Code Execution 08

This exercise is one of our challenges on Code Execution

In this challenge, as in the previous one, the goal is to execute a command on the server. This time the payload cannot contain slashes (/) in the path, a restriction enforced by the Flask route configuration. To work around this, we encode the command in base64 so that it can be sent without slashes. Once the server receives the encoded payload, it decodes it with the `b64decode` function from the `base64` module, which we load via the `__import__` trick. The command can therefore be executed despite the path restriction.

A review of the source code shows that the route `/hello/` is mapped to the `hello_name` function, which evaluates user input with `eval`. This setup is vulnerable to code injection, but the restriction on slashes complicates direct command execution. Encoding the command in base64 bypasses this limitation: the decoded command is then evaluated, which achieves the goal of executing commands on the server.
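A defender-side companion to the description above, as an added example that is not part of the exercise or PentesterLab's code: a handler that treats the path segment as data instead of passing it to `eval`, and a check that flags request paths carrying the `__import__` and `b64decode` markers. The allow-list, the helper names and the sample paths are assumptions constructed for illustration.

```python
import html
import re
from urllib.parse import unquote

# Assumed allow-list for a display name; the exercise does not define one.
NAME_RE = re.compile(r"[A-Za-z0-9 _.-]{1,64}")

# Tokens named in the write-up above, plus eval/exec calls.
CODE_MARKERS = re.compile(r"__import__|b64decode|\b(?:eval|exec)\s*\(", re.I)


def hello_name_safe(name):
    """Hardened stand-in for hello_name: the path segment is only ever data."""
    if not NAME_RE.fullmatch(name):
        return 400, "invalid name"
    return 200, "Hello " + html.escape(name)


def fully_unquote(path, max_rounds=3):
    """Undo nested percent-encoding so markers cannot hide behind %5F or %255F."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def flag_request_paths(paths):
    """Return the raw /hello/ request paths whose decoded form looks like code."""
    return [p for p in paths
            if fully_unquote(p).startswith("/hello/")
            and CODE_MARKERS.search(fully_unquote(p))]


# Constructed access-log paths; the base64 value is a harmless placeholder.
SAMPLE_PATHS = [
    "/hello/alice",
    "/hello/%22%2B__import__(%27base64%27).b64decode(%27QUJD%27).decode()%2B%22",
    "/hello/bob%20smith",
    "/hello/%5F%5Fimport%5F%5F(%27base64%27)",
]

if __name__ == "__main__":
    for p in flag_request_paths(SAMPLE_PATHS):
        print("suspicious:", p)
    print(hello_name_safe("alice"))
```

Neither flagged sample contains a slash after `/hello/`, which is why a route that only excludes slashes offers no protection once the handler evaluates its input.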
