Proj 17: CMD Injection (15 pts + 15 pts extra)

What you need

Purpose

To practice exploiting command injection in a CMD command-line environment.

17.1 Essential DOS Commands (5 pts.)

Home Directory

From your Windows desktop, click Start. Type CMD and click "Command Prompt".

In the Command Prompt window, execute this command:

dir
A listing of files and folders in the current working directory appears, as shown below.

Your working directory is at its default starting value: your home directory, which is usually C:\Users\username. The working directory appears at the start of every prompt, before the > character, as highlighted in the image below.

In Windows, "directories" are also called "folders".

Making a Subdirectory

In the Command Prompt window, execute these commands:
mkdir steve
cd steve
dir
These commands create a new directory named "steve", change the working directory to "steve", and list the files and folders there. This directory is empty, so it contains only the system-generated entries "." and "..", as shown below.

Making a File

In the Command Prompt window, execute these commands:
echo MARK > stevefile
dir
type stevefile
The first command creates a new file named "stevefile" and inserts the text "MARK" into it. The > symbol performs "output redirection", sending the output of the "echo" command into a file.

The new file appears in the directory list.

The "type" command displays the contents of the "stevefile" file.

Directory Traversal

In the Command Prompt window, execute these commands:
mkdir sally
cd sally
echo MARK2 > sallyfile
dir
dir ..
The first three commands create a new folder named "sally", move the working directory into it, and create a new file there named "sallyfile".

The "dir" command shows the contents of the "sally" folder.

The "dir .." command shows the contents of the folder above the "sally" folder, also called its parent. Notice that ".." lets you use a folder outside the working directory by giving a relative path, which specifies how to get to the desired directory from the current working directory. This is called "directory traversal".

Access Control List

In the Command Prompt window, execute this command:
cacls sallyfile
This command shows the Access Control List for the "sallyfile" file.

As shown below, several accounts have "Full Control", indicated by the ":F" after the account names.

One of the accounts has a name beginning with "NT", and is covered by a green box in the image below.

Enter that name into the form below to record your success.

17.1: Recording Your Success (5 pts)

Use the form below to record your score in Canvas.

If you don't have a Canvas account, see the instructions here.

Name or Email:
Account name:


17.2 Find the Flag (10 pts)

The frame below lets you see directory contents on my Windows server. However, it has a command injection vulnerability.

There is a folder named "secret" on the server, containing a file named "flag.txt". Read the contents of that file and enter it into the form below the frame to record your success.
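For comparison, here is how a directory-listing feature like this one can be written without the flaw. This is an added example, not the lab server's code (which the page does not show); it assumes a Python back end, and list_folder, CMD_METACHARS and demo are hypothetical names. It rebuilds the steve/sally layout from 17.1 in a temporary folder as constructed sample data.

```python
import os
import tempfile

# Characters cmd.exe treats specially (the ">" redirection from 17.1 is one).
CMD_METACHARS = set('&|<>^%"\'();!`\r\n')

def list_folder(base_dir, user_input):
    """Return sorted names in base_dir/user_input without ever starting cmd.exe.

    The vulnerable pattern this replaces (shown as a comment, never executed):
        subprocess.run("dir " + user_input, shell=True)
    """
    # Defense in depth: no shell is used below, but reject shell syntax anyway.
    if not user_input or any(ch in CMD_METACHARS for ch in user_input):
        raise ValueError("illegal character in folder name")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_input))
    # Confinement: ".." or an absolute path must not leave the served folder.
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes the served folder")
    if not os.path.isdir(target):
        raise ValueError("not a folder")
    # os.listdir asks the OS directly, so the input is never parsed as a command.
    return sorted(os.listdir(target))

def demo():
    """Rebuild the lab's steve/sally layout in a temp folder and try three inputs."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        steve = os.path.join(root, "steve")
        os.makedirs(os.path.join(steve, "sally"))
        with open(os.path.join(steve, "stevefile"), "w") as f:
            f.write("MARK")
        with open(os.path.join(steve, "sally", "sallyfile"), "w") as f:
            f.write("MARK2")
        for text in ("sally", "..", "sally > out"):
            try:
                results[text] = list_folder(steve, text)
            except ValueError as err:
                results[text] = "rejected: " + str(err)
    return results

if __name__ == "__main__":
    for text, outcome in demo().items():
        print(repr(text), "->", outcome)
```

The two checks are independent: the path confinement addresses directory traversal, while avoiding the shell entirely is what removes the command injection.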

17.2: Recording Your Success (10 pts)

Use the form below to record your score in Canvas.

If you don't have a Canvas account, see the instructions here.

Name or Email:
Flag:


17.3 Find the Second Flag (10 pts extra)

There is a file named "flag2.txt" on the same server. Read the contents of that file and enter it into the form below the frame to record your success.

17.3: Recording Your Success (10 pts extra)

Use the form below to record your score in Canvas.

If you don't have a Canvas account, see the instructions here.

Name or Email:
Flag:


17.4 Find the Hidden Flag (15 pts extra)

There is another flag on the same server. You don't know its directory or filename.

Find it and enter it into the form below the frame to record your success.

17.4: Recording Your Success (15 pts extra)

Use the form below to record your score in Canvas.

If you don't have a Canvas account, see the instructions here.

Name or Email:
Flag:


Posted 10-18-18 by Sam Bowne