and the local environment. This enables you to get a better understanding of the code design, and therefore identify hard-to-find vulnerabilities, which otherwise would be usually impossible to find using Blackbox Pentesting only.

In this module, you will learn the basics of Whitebox Pentesing, as follows:

  • Code Review: Review the code and identify potential vulnerabilities
  • Command Injection: Intro to Injections and Command Injections
  • Local Debugging: Chart your way towards the vulnerable function
  • Exploitation: Craft your payload to get remote code execution

Requirements

This module builds upon the Secure Coding 101 module and assumes that you have already completed it. Hence, you are expected to be familiar with concepts discussed in it, such as Code Review, Reverse Engineering, and Deobfuscating JS Code, and Secure Coding.

Introduction


Welcome to the Whitebox Pentesting 101: Command Injection module!

When we begin a Whitebox Pentesting exercise, we start by reviewing the codebase and analyzing it for vulnerabilities, as learned in the Secure Coding 101 module. Once we identify a potential vulnerability, we start our attempts to exploit it, through planning, local debugging, and eventually exploitation, which is what we will cover in this module.

In this module, we will discuss four main topics, as follows:

  1. Code Review 'highlights'

  2. Command Injection

  3. Local Debugging

  4. Exploitation

For example, we can imagine that our client has invited us to their site and asked us to analyze the application's code and check for vulnerabilities. One of the most common vulnerabilities in newly written code is the Command Injection vulnerability. These vulnerabilities are mostly caused by the inattention and time pressure that the developers have to endure during the development process.

This often results in solving complex processes as simple as possible, which leads to functions not being written correctly, allowing certain types of privilege escalation or breakouts. Some functions are then written in such a way that they execute internal system commands. Our goal is to identify these vulnerabilities during the Whitebox penetration test.

Sign Up / Log In to Unlock the Module

Please Sign Up or Log In to unlock the module and access the rest of the sections.